| SYMBOL | COMMON_NAME | aka. SYNONYMS |
GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.
| 2024-09-30
⋅
X (@GenThreatLabs)
⋅
Tweet on FAKEUPDATES pushing WARMCOOKIE backdoor via compromised websites targeting France FAKEUPDATES WarmCookie |
| 2024-07-09
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update January to June 2024 Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver |
| 2024-07-02
⋅
Malsada Tech
⋅
The LandUpdate808 Fake Update Variant FAKEUPDATES |
| 2024-04-30
⋅
Intrinsec
⋅
Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery FAKEUPDATES Matanbuchus |
| 2024-01-12
⋅
Spamhaus
⋅
Spamhaus Botnet Threat Update Q4 2023 FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver |
| 2023-12-12
⋅
Check Point Research
⋅
November 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus FAKEUPDATES AsyncRAT |
| 2023-08-31
⋅
Rapid7 Labs
⋅
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT |
| 2023-02-26
⋅
Proofpoint
⋅
TA569: SocGholish and Beyond FAKEUPDATES RedLine Stealer solarmarker |
| 2022-11-07
⋅
SentinelOne
⋅
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders FAKEUPDATES |
| 2022-10-27
⋅
Microsoft
⋅
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak |
| 2022-10-27
⋅
Microsoft
⋅
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest |
| 2022-08-19
⋅
nccgroup
⋅
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack FAKEUPDATES Cobalt Strike LockBit |
| 2022-08-16
⋅
SUCURI
⋅
SocGholish: 5+ Years of Massive Website Infections FAKEUPDATES |
| 2022-07-30
⋅
The Hacker News
⋅
Microsoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers FAKEUPDATES Raspberry Robin |
| 2022-06-13
⋅
Jorge Testa
⋅
Killing The Bear - Evil Corp FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker |
| 2022-06-08
⋅
Malwarebytes Labs
⋅
MakeMoney malvertising campaign adds fake update template FAKEUPDATES |
| 2022-06-02
⋅
Mandiant
⋅
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker |
| 2022-05-25
⋅
Medium walmartglobaltech
⋅
SocGholish Campaigns and Initial Access Kit FAKEUPDATES Blister Cobalt Strike NetSupportManager RAT |
| 2022-05-09
⋅
Microsoft
⋅
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT |
| 2022-05-06
⋅
Twitter (@MsftSecIntel)
⋅
Twitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader, CobaltStrike, Lockbit and followed by Hands On Keyboard activity FAKEUPDATES Blister Cobalt Strike LockBit |
| 2022-04-25
⋅
Cybereason
⋅
THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems FAKEUPDATES Zloader |
| 2022-04-10
⋅
Digital Information World
⋅
Threatening Redirect Web Service Instills Malicious Campaigns In Over 16,500 Websites FAKEUPDATES |
| 2022-04-07
⋅
Avast Decoded
⋅
Parrot TDS takes over web servers and threatens millions FAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT |
| 2022-04-05
⋅
Trend Micro
⋅
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload FAKEUPDATES Blister LockBit |
| 2022-04-05
⋅
Trend Micro
⋅
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs) FAKEUPDATES Blister LockBit |
| 2022-04-04
⋅
⋅
LAC WATCH
⋅
Confirmation of damage to domestic e-commerce sites, actual situation of Web skimming attacks and examples of countermeasures that Rack thinks (Water Pamola) FAKEUPDATES |
| 2022-03-22
⋅
Red Canary
⋅
2022 Threat Detection Report FAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT |
| 2022-02-26
⋅
Mandiant
⋅
TRENDING EVIL Q1 2022 KEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot |
| 2021-07-22
⋅
Expel
⋅
Incident report: Spotting SocGholish WordPress injection FAKEUPDATES |
| 2021-01-01
⋅
Secureworks
⋅
GOLD PRELUDE GOLD PRELUDE |
| 2020-12-17
⋅
Menlo Security
⋅
Increase In Attack: SocGholish FAKEUPDATES |
| 2020-03-16
⋅
Mandiant
⋅
They Come in the Night: Ransomware Deployment Trends FAKEUPDATES |
| 2018-04-10
⋅
Malwarebytes Labs
⋅
‘FakeUpdates’ campaign leverages multiple website platforms FAKEUPDATES |