RansomHub taps SocGholish: WebDAV and SCF exploits fuel credential heists
SocGholish, a notorious loader malware, has evolved into a critical tool for cybercriminals, often delivering payloads like Cobalt Strike and, more recently, RansomHub ransomware.
Darktrace’s Threat Research team has tracked multiple incidents since January 2025, where threat actors exploited SocGholish to compromise networks through fake browser updates and JavaScript-based attacks on vulnerable CMS platforms like WordPress.
By injecting malicious scripts into HTML or external resources of legitimate websites, attackers redirect unsuspecting users to counterfeit update pages, tricking them into downloading ZIP files containing SocGholish loaders.
Read more at GB Hackers