For the last few months, RansomHub, a cybercriminal group, has partnered with FakeUpdates, a malware-as-a-service (MaaS) operation, to deliver ransomware against US government organizations. The threat actor behind FakeUpdates is “SocGholish”.
Who is RansomHub?
RansomHub first came to public attention in February 2024, operating as a Ransomware-as-a-Service (RaaS) group. The group offers its affiliates a higher level of autonomy and lucrative commission rates. In its advertisements on forums, RansomHub promises affiliates a 90% commission, making it the highest-paying group in the ransomware market.
During their first spree, they claimed 227 victims in 207 days. According to a leak, the group consists of members from various countries around the world and has an established rule that affiliates must not attack nations affiliated with Russia, including former Soviet Union countries, Cuba, North Korea, and China.
Why it Matters
This attack shows the growing trend of threat actors forming alliances to increase their success and generate more profits through cybercrime. This could set a dangerous precedent for other cybercriminal groups and threat actors. Currently, RansomHub, which uses SocGholish as an access provider, has around 18 active command-and-control (C2) servers running.
These servers rotate domains at least once a week, a strategy that “may increase the likelihood of successful infections,” as noted by the researchers. Moreover, SocGholish uses compromised domains to support its infrastructure, specifically creating new subdomains under them for use with its malware-as-a-service (MaaS) framework.
How it Works
Attack Chain (Source: TrendMicro)
Initial compromise: Threat actors inject malicious scripts into legitimate websites
Traffic redirection: Compromised sites redirect visitors through rogue Keitaro Traffic Distribution Systems
Social engineering: Users are shown fake browser update notifications
Payload delivery: When users download and execute the supposed “update,” the SocGholish JavaScript loader is installed
Command & control: The loader connects to attacker servers for instructions
Credential theft: Extracts passwords from browsers and system files
Backdoor installation: Deploys persistent Python-based backdoors
Data exfiltration: Transfers stolen credentials and screenshots to attacker servers
Lateral movement: Uses stolen credentials to compromise additional systems
Ransomware deployment: RansomHub ransomware is ultimately deployed
Impact
RansomHub ranking: Currently the third most impactful ransomware player in terms of organizations affected by data breaches, behind only Akira and CL0P
Geographic impact: Highest detections in the U.S., followed by Japan and Taiwan
Most affected sectors: Government entities (1st), banking (2nd), and consulting (3rd)
Compromised websites: Thousands identified in 2025 alone
TDS domains: “blackshelter[.]org” (1,297 compromised sites), “rednosehorse[.]com” (932 sites), “newgoodfoodmarket[.]com” (550 sites)
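Because the post notes that the TDS infrastructure rotates domains at least weekly and lives on subdomains of compromised apex domains, an exact-match blocklist of the three domains above goes stale quickly. The following is an added example, not code from the post or from Trend Micro: it refangs the defanged indicators exactly as the post prints them and matches DNS or proxy log hostnames by apex domain, so that a freshly created subdomain on a known-bad apex is still flagged. The log format and log lines are constructed for the example; the apex matching is deliberately naive (last two labels suffice for .org/.com) and a real deployment would consult the Public Suffix List.

```python
"""Added example (not from the Trend Micro report or this post): match DNS/proxy
log hostnames against the post's defanged SocGholish TDS indicators by apex
domain, so weekly-rotated or newly created subdomains are still caught."""
import re
from typing import List, Optional, Tuple

# Defanged TDS domains exactly as the post lists them.
TDS_IOCS = ["blackshelter[.]org", "rednosehorse[.]com", "newgoodfoodmarket[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps[://]') back into a usable string."""
    s = indicator.strip().lower()
    s = s.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s)
    return s


def matches(hostname: str, iocs: List[str]) -> Optional[str]:
    """Return the matching indicator (refanged) if hostname equals it or is a subdomain of it.
    'notblackshelter.org' must NOT match 'blackshelter.org', hence the leading dot check."""
    host = hostname.rstrip(".").lower()
    for ioc in iocs:
        bad = refang(ioc)
        if host == bad or host.endswith("." + bad):
            return bad
    return None


# Constructed sample DNS log lines: "<timestamp> <client ip> <queried hostname>"
SAMPLE_DNS_LOG = """\
2025-03-10T09:12:01Z 10.0.4.21 www.example-news-site.test
2025-03-10T09:12:02Z 10.0.4.21 cdn7.blackshelter.org
2025-03-10T09:12:03Z 10.0.4.21 rednosehorse.com
2025-03-10T09:12:04Z 10.0.4.22 notblackshelter.org
2025-03-10T09:12:05Z 10.0.4.23 update.newgoodfoodmarket.com.
"""


def scan_log(log_text: str, iocs: List[str] = TDS_IOCS) -> List[Tuple[str, str, str]]:
    """Return (client, hostname, matched_indicator) for every line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, host = parts
        hit = matches(host, iocs)
        if hit:
            hits.append((client, host.rstrip("."), hit))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_log(SAMPLE_DNS_LOG):
        print(f"ALERT client={client} queried={host} matched_tds={ioc}")
```

Feed the output into your SIEM as a triage signal rather than an automatic block: a compromised legitimate domain may also carry benign traffic, and the point of apex matching is to surface the new subdomains that a weekly-rotating exact-match list would miss.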
MITRE ATT&CK techniques
Initial access: T1608.004 (Drive-by Target)
Execution: T1204.002 (User Execution: Malicious File), T1059.007 (JavaScript)
Persistence: T1053.005 (Scheduled Task)
Credential access: T1555.003 (Credentials from Web Browsers), T1003.002 (OS Credential Dumping)
Discovery: T1087.002 (Domain Account Discovery), T1069.002 (Domain Groups)
Command and control: T1095 (Non-Application Layer Protocol), T1572 (Protocol Tunneling)
The Bottom Line
Organizations need strong security measures including extended detection and response solutions (EDR), endpoint hardening, and secure content management systems to protect against these sophisticated threats.
Source: hxxps[://]www[.]trendmicro[.]com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
