The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content.
"The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations," Silent Push said in an analysis.
SocGholish, also called FakeUpdates, is a JavaScript loader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It's attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.
Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, including Evil Corp (aka DEV-0243), LockBit, Dridex, and Raspberry Robin (aka Roshtyak). Interestingly, recent campaigns have also leveraged Raspberry Robin as a distribution vector for SocGholish.
"SocGholish infections typically originate from compromised websites that have been infected in multiple different ways," Silent Push said. "Website infections can involve direct injections, where the SocGholish payload delivery injects JS directly loaded from an infected webpage or via a version of the direct injection that uses an intermediate JS file to load the related injection."
Besides redirecting to SocGholish domains via compromised websites, another primary source of traffic involves using third-party TDSes like Parrot TDS and Keitaro TDS to direct web traffic to specific websites or to landing pages after performing extensive fingerprinting of the site visitor and determining if they are of interest based on certain predefined criteria.
Keitaro TDS has long been involved in threat activity going beyond malvertising and scams to deliver more sophisticated malware, including exploit kits, loaders, ransomware, and Russian influence operations. Last year, Infoblox revealed how SocGholish, a VexTrio partner, used Keitaro to redirect victims to VexTrio's TDSes.
"Because Keitaro also has many legitimate applications, it is frequently difficult or impossible to simply block traffic through the service without generating excessive false positives, although organizations can consider this in their own policies," Proofpoint noted back in 2019.
Keitaro TDS is believed to be connected to TA2726, which has functioned as a traffic provider for both SocGholish and TA2727 by compromising websites and injecting a Keitaro TDS link, and then selling that to its customers.
"The intermediate C2 [command-and-control] framework dynamically generates payloads that victims download at runtime," Silent Push noted.
"It is essential to note that across the execution framework, from the initial SocGholish injection to the on-device execution of the Windows implant, the entire process is continuously tracked by SocGholish's C2 framework. If, at any time, the framework determines that a given victim is not 'legitimate,' it will stop the serving of a payload."
The cybersecurity company has also assessed that there are possibly former members who are involved in Dridex, Raspberry Robin, and SocGholish, given the overlapping nature of the campaigns observed.
The development comes as Zscaler detailed an updated version of Raspberry Robin that features improved obfuscation methods, changes to its network communication process, and embeds pointing to intentionally corrupted TOR C2 domains, signaling continued efforts to avoid detection and hinder reverse engineering efforts.
"The network encryption algorithm has changed from AES (CTR mode) to Chacha-20," the company said. "Raspberry Robin has added a new local privilege escalation (LPE) exploit (CVE-2024-38196) to gain elevated privileges on targeted systems."
The disclosure also follows an evolution of DarkCloud Stealer attacks that employ phishing emails to deliver a ConfuserEx-protected version of the stealer payload written in Visual Basic 6, which is launched and executed using a technique called process hollowing.
"DarkCloud Stealer is typical of an evolution in cyberthreats, leveraging obfuscation techniques and intricate payload structures to evade traditional detection mechanisms," Unit 42 said. "The shift in delivery methods observed in April 2025 indicates an evolving evasion strategy."
Fortinet FortiGuard Labs, which also detailed another DarkCloud campaign, said it identified phishing emails that tricked users recipients into opening an attached RAR file under the pretext of providing an urgent quote.
The RAR archives contain a JavaScript payload that, when launched, decodes PowerShell responsible for dropping a fileless variant of the stealer via an encrypted DLL embedded within a JPEG image hosted on The Internet Archive.
DarkCloud gathers "credentials, payment information stored in web browsers, FTP clients, and email clients," security researcher Xiaopeng Zhang said. "It also collects the email contacts from the victim’s email client software."
