RansomHub using FakeUpdates scheme to attack government sector


RansomHub cyber threat actors have found a new way to deploy their ransomware, and they’re using it to target U.S. government entities.

According to Trend Micro, the prolific ransomware gang is using SocGholish, a longtime malware-as-a-service operation also known as FakeUpdates, to facilitate its attacks. RansomHub emerged in early 2024 and has racked up more than 200 victims since, claiming responsibility for notable attacks against Change Healthcare and Rite Aid.

In a blog post on Friday, Trend Micro researchers outlined how the SocGholish framework is delivering RansomHub ransomware in a multistage attack chain that features thousands of compromised websites. “As of the start of 2025, SocGholish detections have been highest in the United States, with government organizations among the most affected,” the researchers wrote, adding that banking and consulting organizations were also heavily targeted.

Since first emerging in 2018, SocGholish’s calling card has been the use of fake browser and software updates to trick users into downloading malicious content. “SocGholish is characterised by its highly obfuscated JavaScript loader, which employs a range of evasion techniques that enable it to bypass traditional signature-based detection methods effectively,” the researchers wrote.

To infect users, SocGholish operators use a network of legitimate websites that previously have been compromised with a malicious script that hijacks web traffic. When users visit these sites, SocGholish redirects them using Keitaro, a commercial traffic distribution system (TDS) based in Estonia that has long been associated with SocGholish and other malicious activity.

Phony browser updates

The threat actors use “rogue” Keitaro instances to send unsuspecting users to fake browser updates containing SocGholish malware and to filter out “unwanted traffic from sandboxes and researchers.” Once users click on the fake updates, the threat actors install the obfuscated JavaScript loader and begin deploying additional payloads.
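The first stage of the chain described above, an injected script on a compromised page that pulls a loader from a third-party host or carries a heavily obfuscated inline body, is something a site owner can check for in their own HTML. The Python below is an added example, not Trend Micro's or the SocGholish operators' code; the sample page, the `.test` hostnames and the allowlist of expected script origins are constructed for illustration, and the obfuscation score is a crude heuristic rather than a signature.

```python
"""Heuristic scan of a web page for injected third-party or obfuscated
<script> tags of the kind used to hijack traffic toward fake-update lures.
Added example; not Trend Micro's or SocGholish's code. Sample page,
hostnames and allowlist are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of script origins the site owner expects to see.
EXPECTED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Markers typical of decode-and-execute loaders; heuristic, not a signature.
OBFUSCATION_MARKERS = re.compile(
    r"\beval\(|\batob\(|String\.fromCharCode|unescape\("
    r"|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}"
)


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def looks_obfuscated(body, min_len=200, marker_threshold=3):
    """Flag long inline bodies with several decode/eval markers or a high
    density of backslash escapes. Tune thresholds for your own site."""
    stripped = body.strip()
    if len(stripped) < min_len:
        return False
    markers = len(OBFUSCATION_MARKERS.findall(stripped))
    escape_density = stripped.count("\\") / len(stripped)
    return markers >= marker_threshold or escape_density > 0.05


def scan_page(page_html, page_host, expected_hosts=EXPECTED_SCRIPT_HOSTS):
    """Return (finding_type, detail) pairs for scripts worth a closer look."""
    parser = ScriptCollector()
    parser.feed(page_html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:  # relative URL, same origin as the page
            continue
        if host != page_host and host not in expected_hosts:
            findings.append(("unexpected-external-script", src))
    for body in parser.inline:
        if looks_obfuscated(body):
            findings.append(("obfuscated-inline-script", body.strip()[:60] + "..."))
    return findings


# Constructed sample page: one relative script, one allowlisted CDN script,
# one injected third-party loader, one benign inline script and one heavily
# escaped inline script with decode/eval markers.
_OBFUSCATED_INLINE = (
    "var a='" + "\\x41" * 80 + "';"
    "eval(atob('aGVsbG8='));document.write(String.fromCharCode(104));"
)
SAMPLE_PAGE = f"""<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-site.test/jquery.js"></script>
<script src="//static.not-a-real-tds.test/load.js"></script>
<script>console.log('page ready');</script>
<script>{_OBFUSCATED_INLINE}</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "www.example-site.test"):
        print(kind, detail)
```

Run it against HTML fetched from each page of a site whose allowlist was built from a known-good copy; a script origin that was never part of the site, or an inline body that suddenly needs `eval` and hundreds of hex escapes, is the kind of change a compromised CMS produces.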

In RansomHub attacks, the SocGholish threat actors deploy Python-based backdoor components that provide initial access to RansomHub affiliates. The backdoor establishes a hardcoded connection to a command and control (C2) server that threat actors can use to exfiltrate sensitive data from victims’ networks.

Trend Micro researchers said SocGholish also uses the network of compromised websites for C2, using a technique called "domain shadowing." Once threat actors gain control of a legitimate domain, they can create new subdomains under it for malicious traffic; because the parent domain has an established, clean reputation, those subdomains are far less likely to be blocked by reputation-based security products.
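Domain shadowing leaves a trace in passive DNS: a subdomain of a legitimate domain that appears for the first time and resolves outside the address range hosting the apex and www records. The Python below is an added example, not Trend Micro's detection logic; the log records, hostnames and addresses are constructed, and `registered_domain` assumes a two-label registrable domain rather than consulting the Public Suffix List.

```python
"""Heuristic detection of domain shadowing in passive-DNS style logs: a
first-seen subdomain of a known domain resolving outside the parent's
hosting range. Added example, not Trend Micro's tooling; records and
addresses are constructed."""
from ipaddress import ip_address, ip_network

# Constructed passive-DNS style records: timestamp, qname, rtype, rdata.
SAMPLE_DNS_LOG = """\
2025-03-10T08:00:01Z www.example-site.test A 198.51.100.10
2025-03-10T08:00:02Z example-site.test A 198.51.100.10
2025-03-10T08:05:00Z mail.example-site.test A 198.51.100.25
2025-03-12T02:13:44Z cdn-assets.example-site.test A 203.0.113.77
2025-03-12T02:13:45Z cdn-assets.example-site.test A 203.0.113.77
2025-03-12T02:14:10Z www.example-site.test A 198.51.100.10
"""


def registered_domain(qname):
    """Assumption: two-label registrable domains (example-site.test).
    Production code should use the Public Suffix List instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text):
    """Yield (timestamp, qname, address) for A records in the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata = line.split()
        if rtype == "A":
            yield ts, qname.lower(), ip_address(rdata)


def find_shadowed(text, prefix_len=24):
    """Flag subdomains whose first resolution lands outside the /prefix_len
    ranges that the apex and www records of the same domain resolve to."""
    records = list(parse_log(text))
    parent_nets = {}
    # Pass 1: learn each domain's legitimate hosting range from apex and www.
    for _, qname, ip in records:
        rd = registered_domain(qname)
        if qname in (rd, "www." + rd):
            net = ip_network(f"{ip}/{prefix_len}", strict=False)
            parent_nets.setdefault(rd, set()).add(net)
    # Pass 2: report each other subdomain once, on first sight, if it
    # resolves outside every range learned for its parent domain.
    first_seen = {}
    findings = []
    for ts, qname, ip in records:
        rd = registered_domain(qname)
        if qname in (rd, "www." + rd) or qname in first_seen:
            continue
        first_seen[qname] = ts
        nets = parent_nets.get(rd, set())
        if nets and not any(ip in net for net in nets):
            findings.append({
                "qname": qname,
                "first_seen": ts,
                "rdata": str(ip),
                "parent_ranges": sorted(str(net) for net in nets),
            })
    return findings


if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_DNS_LOG):
        print(f)
```

A hit is a lead, not a verdict: mail or CDN subdomains legitimately live on other providers, so pair the check with an allowlist of known third-party hosting and with registrar or DNS-provider change logs, which is where the attacker-created record will actually show up.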

RansomHub attacks aren’t the only threats that SocGholish is facilitating this year. Last month, Proofpoint researchers highlighted new campaigns deploying infostealer malware for Windows, Android and macOS systems that also move hijacked traffic through Keitaro’s TDS.

“The sheer volume of compromised websites leading to SocGholish, coupled with the use of a commercial TDS for sandbox and crawler evasion and the use of Anti-Sandbox routines may pose a challenge for certain automated detection solutions like sandboxes, which may enable SocGholish to run in environments, leading to highly impactful attacks,” the researchers wrote.

Urgent cyber threat

Trend Micro called SocGholish infections "critical events" that must be urgently addressed by security teams. The cybersecurity company urged organizations to deploy extended detection and response (XDR) solutions to identify and remediate SocGholish activity, and to restrict the execution of legitimate tools such as PowerShell.

The research team warned SocGholish actors frequently target vulnerable content management systems and CMS plug-ins to compromise legitimate websites. Previous SocGholish campaigns, for example, have used compromised WordPress sites to hijack traffic and deliver malware.
