S1124: SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]
Analyst context for executives and security teams
SocGholish matters because ATT&CK describes it as a JavaScript-based loader used for initial access, commonly through drive-by downloads that masquerade as software updates. For business leaders, the decision point is not only “can we block one malware family,” but whether web browsing, user-click paths, script execution, and follow-on payload delivery are visible enough for the SOC and incident response teams to act before secondary RAT or ransomware activity occurs.
Executive priority
Prioritize SocGholish as an initial-access and loader risk for Windows environments. It connects user browsing and fake-update lures to downstream intrusion enablement, including secondary payload download according to the supplied ATT&CK description. Leaders should ask whether the organization has evidence for web-originated script execution, malicious-link exposure, ingress tool transfer, discovery activity, and incident containment decisions. This is especially relevant to managed detection, IR readiness, vulnerability/control prioritization around browsers and scripting, and audit evidence showing that user-driven web threats are monitored and governed.
Technical view
ATT&CK lists SocGholish as Windows malware and relates it to behaviors including Drive-by Compromise, Spearphishing Link, Malicious Link, JavaScript execution, WMI execution, ingress tool transfer, web-service C2, discovery of system/user/network/process/software/domain trust/location data, local data staging, obfuscation via encrypted/encoded or compressed files, and exfiltration over unencrypted non-C2 protocols. Because official detection text is not provided, defenders should validate coverage by behavior: suspicious JavaScript or script-host activity following web or email link access; unexpected WMI execution; new tool or payload downloads; discovery commands or API usage; staging/compression/encoding artifacts; and outbound web-service or unencrypted protocol traffic inconsistent with the user or host baseline.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows, especially script hosts, browser-spawned processes, and WMI activity
- Web proxy, DNS, and HTTP/HTTPS metadata for drive-by-download and fake-update delivery paths
- Email security and URL-click telemetry for spearphishing-link or malicious-link exposure
- File creation, download, archive/compression, and encoded/encrypted artifact telemetry
- EDR observations of discovery behavior: user, process, network configuration, software, system information, location, and domain trust checks
Detection direction
- Start with behavior chains rather than a single indicator: browser or email-link access leading to JavaScript execution, downloaded payloads, WMI use, discovery, and outbound transfer activity.
- Tune detections for false positives from legitimate software updates, administrative WMI use, normal compressed downloads, and sanctioned web services; require sequence, parent-child process context, destination reputation, and user/host baselines where available.
- Validate blind spots in browser telemetry, proxy logging, DNS retention, script execution logs, and EDR visibility on endpoints where users can browse the web.
- Use relationship context to hunt for post-access triage behavior: system/user/process/software/network/domain trust/location discovery may indicate the loader is preparing for follow-on actions.
- Because MITRE provides no official detection guidance for this object, document which detections are behavior-derived and which depend on local logging, third-party intelligence, or vendor analytics.
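As an added illustration (not from the ATT&CK object or any vendor), the behavior-chain approach above as a small Python correlator: it walks constructed Sysmon-style process and file events per host and alerts only when a script host launched from a download location is followed, within a window, by `whoami` discovery or a `rad<5-hex-chars>.tmp` staging file. The event field names, the window and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Added illustration, not ATT&CK or vendor code: the event shape, window and
# samples are assumptions modelled on Sysmon process-create / file-create data.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script host reading a .js from a user-writable download/temp location.
JS_FROM_DOWNLOAD = re.compile(r'\\(downloads|temp|appdata)\\[^"]*\.js\b', re.I)
# Staging file name recorded under T1074.001: rad<5-hex-chars>.tmp
RAD_TMP = re.compile(r"\\rad[0-9a-f]{5}\.tmp$", re.I)

def stage(ev):
    """Map one event to a chain stage, or None if it is not of interest."""
    img, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    if ev["kind"] == "process" and img in SCRIPT_HOSTS and JS_FROM_DOWNLOAD.search(ev["cmdline"]):
        return "script_from_download"
    if ev["kind"] == "process" and img == "whoami.exe" and parent in SCRIPT_HOSTS | {"cmd.exe"}:
        return "user_discovery"
    if ev["kind"] == "file" and RAD_TMP.search(ev["path"]):
        return "local_staging"
    return None

def detect(events, window=300):
    """One alert per host when a download-launched script host is followed within
    `window` seconds by whoami discovery or rad*.tmp staging. A lone whoami or a
    lone script launch never alerts, which keeps admin and IT-script noise out."""
    by_host, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            by_host[ev["host"]].append((ev["ts"], s))
    for host, seq in by_host.items():
        for i, (t0, s0) in enumerate(seq):
            if s0 != "script_from_download":
                continue
            follow = {s for t, s in seq[i + 1:] if t - t0 <= window and s != s0}
            if follow:
                alerts.append({"host": host, "start": t0, "stages": [s0] + sorted(follow)})
                break
    return alerts

SAMPLE = [  # constructed: ws01 shows the chain, ws02 is benign admin/IT activity
    {"ts": 100, "host": "ws01", "kind": "process", "image": "wscript.exe", "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Update.js"'},
    {"ts": 130, "host": "ws01", "kind": "process", "image": "whoami.exe", "parent": "cmd.exe", "cmdline": "whoami"},
    {"ts": 131, "host": "ws01", "kind": "file", "image": "cmd.exe", "path": r"C:\Users\jdoe\AppData\Local\Temp\rad1A2B3.tmp"},
    {"ts": 200, "host": "ws02", "kind": "process", "image": "whoami.exe", "parent": "cmd.exe", "cmdline": "whoami /groups"},
    {"ts": 210, "host": "ws02", "kind": "process", "image": "wscript.exe", "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Program Files\IT\logon.js"'},
]
```

Running `detect(SAMPLE)` yields one alert for ws01 listing all three stages; ws02's admin `whoami` and IT logon script produce nothing because no download-launched script precedes them.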
Mitigation priorities
- Reduce initial-access exposure by hardening web and email link controls, including inspection of URLs and downloads associated with fake software update lures.
- Restrict unnecessary script execution and monitor JavaScript/JScript behavior on Windows endpoints, especially when spawned from browsers or recently downloaded files.
- Limit and monitor WMI use to expected administrative patterns; investigate abnormal WMI execution following web-originated activity.
- Control outbound traffic and file transfer paths so ingress tool transfer, web-service C2, and unencrypted exfiltration channels are easier to detect and contain.
- Maintain IR playbooks for loader events that include isolating affected Windows hosts, preserving browser/download/script artifacts, and checking for secondary RAT or ransomware payload delivery as described in the ATT&CK object.
Analyst notes and limits
The supplied ATT&CK object identifies SocGholish as a JavaScript-based loader used since at least 2017, primarily for initial access through drive-by downloads masquerading as software updates. It states SocGholish is operated by Mustard Tempest and that its access has been sold to groups including Indrik Spider. The strongest defensive value comes from validating the full access-to-follow-on chain across web, endpoint, script, discovery, and egress telemetry rather than relying on malware naming alone.
Official detection content is not provided, tactics are not specified on the malware object itself, and the primary platform listed for the object is Windows. Related techniques include broader platform metadata, but local detection planning should be anchored to the supplied SocGholish platform and confirmed against the organization’s actual environment, logging, and control stack.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | SocGholish has the ability to enumerate system information including the victim computer name. [2][3][4] |
| Enterprise | T1614 | System Location Discovery | SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations. [4] |
| Enterprise | T1047 | Windows Management Instrumentation | SocGholish has used WMI calls for script execution and system profiling. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | SocGholish can download additional malware to infected hosts. [3][4] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | SocGholish has single or double Base-64 encoded references to its second-stage server URLs. [1] |
| Enterprise | T1482 | Domain Trust Discovery | SocGholish can profile compromised systems to identify domain trust relationships. [2][3] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | The SocGholish payload is executed as JavaScript. [1][2][3][4] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | SocGholish has been named `AutoUpdater.js` to mimic legitimate update files. [2] |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique) | SocGholish has been spread via emails containing malicious links. [2] |
| Enterprise | T1033 | System Owner/User Discovery | SocGholish can use `whoami` to obtain the username from a compromised host. [2][3][4] |
| Enterprise | T1189 | Drive-by Compromise | SocGholish has been distributed through compromised websites with malicious content often masquerading as browser updates. [2] |
| Enterprise | T1204.001 | Malicious Link (sub-technique) | SocGholish has lured victims into interacting with malicious links on compromised websites for execution. [2] |
| Enterprise | T1518 | Software Discovery | SocGholish can identify the victim's browser in order to serve the correct fake update page. [4] |
| Enterprise | T1057 | Process Discovery | SocGholish can list processes on targeted hosts. [4] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | SocGholish can send output from `whoami` to a local temp file using the naming convention `rad<5-hex-chars>.tmp`. [3] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | SocGholish can exfiltrate data directly to its C2 domain via HTTP. [3] |
| Enterprise | T1102 | Web Service | SocGholish has used Amazon Web Services to host second-stage servers. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | SocGholish has the ability to enumerate the domain name of a victim, as well as whether the host is a member of an Active Directory domain. [2][3][4] |
| Enterprise | T1027.015 | Compression (sub-technique) | The SocGholish JavaScript payload has been delivered within a compressed ZIP archive. [3][4] |
Groups, software, and campaigns
G1020: Mustard Tempest
Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8aa64baaedb0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SentinelOne SocGholish Infrastructure November 2022: Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
[2] SocGholish-update: Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
[3] Red Canary SocGholish March 2024: Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
[4] Secureworks Gold Prelude Profile: Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024.
[5] FakeUpdates (alias; Citation: Red Canary SocGholish March 2024)
[6] mitre-attack S1124 (MITRE ATT&CK source record for this object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.