Security Researcher

Joined September 2024
Pinned Tweet
1/X Here are some details on recent SOCGholish / FakeUpdates initial infections and the TDS (Keitaro?) that goes along with it. This loader uses compromised sites to display a fake "browser update" themed lure that, when clicked, downloads the malware.
New SocGholish / FakeUpdates Stage-3 domain of the day:
* snap[.]promantree[.]com
Stage-2 Script that calls it: virustotal.com/gui/file/868d…
New SocGholish Stage-3 domain:
* api-app[.]uppercrafteroom[.]com
Being served up by previously seen Stage-2:
* content-website-analytics[.]com/script[.]js
(1/4) Several new SocGholish Stage-3 domains from the past month or so, with their respective VT Stage-2 script when available:
• webmail[.]drainbusters1[.]com
•• virustotal.com/gui/file/8343…
•• virustotal.com/gui/file/ce56…
• cpanel[.]sbkollel[.]org
•• virustotal.com/gui/file/abcf…
(3/4)
• webdisk[.]housecleaninggrovecityohio[.]com
•• virustotal.com/gui/file/4077…
• support[.]grovecityelectrician[.]com
4/X New file name for the Chrome Payload as well.
Previous name: New Version (Click).js
New name: Google Launcher.js
Firefox and Edge filenames still seem the same:
FF: MozillaUpdater.zip->Firefox.js
Edge: <11 random alphanumeric chars>.js
5/5 A lot of newer compromised sites I'm seeing are skipping the old Stage-2 script and directly calling the Stage-3 domain. #SocGholish #FakeUpdates
Some new SocGholish Stage-3 domains observed in the last few days:
- updates[.]highendmark[.]com
- vps[.]denissalazar[.]com
- devel[.]asurans[.]com
Updated my list of infrastructure (Stage2 & Stage3) with some others seen in the past few months as well: github.com/MalwareBrandon/MB…
- updates[.]highendmark[.]com - Stage-2 Script Calling this: virustotal.com/gui/file/f586…
- vps[.]denissalazar[.]com - Stage-2 Script Calling this: virustotal.com/gui/file/2083…
- devel[.]asurans[.]com - virustotal.com/gui/url/afa74…
Finally getting around to sharing the SocGholish infrastructure I've observed over the last year or two. Comprises known initial Stage-2 and Stage-3 domains as well as the respective Stage-2 scripts found on VirusTotal. github.com/MalwareBrandon/MB…
Shout out to the following who have recently posted their analysis on #SocGholish and other #FakeUpdates threats in the past few weeks: @TRACLabs_ @RussianPanda9xx @threatinsight @Intel471Inc @GoogleCloudSec Hope this list helps some people out there with their own analysis.
Malware Brandon retweeted
Mandiant's latest blog post in the "Finding Malware" series dives deep into Fake Browser Update Attacks! 👾 Learn how these attacks use social engineering to deliver malicious payloads like FAKEUPDATES, FAKESMUGGLES, and FAKETREFF. Read the full post: bit.ly/43hDJ83
Malware Brandon retweeted
With access to one of the largest, most diverse data sets in all of cybersecurity, @Proofpoint is dedicated to tracking and reporting threat actors and their evolving TTPs. This research blog is packed full of new cybercriminal insights including ⤵️ brnw.ch/21wQMVQ
Malware Brandon retweeted
Happy Valentine's folks ❤️ I am excited to share with you my recent research @TRACLabs_ on #SocGholish post-exploitation phase and delivery of #GhostWeaver backdoor. Huge thanks to @ValidinLLC and @badsectorlabs for providing great tools and labs that helped in my research. Link: trac-labs.com/dont-ghost-the… Love you all 🫶
Malware Brandon retweeted
18 hacking books. Name your price. Our Hacking 2024 @humble bundle is now LIVE. Support @ACLU & @EFF while leveling up your security game. #CyberMonday humblebundle.com/books/hacki…
Was previously seeing most of the final SOCGholish payload C2 URLs from the downloaded 'Update Script' end with "/orderReview", but a new sample pulled today is showing a possible switch to "/gotoCheckout". As seen in this new C2 URL: "*.events[.]socalpocis[.]org/gotoCheckout"
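As an added example (not code from the posts above or from Malware Brandon's GitHub list), the following Python turns the indicators quoted in the posts into a small hunting check: it refangs the "[.]" notation, matches hosts (including the "*.events[.]socalpocis[.]org" wildcard from the last post) and the "/orderReview" and "/gotoCheckout" C2 paths, and checks downloaded filenames against the names in the 4/X post, including the Edge "<11 random alphanumeric chars>.js" pattern. The proxy log lines are constructed, not real traffic, and the hostnames in them that are not from the posts are reserved example domains.

```python
import re

# Stage-3 and C2 hosts quoted in the posts above, kept in their defanged "[.]" notation.
STAGE3_AND_C2_HOSTS = [
    "snap[.]promantree[.]com",
    "api-app[.]uppercrafteroom[.]com",
    "updates[.]highendmark[.]com",
    "*.events[.]socalpocis[.]org",   # wildcard exactly as written in the C2 URL post
]
C2_PATHS = ("/orderReview", "/gotoCheckout")          # C2 URL suffixes from the last post
PAYLOAD_NAMES = {"New Version (Click).js", "Google Launcher.js", "MozillaUpdater.zip", "Firefox.js"}
EDGE_NAME_RE = re.compile(r"^[A-Za-z0-9]{11}\.js$")   # "<11 random alphanumeric chars>.js"
URL_RE = re.compile(r"https?://([^/\s?#]+)([^\s?#]*)")  # (host, path) out of a log line

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

def host_matches(host: str, ioc: str) -> bool:
    """Exact match, or a strict suffix match when the indicator starts with '*.'."""
    ioc, host = refang(ioc).lower(), host.lower()
    if ioc.startswith("*."):
        return host.endswith(ioc[1:])  # "x.events.socalpocis.org" yes, bare apex no
    return host == ioc

def classify_url(url: str) -> list[str]:
    """Reasons the URL matches the indicators above; an empty list means no match."""
    m = URL_RE.search(url)
    if not m:
        return []
    host, path = m.group(1), m.group(2)
    reasons = [f"known host {ioc}" for ioc in STAGE3_AND_C2_HOSTS if host_matches(host, ioc)]
    if path.rstrip("/").endswith(C2_PATHS):
        reasons.append("C2 path " + path)  # weak alone, strong together with a host hit
    return reasons

def classify_filename(name: str) -> str:
    """Match a downloaded filename against the 4/X post; empty string means no match."""
    if name in PAYLOAD_NAMES:
        return "known payload name"
    if EDGE_NAME_RE.match(name):
        return "Edge-style random 11-char .js name"  # weak alone; pair with download source
    return ""

def scan_proxy_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, reasons) for every log line whose URL matches an indicator."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify_url(line))]

# Constructed sample proxy lines for a quick run; not real traffic.
SAMPLE_LOG = [
    "2024-10-01T12:00:01Z 10.0.0.5 GET https://snap.promantree.com/report 200",
    "2024-10-01T12:00:02Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2024-10-01T12:00:03Z 10.0.0.5 POST https://abc.events.socalpocis.org/gotoCheckout 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 1 and 3; the apex "events.socalpocis.org" alone is deliberately not matched by the wildcard entry.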