Blog
/
Email
/
June 25, 2024

Following up on our Conversation: Detecting & Containing a LinkedIn Phishing Attack with Darktrace

Darktrace/Email detected a phishing attack that had originated from LinkedIn, where the attacker impersonated a well known construction company to conduct a credential harvesting attack on the target. Darktrace’s ActiveAI Security Platform played a critical role in investigating the activity and initiating real-time responses that were outside the physical capability of human security teams.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nicole Wong
Cyber Security Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
25
Jun 2024

Note: Real organization, domain and user names have been modified and replaced with fictitious names to maintain anonymity.  

Social media cyber-attacks

Social media is a known breeding ground for cyber criminals to easily connect with a near limitless number of people and leverage the wealth of personal information shared on these platforms to defraud the general public.  Analysis suggests even the most tech savvy ‘digital natives’ are vulnerable to impersonation scams over social media, as criminals weaponize brands and trends, using the promise of greater returns to induce sensitive information sharing or fraudulent payments [1].

LinkedIn phishing

As the usage of a particular social media platform increases, cyber criminals will find ways to exploit the increasing user base, and this trend has been observed with the rise in LinkedIn scams in recent years [2].  LinkedIn is the dominant professional networking site, with a forecasted 84.1million users by 2027 [3].  This platform is data-driven, so users are encouraged to share information publicly, including personal life updates, to boost visibility and increase job prospects [4] [5].  While this helps legitimate recruiters to gain a good understanding of the user, an attacker could also leverage the same personal content to increase the sophistication and success of their social engineering attempts.  

Darktrace detection of LinkedIn phishing

Darktrace detected a Software-as-a-Service (SaaS) compromise affecting a construction company, where the attack vector originated from LinkedIn (outside the monitoring of corporate security tools), but then pivoted to corporate email where a credential harvesting payload was delivered, providing the attacker with credentials to access a corporate file storage platform.  

Because LinkedIn accounts are typically linked to an individual’s personal email and are most commonly accessed via the mobile application [6] on personal devices that are not monitored by security teams, it can represent an effective initial access point for attackers looking to establish an initial relationship with their target. Moreover, user behaviors to ignore unsolicited emails from new or unknown contacts are less frequently carried over to platforms like LinkedIn, where interactions with ‘weak ties’ as opposed to ‘strong ties’ are a better predictor of job mobility [7]. Had this attack been allowed to continue, the threat actor could have leveraged access to further information from the compromised business cloud account to compromise other high value accounts, exfiltrate sensitive data, or defraud the organization.

LinkedIn phishing attack details

Reconnaissance

The initial reconnaissance and social engineering occurred on LinkedIn and was thus outside the purview of corporate security tools, Darktrace included.

However, the email domain “hausconstruction[.]com” used by the attacker in subsequent communications appears to be a spoofed domain impersonating a legitimate construction company “haus[.]com”, suggesting the attacker may have also impersonated an employee of this construction company on LinkedIn.  In addition to spoofing the domain, the attacker seemingly went further to register “hausconstruction.com” on a commercial web hosting platform.  This is a technique used frequently not just to increase apparent legitimacy, but also to bypass traditional security tools since newly registered domains will have no prior threat intelligence, making them more likely to evade signature and rules-based detections [8].  In this instance, open-source intelligence (OSINT) sources report that the domain was created several months earlier, suggesting this may have been part of a targeted attack on construction companies.  

Initial Intrusion

It was likely that during the correspondence over LinkedIn, the target user was solicited into following up over email regarding a prospective construction project, using their corporate email account.  In a probable attempt to establish a precedent of bi-directional correspondence so that subsequent malicious emails would not be flagged by traditional security tools, the attacker did not initially include suspicious links, attachments or use solicitous or inducive language within their initial emails.

Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Figure 1: Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.
Figure 2: Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.  

To accomplish the next stage of their attack, the attacker shared a link, hidden behind the inducing text “VIEW ALL FILES”, to a malicious file using the Hightail cloud storage service. This is also a common method employed by attackers to evade detection, as this method of file sharing does not involve attachments that can be scanned by traditional security tools, and legitimate cloud storage services are less likely to be blocked.

