Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine - Arctic Wolf

Arctic Wolf Labs recently identified a U.S.-based company that was targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This is the first time that a RomCom payload has been observed being distributed by SocGholish.

Arctic Wolf
Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569
#TA569
https://www.silentpush.com/blog/socgholish/

SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, selling access to clients, usually in the form of fake updates.

Silent Push

With access to one of the largest, most diverse data sets in all of cybersecurity, Proofpoint is dedicated to tracking and reporting threat actors and their evolving TTPs. This research blog (brnw.ch/21wQMTw) is packed full of new threat insights including...

🔍 #TA2726 and #TA2727, two new cybercriminal threat actors who operate components of web inject campaigns.

🔍 #FrigidStealer, a new info stealer for Mac computers delivered alongside malware for Windows and Android hosts.

See our blog for full details, Emerging Threats signatures, and IOCs.

#FakeUpdates #socialengineering #MacOS #TA569 #SocGholish

Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

Attackers are sending malicious scripts that download the Remote Manipulator System (RMS) build, known as BurnsRAT, and NetSupport RAT

Kaspersky

Observed a few possible upcoming #KeitaroTDS domains via Silent Push. Found in research, not observed in any compromised sites yet. #SocGholish #TA569.

designinteractiveplatform[.]club
ajaxapiendpoint[.]cloud
codingmastermindhub[.]club
apivuecomponent[.]com

#TA569 is picking up its pace with #SocGholish. Lots of car-sales-themed domains hosted on 198.199.100[.]215 confirmed true positives.

#infosec
#threathunting
#cti

#TA569 #KeitaroTDS TDS domains are now on 91.203.193[.]124, including the new domain dailytickyclock[.]org (inject seen in the wild: hXXps://dailytickyclock[.]org/Rz7kFbxJ), redirecting to the #SocGholish TDS commercial.tedgorka[.]com hosted on 88.119.169[.]146, as already noticed by @rmceoin.

https://infosec.exchange/@rmceoin/110403826054740697

Randy :donor: (@[email protected])

Checking in on a #SocGholish infected site and sure enough, still there. TDS: commercial[.]tedgorka[.]com. C2: *.accounting[.]bridgemastersllc[.]com. Saw a new behaviour. The C2 uses a wildcard domain. If you want to poke at it, www[.]grindline[.]com is still infected. #threatintel

Infosec Exchange

Today's new #TA569 #KeitaroTDS TDS domain, still hosted on the same IP as the others, is deeptrickday[.]org - e.g. hXXps://deeptrickday[.]org/fMYD7fFx seen in wild.

2nd stage SocGholish TDS remains trackrecord[.]wheresbecky[.]com, but finally we also witness a new SocGholish C2 *[.]score[.]symposiumhaiti[.]com on 5.255.119[.]147:

https://infosec.exchange/@rmceoin/110294016510144792

Randy :donor: (@[email protected])

I'm actively poking at a SocGholish compromised site and just watched it switch its C2 from this: reseller[.]wonderfulworldblog[.]com to this: score[.]symposiumhaiti[.]com. The first one was already considered malware by our vendor tools. This new one was not. Added that bad boy to the block list. 🚫 #SocGholish #ThreatIntel

Infosec Exchange

New #TA569 #KeitaroTDS TDS neworderspath[.]org - hXXps://neworderspath[.]org/k4WP6NP9 spotted in the wild.

Will share all these IOCs via Threatfox of @abuse_ch as soon as its login is working again!

Summer is coming - or at least the new #TA569 #KeitaroTDS TDS domains hosted on 47.90.178[.]252 keep on giving!

Today's new entry is
- hXXps://lemonicecold[.]org/cd5fkZwv

How many of these injections can be found in the wild? Check yourself on urlscan.io: https://urlscan.io/search/#ip%3A47.90.178.252

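As an added defender-side example (not code from any of the posts above), the following Python matcher refangs the indicators shared in this thread, applies the wildcard C2 matching the posts describe and the 8-character path shared by every Keitaro TDS inject posted here, and runs them over proxy log lines. The log lines, the verdict labels and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators as defanged in the posts above: (verdict, pattern, needs Keitaro-style path).
INDICATORS = [
    ("socgholish-c2", "*[.]score[.]symposiumhaiti[.]com", False),
    ("socgholish-c2", "*.accounting[.]bridgemastersllc[.]com", False),
    ("socgholish-tds", "commercial[.]tedgorka[.]com", False),
    ("socgholish-tds", "trackrecord[.]wheresbecky[.]com", False),
    ("keitaro-tds-inject", "dailytickyclock[.]org", True),
    ("keitaro-tds-inject", "deeptrickday[.]org", True),
    ("keitaro-tds-inject", "neworderspath[.]org", True),
    ("keitaro-tds-inject", "lemonicecold[.]org", True),
]
# Every Keitaro TDS inject URL posted above uses an 8-character alphanumeric path.
KEITARO_PATH = re.compile(r"^/[A-Za-z0-9]{8}$")

def refang(ioc):
    """Turn a defanged indicator ('hXXps://', '[.]') back into a usable string."""
    return ioc.replace("[.]", ".").replace("hXXps://", "https://").replace("hXXp://", "http://")

def classify(url):
    """Return the verdict for a URL, or None when it matches no indicator."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for verdict, pattern, needs_path in INDICATORS:
        pattern = refang(pattern)
        # '*.' patterns match any-depth subdomain (the wildcard C2 behaviour noted above);
        # keeping the leading dot avoids matching e.g. 'evilscore.symposiumhaiti.com'.
        hit = host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern
        if hit and (not needs_path or KEITARO_PATH.match(parts.path)):
            return verdict
    return None

# Constructed proxy log lines (timestamp client method url); assumed format, not real traffic.
SAMPLE_LOG = """\
2023-05-16T10:01:02Z 10.0.0.5 GET https://dailytickyclock.org/Rz7kFbxJ
2023-05-16T10:01:03Z 10.0.0.5 GET https://commercial.tedgorka.com/
2023-05-16T10:01:04Z 10.0.0.5 POST https://abc123.score.symposiumhaiti.com/
2023-05-16T10:02:00Z 10.0.0.7 GET https://example.com/index.html
2023-05-16T10:03:00Z 10.0.0.8 GET https://dailytickyclock.org/about
"""

def scan_log(text):
    """Return (client, url, verdict) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        _ts, client, _method, url = line.split()
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits
```

The last sample line shows why the path check matters: a visit to the TDS domain without the inject-style path is not flagged as an inject, so it can be triaged separately.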