Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation

MITRE Techniques

• [T1190 ] Exploit Public-Facing Application – Attackers compromise websites and web servers through weaknesses in WordPress, plugins, themes, CMS flaws, and hosting platforms (‘attacker might gain access through password spraying, leaked or reused credentials, vulnerabilities in the hosting platform, flaws in the CMS itself’).
• [T1078 ] Valid Accounts – Threat actors use leaked, reused, or stolen credentials to access hosting or CMS environments (‘leaked or reused credentials’).
• [T1110.003 ] Password Spraying – Access is obtained through repeated password attempts against websites and hosting environments (‘through password spraying’).
• [T1059.007 ] JavaScript – TA569 injects obfuscated JavaScript into compromised sites to deliver fake update content and trigger downloads (‘inject highly obfuscated JavaScript’).
• [T1059.003 ] Windows Command Shell – The infection chain includes WSH JScript execution and script-based payload delivery on Windows systems (‘The downloaded file is GhoLoader Stage 1 — a WSH JScript’).
• [T1204.001 ] User Execution: Malicious Link – Victims are lured through email URLs and redirected webpages that lead to malicious content (‘legitimate email traffic that contain URLs that link to compromised websites’).
• [T1204.002 ] User Execution: Malicious File – Users are tricked into downloading and running malware by clicking a fake update button (‘clicking it sends a “postMessage”… and triggers the download’).
• [T1189 ] Drive-by Compromise – Compromised websites deliver malware when a visitor passes filtering checks and loads the malicious page (‘they’re shown a page that appears to be a pop-up from their web browser’).
• [T1055 ] Process Injection – Malicious code is injected into the website response and loaded in-page through scripts and iframes (‘inject highly obfuscated JavaScript… into the main response of the website’).
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence is maintained with added users, backdoors, and planted plugins that re-establish access (‘establish additional ways back in’).
• [T1505.003 ] Server Software Component: Web Shell – Attackers place PHP backdoors and fake plugins on the server to maintain control (‘placing PHP backdoors outside the control of the CMS’).
• [T1036 ] Masquerading – Fake CMS plugins and update pages disguise malicious activity as legitimate administration or browser updates (‘fake CMS plugins that function as backdoors’).
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – The article describes mechanism-based persistence and repeated reinfection behaviors, though no explicit scheduled task is named; included only if interpreted as recurring automation (‘mechanism that keeps reintroducing the injection’).