OSINT analysis on the malicious link link shows the file hosted on Hightail was a HTML file with the associated message “Following up on our LinkedIn conversation”.  Further analysis suggests the file contained obfuscated Javascript that, once opened, would automatically redirect the user to a malicious domain impersonating a legitimate Microsoft login page for credential harvesting purposes.  

The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Figure 3: The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Screenshot of fraudulent Microsoft Sign In page hosted on the malicous credential harvesting domain.
Figure 4: Screenshot of fraudulent Microsoft Sign In page hosted on the malicious credential harvesting domain.

Although there was prior email correspondence with the attacker, this email was not automatically deemed safe by Darktrace and was further analyzed for unusual properties and unusual communications for the recipient and the recipient’s peer group.  

Darktrace determined that:

  • It was unusual for this file storage solution to be referenced in communications to the user and the wider network
  • Textual properties of the email body suggested a high level of inducement from the sender, with a high level of focus on the phishing link.
  • The full link contained suspicious properties suggesting it is high risk.
Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.
Figure 5: Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.  

Based on these anomalies, Darktrace initially moved the phishing email to the junk folder and locked the link, preventing the user from directly accessing the malicious file hosted on Hightail.  However, the customer’s security team released the email, likely upon end-user request, allowing the target user to access the file and ultimately enter their credentials into that credential harvesting domain.

Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.
Figure 6: Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.

Lateral Movement

Correspondence between the attacker and target continued for two days after the credential harvesting payload was delivered.  Five days later, Darktrace detected an unusual login using multi-factor authentication (MFA) from a rare external IP and ASN that coincided with Darktrace/Email logs showing access to the credential harvesting link.

This attempt to bypass MFA, known as an Office365 Shell WCSS attack, was likely achieved by inducing the target to enter their credentials and legitimate MFA token into the fake Microsoft login page. This was then relayed to Microsoft by the attacker and used to obtain a legitimate session. The attacker then reused the legitimate token to log into Exchange Online from a different IP and registered their own device for MFA.

Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Figure 7: Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked.  Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge.
Figure 8: Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked.  Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge. Highlighted in orange and red is the malicious activity using Chrome.

The IP addresses used by the attacker appear to be part of anonymization infrastructure, but are not associated with any known indicators of compromise (IoCs) that signature-based detections would identify [9] [10].

In addition to  logins being observed within half an hour of each other from multiple geographically impossible locations (San Francisco and Phoenix), the unexpected usage of Chrome browser, compared to Edge browser previously used, provided Darktrace with further evidence that this activity was unlikely to originate from the legitimate user.  Although the user was a salesperson who frequently travelled for their role, Darktrace’s Self-Learning AI understood that the multiple logins from these locations was highly unusual at the user and group level, and coupled with the subsequent unexpected account modification, was a likely indicator of account compromise.  

Accomplish mission

Although the email had been manually released by the security team, allowing the attack to propagate, additional layers of defense were triggered as Darktrace's Autonomous Response initiated “Disable User” actions upon detection of the multiple unusual logins and the unauthorized registration of security information.  

However, the customer had configured Autonomous Response to require human confirmation, therefore no actions were taken until the security team manually approved them over two hours later. In that time, access to mail items and other SharePoint files from the unusual IP address was detected, suggesting a potential loss of confidentiality to business data.

Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome.  Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.
Figure 9: Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome.  Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.

However, it appears that the attacker was able to maintain access to the compromised account, as login and mail access events from 199.231.85[.]153 continued to be observed until the afternoon of the next day.  

Conclusion

This incident demonstrates the necessity of AI to security teams, with Darktrace’s ActiveAI Security Platform detecting a sophisticated phishing attack where human judgement fell short and initiated a real-time response when security teams could not physically respond as fast.  

Security teams are very familiar with social engineering and impersonation attempts, but these attacks remain highly prevalent due to the widespread adoption of technologies that enable these techniques to be deployed with great sophistication and ease.  In particular, the popularity of information-rich platforms like LinkedIn that are geared towards connecting with unknown people make it an attractive initial access point for malicious attackers.

