FAKEUPDATES
Also known as: FakeUpdate, GhoLoader, SocGholish
FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.
FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.
C2 Infrastructure
Last 7 days
| Date | C2 Hosts |
|---|---|
| Apr 18, 2026 | 1 |
| Apr 17, 2026 | 1 |
| Apr 15, 2026 | 1 |
| Apr 14, 2026 | 1 |
Further Reading
Discover how MintsLoader operates as a stealthy, obfuscated malware loader distributing GhostWeaver, StealC, and BOINC. Read Recorded Future’s in-depth analysis of its evasion tactics, DGA-based C2...
SocGholish operators continue to infect websites at a massive scale, and the threat actor is ramping up its infrastructure to match.
SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to clients, usually in the form of fake updates.
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the Loc...
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and ex...