A new Ransomware-as-a-Service (RaaS) group called RansomHub has emerged in the cybercriminal ecosystem, specializing in high-profile organizations and reaching them through a multi-stage attack chain. The group advertises its services on the Russian Anonymous Market Place (RAMP), a Dark Web forum known for hosting a range of cybercriminal activity, and has quickly established itself as a formidable threat to corporate networks worldwide through its staged methodology and evasive techniques.

RansomHub affiliates gain initial access by deploying SocGholish (also known as FakeUpdates) malware, which collects detailed system information before a Python-based backdoor is delivered to selected victims.

The infection chain begins when a victim visits a compromised WordPress site (in the documented case, “butterflywonderland[.]com”) that displays a page instructing them to update their browser, in this instance Microsoft Edge. The downloaded “Update.zip” contains “Update.js,” a JScript file that, once the user runs it, sends a POST request to the SocGholish C2 server at “hxxps://exclusive.nobogoods[.]com/updateStatus” to retrieve the next stage of the attack.

After collecting system information, the malware executes LOLBin commands such as “net use” and “systeminfo” to gather further intelligence about the compromised environment.

Researchers noted that RansomHub affiliates chose their targets only after this initial compromise, with approximately 6.5 minutes elapsing between first contact with the C2 server and delivery of the Python backdoor. This reconnaissance step lets the operators evaluate each potential victim, concentrate their effort on high-value targets, and avoid engaging security researchers and sandbox environments.

For selected targets, the attackers deploy a Python backdoor that establishes a SOCKS proxy, giving them a channel for reconnaissance and lateral movement throughout the victim’s network.
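The chain above (a script host running a .js from a download folder, that script host contacting the SocGholish C2, then net/systeminfo recon spawned beneath it) maps onto three endpoint telemetry rules. The following is an added hunting example, not code from the article or from the researchers it cites. The sample events are constructed and modelled loosely on Sysmon Event ID 1 (process create) and Event ID 3 (network connection) fields; the C2 host is the one the article reports, while the list of user-writable drop paths and the set of recon tools are assumptions to tune per environment.

```python
"""Added hunting example for the SocGholish -> LOLBin recon chain.
Not from the article; sample telemetry below is constructed."""
import json

# Indicators and behaviours named in the article.
C2_HOST = "exclusive.nobogoods.com"             # reported C2 (defanged in the article)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute Update.js
# Assumption: typical recon LOLBins; the article names net use and systeminfo.
RECON_TOOLS = {"net.exe", "net1.exe", "systeminfo.exe", "whoami.exe", "nltest.exe"}
# Assumption: where a browser download or archive extraction lands.
USER_PATH_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

# Constructed sample telemetry as JSON lines (raw string, so "\\" decodes to one
# backslash). pid 5120 is the fake-update chain; pid 6010 is a benign scheduled
# logon script included as a negative case.
SAMPLE_EVENTS = r"""
{"id":1,"pid":4100,"ppid":1,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"id":1,"pid":5120,"ppid":4100,"image":"C:\\Windows\\System32\\wscript.exe","cmd":"wscript.exe C:\\Users\\alice\\Downloads\\Update\\Update.js"}
{"id":3,"pid":5120,"image":"C:\\Windows\\System32\\wscript.exe","dest_host":"exclusive.nobogoods.com","dest_port":443}
{"id":1,"pid":5300,"ppid":5120,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c systeminfo"}
{"id":1,"pid":5310,"ppid":5300,"image":"C:\\Windows\\System32\\systeminfo.exe","cmd":"systeminfo"}
{"id":1,"pid":5320,"ppid":5120,"image":"C:\\Windows\\System32\\net.exe","cmd":"net use"}
{"id":1,"pid":6000,"ppid":1,"image":"C:\\Windows\\System32\\svchost.exe","cmd":"svchost.exe -k netsvcs -s Schedule"}
{"id":1,"pid":6010,"ppid":6000,"image":"C:\\Windows\\System32\\wscript.exe","cmd":"wscript.exe C:\\ProgramData\\Vendor\\logon.js"}
"""


def parse_events(text):
    """Decode one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable_path(cmdline):
    """True if the command line references a user-writable drop location."""
    p = cmdline.lower()
    return ("\\users\\" in p and any(m in p for m in USER_PATH_MARKERS)) \
        or "\\windows\\temp\\" in p


def has_script_host_ancestor(proc, procs, max_depth=5):
    """Walk ppid links looking for wscript/cscript within max_depth hops."""
    pid = proc.get("ppid")
    for _ in range(max_depth):
        parent = procs.get(pid)
        if parent is None:
            return False
        if image_name(parent["image"]) in SCRIPT_HOSTS:
            return True
        pid = parent.get("ppid")
    return False


def hunt(events):
    """Return (rule, pid, detail) tuples, one per matched chain stage."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    # Stage 1: a script host executing a script from Downloads/Temp (Update.js).
    for e in procs.values():
        if image_name(e["image"]) in SCRIPT_HOSTS and from_user_writable_path(e["cmd"]):
            alerts.append(("script_host_from_user_path", e["pid"], e["cmd"]))
    # Stage 2: a script host connecting to the known SocGholish C2 host.
    for e in events:
        if e["id"] == 3 and image_name(e["image"]) in SCRIPT_HOSTS \
                and e.get("dest_host", "").lower() == C2_HOST:
            alerts.append(("script_host_to_known_c2", e["pid"], e["dest_host"]))
    # Stage 3: net/systeminfo-style recon with a script host in the ancestry,
    # whether spawned directly or via cmd.exe.
    for e in procs.values():
        if image_name(e["image"]) in RECON_TOOLS and has_script_host_ancestor(e, procs):
            alerts.append(("recon_lolbin_under_script_host", e["pid"], e["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:32s} pid={pid} {detail}")
```

On the sample data the three rules fire on the fake-update process tree (pids 5120, 5310 and 5320) and stay silent on the scheduled logon script, because its .js lives outside a user-writable path and it spawns no recon tools. Stage 3 walks the parent chain rather than checking only the direct parent, since the article's "systeminfo" is typically launched through cmd.exe; the five-hop limit keeps a corrupted or recycled ppid from looping.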
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Apr 2025 16:09:59 +0000