In the second half of 2023 alone, over 200 thousand fake profiles were reported by members on LinkedIn [11].  Fake profiles can be highly sophisticated, use professional images, contain compelling descriptions, reference legitimate company listings and present believable credentials.  

It is unrealistic to expect end users to defend themselves against such sophisticated impersonation attempts. Moreover, it is extremely difficult for human defenders to recognize every fraudulent interaction amidst a sea of fake profiles. Instead, defenders should leverage AI, which can conduct autonomous investigations without human biases and limitations. AI-driven security can ensure successful detection of fraudulent or malicious activity by learning what real users and devices look like and identifying deviations from their learned behaviors that may indicate an emerging threat.

Appendices

Darktrace Model Detections

DETECT/ Apps

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and Account Update

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compliance / M365 Security Information Modified

RESPOND/ Apps

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Unusual Activity Block

DETECT & RESPOND/ Email

·      Link / High Risk Link + Low Sender Association

·      Link / New Correspondent Classified Link

·      Link / Watched Link Type

·      Antigena Anomaly

·      Association / Unknown Sender

·      History / New Sender

·      Link / Link to File Storage

·      Link / Link to File Storage + Unknown Sender

·      Link / Low Link Association

List of IoCs

·      142.252.106[.]251 - IP            - Possible malicious IP used by attacker during cloud account compromise

·      199.231.85[.]153 – IP - Probable malicious IP used by attacker during cloud account compromise

·      vukoqo.hebakyon[.]com – Endpoint - Credential harvesting endpoint

MITRE ATT&CK Mapping

·      Resource Development - T1586 - Compromise Accounts

·      Resource Development - T1598.003 – Spearphishing Link

·      Persistence - T1078.004 - Cloud Accounts

·      Persistence - T1556.006 - Modify Authentication Process: Multi-Factor Authentication

·      Reconnaissance - T1593.001 – Social Media

·      Reconnaissance - T1598 – Phishing for Information

·      Reconnaissance - T1589.001 – Credentials

·      Reconnaissance - T1591.002 – Business Relationships

·      Collection - T1111 – Multifactor Authentication Interception

·      Collection - T1539 – Steal Web Session Cookie

·      Lateral Movement - T1021.007 – Cloud Services

·      Lateral Movement - T1213.002 - Sharepoint

References

[1] Jessica Barker, Hacked: The secrets behind cyber attacks, (London: Kogan Page, 2024), p. 130-146.

[2] https://www.bitdefender.co.uk/blog/hotforsecurity/5-linkedin-scams-and-how-to-avoid-them/

[3] https://www.washingtonpost.com/technology/2023/08/31/linkedin-personal-posts/

[4] https://www.forbes.com/sites/joshbersin/2012/05/21/facebook-vs-linkedin-whats-the-difference/

[5] https://thelinkedblog.com/2022/3-reasons-why-you-should-make-your-profile-public-1248/

[6] https://www.linkedin.com/pulse/50-linkedin-statistics-every-professional-should-ti9ue

[7] https://www.nytimes.com/2022/09/24/business/linkedin-social-experiments.html

[8] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

[9] https://spur.us/context/142.252.106[.]251

[10] https://spur.us/context/199.231.85[.]153

[11]https://www.statista.com/statistics/1328849/linkedin-number-of-fake-accounts-detected-and-removed

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nicole Wong
Cyber Security Analyst

More in this series

No items found.

Blog

/

/

May 2, 2025

SocGholish: From loader and C2 activity to RansomHub deployment

laptop and hand typingDefault blog imageDefault blog image

Over the past year, a clear pattern has emerged across the threat landscape: ransomware operations are increasingly relying on compartmentalized affiliate models. In these models, initial access brokers (IABs) [6], malware loaders, and post-exploitation operators work together.

