
FAKEUPDATES

Also known as: FakeUpdate, GhoLoader, SocGholish

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.

FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

Linked Threat Actors

GOLD PRELUDE

C2 Infrastructure

Hosting/VPS 89%
ISP/Residential 11%

Last 7 days

Jun 3, 2026
C2 Hosts: 1
Jun 2, 2026
C2 Hosts: 1
Jun 1, 2026
C2 Hosts: 3
May 30, 2026
C2 Hosts: 1
May 29, 2026
C2 Hosts: 1
May 28, 2026
C2 Hosts: 2

Further Reading

CoinLurker: The Stealer Powering the Next Generation of Fake Updates

Learn about the evolution of fake update campaigns like CoinLurker, the techniques it uses and strategies to defend against this next-generation threat.

blog.morphisec.com
PROSPERO & Proton66: Uncovering the links between bulletproof networks

Key findings. This report presents: The Russian autonomous system PROSPERO (AS200593) could be linked […]

intrinsec.com
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog

Microsoft coined the term “human-operated ransomware” to clearly define a class of attack driven by expert human intelligence at every step of the attack chain and culminating in intentional business...

microsoft.com
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers | Rapid7 Blog

Rapid7 has observed the Fake Browser Update lure utilizing a sophisticated new loader to execute infostealers.

rapid7.com
MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish

Discover how MintsLoader operates as a stealthy, obfuscated malware loader distributing GhostWeaver, StealC, and BOINC. Read Recorded Future’s in-depth analysis of its evasion tactics, DGA-based C2...

recordedfuture.com
SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders

SocGholish operators continue to infect websites at a massive scale, and the threat actor is ramping up its infrastructure to match.

sentinelone.com
Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to clients, usually in the form of fake updates.

silentpush.com
Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the Loc...

trendmicro.com
SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware

Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and ex...

trendmicro.com