Due to those specialization roles, a new generation of loader campaigns has risen. Threat actors increasingly employ loader operators to quietly establish footholds on the target network. These entities then hand off access to ransomware affiliates. One loader that continues to feature prominently in such campaigns is SocGholish.

What is SocGholish?

SocGholish is a loader malware that has been utilized since at least 2017 [7].  It has long been associated with fake browser updates and JavaScript-based delivery methods on infected websites.

Threat actors often target outdated or poorly secured CMS-based websites like WordPress. Through unpatched plugins, or even remote code execution flaws, they inject malicious JavaScript into the site’s HTML, templates or external JS resources [8].  Historically, SocGholish has functioned as a first-stage malware loader, ultimately leading to deployment of Cobalt Strike beacons [9], and further facilitating access persistence to corporate environments. More recently, multiple security vendors have reported that infections involving SocGholish frequently lead to the deployment of RansomHub ransomware [3] [5].

This blog explores multiple instances within Darktrace's customer base where SocGholish deployment led to subsequent network compromises. Investigations revealed indicators of compromise (IoCs) similar to those identified by external security researchers, along with variations in attacker behavior post-deployment. Key innovations in post-compromise activities include credential access tactics targeting authentication mechanisms, particularly through the abuse of legacy protocols like WebDAV and SCF file interactions over SMB.

Initial access and execution

Since January 2025, Darktrace’s Threat Research team observed multiple cases in which threat actors leveraged the SocGholish loader for initial access. Malicious actors commonly deliver SocGholish by compromising legitimate websites by injecting malicious scripts into the HTML of the affected site. When the visitor lands on an infected site, they are typically redirected to a fake browser update page, tricking them into downloading a ZIP file containing a JavaScript-based loader [1] [2]. In one case, a targeted user appears to have visited the compromised website garagebevents[.]com (IP: 35.203.175[.]30), from which around 10 MB of data was downloaded.

Device Event Log showing connections to the compromised website, following by connections to the identified Keitaro TDS instances.
Figure 1: Device Event Log showing connections to the compromised website, following by connections to the identified Keitaro TDS instances.

Within milliseconds of the connection establishment, the user’s device initiated several HTTPS sessions over the destination port 443 to the external endpoint 176.53.147[.]97, linked to the following Keitaro TDS domains:

  • packedbrick[.]com
  • rednosehorse[.]com
  • blackshelter[.]org
  • blacksaltys[.]com

To evade detection, SocGholish uses highly obfuscated code and relies on traffic distribution systems (TDS) [3].  TDS is a tool used in digital and affiliate marketing to manage and distribute incoming web traffic based on predefined rules. More specifically, Keitaro is a premium self-hosted TDS frequently utilized by attackers as a payload repository for malicious scripts following redirects from compromised sites. In the previously noted example, it appears that the device connected to the compromised website, which then retrieved JavaScript code from the aforementioned Keitaro TDS domains. The script served by those instances led to connections to the endpoint virtual.urban-orthodontics[.]com (IP: 185.76.79[.]50), successfully completing SocGholish’s distribution.

Advanced Search showing connections to the compromised website, following by those to the identified Keitaro TDS instances.
Figure 2: Advanced Search showing connections to the compromised website, following by those to the identified Keitaro TDS instances.

Persistence

During some investigations, Darktrace researchers observed compromised devices initiating HTTPS connections to the endpoint files.pythonhosted[.]org (IP: 151.101.1[.]223), suggesting Python package downloads. External researchers have previously noted how attackers use Python-based backdoors to maintain access on compromised endpoints following initial access via SocGholish [5].

Credential access and lateral movement

Credential access – external

Darktrace researchers identified observed some variation in kill chain activities following initial access and foothold establishment. For example, Darktrace detected interesting variations in credential access techniques. In one such case, an affected device attempted to contact the rare external endpoint 161.35.56[.]33 using the Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. WebDAV enables remote shares to be mounted over HTTP or HTTPS, similar to how SMB operates, but using web-based protocols. Windows supports WebDAV natively, which means a UNC path pointing to an HTTP or HTTPS resource can trigger system-level behavior such as authentication.

In this specific case, the system initiated outbound connections using the ‘Microsoft-WebDAV-MiniRedir/10.0.19045’ user-agent, targeting the URI path of /s on the external endpoint 161.35.56[.]33. During these requests, the host attempted to initiate NTML authentication and even SMB sessions over the web, both of which failed. Despite the session failures, these attempts also indicate a form of forced authentication. Forced authentication exploits a default behavior in Windows where, upon encountering a UNC path, the system will automatically try to authenticate to the resource using NTML – often without any user interaction. Although no files were directly retrieved, the WebDAV server was still likely able to retrieve the user’s NTLM hash during the session establishment requests, which can later be used by the adversary to crack the password offline.

Credential access – internal

In another investigated incident, Darktrace observed a related technique utilized for credential access and lateral movement. This time, the infected host uploaded a file named ‘Thumbs.scf’ to multiple internal SMB network shares. Shell Command File ( SCF) is a legacy Windows file format used primarily for Windows Explorer shortcuts. These files contain instructions for rendering icons or triggering shell commands, and they can be executed implicitly when a user simply opens a folder containing the file – no clicks required.

The ‘Thumbs.scf’ file dropped by the attacker was crafted to exploit this behavior. Its contents included a [Shell] section with the Command=2 directive and an IconFile path pointing to a remote UNC resource on the same external endpoint, 161.35.56[.]33, seen in the previously described case – specifically, ‘\\161.35.56[.]33\share\icon.ico’. When a user on the internal network navigates to the folder containing the SCF file, their system will automatically attempt to load the icon. In doing so, the system issues a request to the specified UNC path, which again prompts Windows to initiate NTML authentication.

This pattern of activity implies that the attacker leveraged passive internal exposure; users who simply browsed a compromised share would unknowingly send their NTML hashes to an external attacker-controlled host. Unlike the WebDAV approach, which required initiating outbound communication from the infected host, this SCF method relies on internal users to interact with poisoned folders.

Figure 3: Contents of the file 'Thumbs.scf' showing the UNC resource hosted on the external endpoint.
Figure 3: Contents of the file 'Thumbs.scf' showing the UNC resource hosted on the external endpoint.

Command-and-control

Following initial compromise, affected devices would then attempt outbound connections using the TLS/SSL protocol over port 443 to different sets of command-and-control (C2) infrastructure associated with SocGholish. The malware frequently uses obfuscated JavaScript loaders to initiate its infection chain, and once dropped, the malware communicates back to its infrastructure over standard web protocols, typically using HTTPS over port 443. However, this set of connections would precede a second set of outbound connections, this time to infrastructure linked to RansomHub affiliates, possibly facilitating the deployed Python-based backdoor.

Connectivity to RansomHub infrastructure relied on defense evasion tactics, such as port-hopping. The idea behind port-hopping is to disguise C2 traffic by avoiding consistent patterns that might be caught by firewalls, and intrusion detection systems. By cycling through ephemeral ports, the malware increases its chances of slipping past basic egress filtering or network monitoring rules that only scrutinize common web traffic ports like 443 or 80. Darktrace analysts identified systems connecting to destination ports such as 2308, 2311, 2313 and more – all on the same destination IP address associated with the RansomHub C2 environment.

Figure 4: Advanced Search connection logs showing connections over destination ports that change rapidly.

Conclusion

Since the beginning of 2025, Darktrace analysts identified a campaign whereby ransomware affiliates leveraged SocGholish to establish network access in victim environments. This activity enabled multiple sets of different post exploitation activity. Credential access played a key role, with affiliates abusing WebDAV and NTML over SMB to trigger authentication attempts. The attackers were also able to plant SCF files internally to expose NTML hashes from users browsing shared folders. These techniques evidently point to deliberate efforts at early lateral movement and foothold expansion before deploying ransomware. As ransomware groups continue to refine their playbooks and work more closely with sophisticated loaders, it becomes critical to track not just who is involved, but how access is being established, expanded, and weaponized.

Credit to Chrisina Kreza (Cyber Analyst) and Adam Potter (Senior Cyber Analyst)

Appendices

Darktrace / NETWORK model alerts

·       Anomalous Connection / SMB Enumeration

·       Anomalous Connection / Multiple Connections to New External TCP Port

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Connection / New User Agent to IP Without Hostname

·       Compliance / External Windows Communication

·       Compliance / SMB Drive Write

·       Compromise / Large DNS Volume for Suspicious Domain

·       Compromise / Large Number of Suspicious Failed Connections

·       Device / Anonymous NTML Logins

·       Device / External Network Scan

·       Device / New or Uncommon SMB Named Pipe

·       Device / SMB Lateral Movement

·       Device / Suspicious SMB Activity

·       Unusual Activity / Unusual External Activity

·       User / Kerberos Username Brute Force

MITRE ATT&CK mapping

·       Credential Access – T1187 Forced Authentication

·       Credential Access – T1110 Brute Force

·       Command and Control – T1071.001 Web Protocols

·       Command and Control – T1571 Non-Standard Port

·       Discovery – T1083 File and Directory Discovery

·       Discovery – T1018 Remote System Discovery

·       Discovery – T1046 Network Service Discovery

·       Discovery – T1135 Network Share Discovery

·       Execution – T1059.007 JavaScript

·       Lateral Movement – T1021.002 SMB/Windows Admin Shares

·       Resource Deployment – T1608.004 Drive-By Target

List of indicators of compromise (IoCs)

·       garagebevents[.]com – 35.203.175[.]30 – Possibly compromised website

·       packedbrick[.]com – 176.53.147[.]97 – Keitaro TDS Domains used for SocGholish Delivery

·       rednosehorse[.]com – 176.53.147[.]97 – Keitaro TDS Domains used for SocGholish Delivery

·       blackshelter[.]org – 176.53.147[.]97 – Keitaro TDS Domains used for SocGholish Delivery

·       blacksaltys[.]com – 176.53.147[.]97 – Keitaro TDS Domains used for SocGholish Delivery

·       virtual.urban-orthodontics[.]com – 185.76.79[.]50

·       msbdz.crm.bestintownpro[.]com – 166.88.182[.]126 – SocGholish C2

·       185.174.101[.]240 – RansomHub Python C2

·       185.174.101[.]69 – RansomHub Python C2

·       108.181.182[.]143 – RansomHub Python C2

References

[1] https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/socgholish-malware/

[2] https://intel471.com/blog/threat-hunting-case-study-socgholish

[3] https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html

[4] https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware

[5] https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/

[6] https://www.cybereason.com/blog/how-do-initial-access-brokers-enable-ransomware-attacks

[7] https://attack.mitre.org/software/S1124/

[8] https://expel.com/blog/incident-report-spotting-socgholish-wordpress-injection/

[9] https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes

Continue reading
About the author
Christina Kreza
Cyber Analyst

Blog

/

/

May 1, 2025

Your Vendors, Your Risk: Rethinking Third-Party Security in the Age of Supply Chain Attacks

man on cellphoneDefault blog imageDefault blog image

When most people hear the term supply chain attack, they often imagine a simple scenario: one organization is compromised, and that compromise is used as a springboard to attack another. This kind of lateral movement is common, and often the entry vector is as mundane and as dangerous as email.

Take, for instance, a situation where a trusted third-party vendor is breached. An attacker who gains access to their systems can then send malicious emails to your organization, emails that appear to come from a known and reputable source. Because the relationship is trusted, traditional phishing defenses may not be triggered, and recipients may be more inclined to engage with malicious content. From there, the attacker can establish a foothold, move laterally, escalate privileges, and launch a broader campaign.

This is one dimension of a supply chain cyber-attack, and it’s well understood in many security circles. But the risk doesn’t end there. In fact, it goes deeper, and it often hits the most important asset of all: your customers' data.

The risk beyond the inbox

What happens when customer data is shared with a third party for legitimate processing purposes for example billing, analytics, or customer service and that third party is then compromised?

In that case, your customer data is breached, even if your own systems were never touched. That’s the uncomfortable truth about modern cybersecurity: your risk is no longer confined to your own infrastructure. Every entity you share data with becomes an extension of your attack surface. Thus, we should rethink how we perceive responsibility.

It’s tempting to think that securing our environment is our job, and securing their environment is theirs. But if a breach of their environment results in the exposure of our customers, the accountability and reputational damage fall squarely on our shoulders.

The illusion of boundaries

In an era where digital operations are inherently interconnected, the lines of responsibility can blur quickly. Legally and ethically, organizations are still responsible for the data they collect even if that data is processed, stored, or analyzed by a third party. A customer whose data is leaked because of a vendor breach will almost certainly hold the original brand responsible, not the third-party processor they never heard of.

This is particularly important for industries that rely on extensive outsourcing and platform integrations (SaaS platforms, marketing tools, CRMs, analytics platforms, payment processors). The list of third-party vendors with access to customer data grows year over year. Each integration adds convenience, but also risk.

Encryption isn’t a silver bullet

One of the most common safeguards used in these data flows is encryption. Encrypting customer data in transit is a smart and necessary step, but it’s far from enough. Once data reaches the destination system, it typically needs to be decrypted for use. And the moment it is decrypted, it becomes vulnerable to a variety of attacks like ransomware, data exfiltration, privilege escalation, and more.

In other words, the question isn’t just is the data secure in transit? The more important question is how is it protected once it arrives?

A checklist for organizations evaluating third-parties

Given these risks, what should responsible organizations do when they need to share customer data with third parties?

Start by treating third-party security as an extension of your own security program. Here are some foundational controls that can make a difference:

Due diligence before engagement: Evaluate third-party vendors based on their security posture before signing any contracts. What certifications do they hold? What frameworks do they follow? What is their incident response capability?

Contractual security clauses: Build in specific security requirements into vendor contracts. These can include requirements for encryption standards, access control policies, and data handling protocols.

Third-party security assessments: Require vendors to provide evidence of their security controls. Independent audits, penetration test results, and SOC 2 reports can all provide useful insights.

Ongoing monitoring and attestations: Security isn’t static. Make sure vendors provide regular security attestations and reports. Where possible, schedule periodic reviews or audits, especially for vendors handling sensitive data.

Minimization and segmentation: Don’t send more data than necessary. Data minimization limits the exposure in the event of a breach. Segmentation, both within your environment and within vendor access levels, can further reduce risk.

Incident response planning: Ensure you have a playbook for handling third-party incidents, and that vendors do as well. Coordination in the event of a breach should be clear and rapid.

The human factor: Customers and communication

There’s another angle to supply chain cyber-attacks that’s easy to overlook: the post-breach exploitation of public knowledge. When a breach involving customer data hits the news, it doesn’t take long for cybercriminals to jump on the opportunity.

Attackers can craft phishing emails that appear to be follow-ups from the affected organization: “Click here to reset your password,” “Confirm your details due to the breach,” etc.

A breach doesn’t just put customer data at risk it also opens the door to further fraud, identity theft, and financial loss through social engineering. This is why post-breach communication and phishing mitigation strategies are valuable components of an incident response strategy.

Securing what matters most

Ultimately, protecting against supply chain cyber-attacks isn’t just about safeguarding your own perimeter. It’s about defending the integrity of your customers’ data, wherever it goes. When customer data is entrusted to you, the duty of care doesn’t end at your firewall.

Relying on vendors to “do their part” is not enough. True due diligence means verifying, validating, and continuously monitoring those extended attack surfaces. It means designing controls that assume failure is possible, and planning accordingly.

In today’s threat landscape, cybersecurity is no longer just a technical discipline. It’s a trust-building exercise. Your customers expect you to protect their information, and rightly so. And when a supply chain attack happens, whether the breach originated with you or your partner, the damage lands in the same place: your brand, your customers, your responsibility.

[related-resource]

Continue reading
About the author
Tony Jarvis
VP, Field CISO | Darktrace
Your data. Our AI.
Elevate your network security with Darktrace AI