RansomHub Ransomware Deploys Malware to Breach Corporate Networks

In early March 2025, eSentire’s Threat Response Unit (TRU) uncovered a sophisticated cyberattack targeting corporate networks that leveraged SocGholish malware, also known as FakeUpdates.

This attack, orchestrated by affiliates of RansomHub, a notorious Ransomware-as-a-Service (RaaS) group that emerged in 2024, demonstrates a calculated approach to infiltrating high-profile organizations.

SocGholish Malware as Initial Vector

RansomHub markets its illicit services on the Dark Web forum RAMP (Russian Anonymous Market Place), focusing on data exfiltration and extortion.

The infection chain began with a compromised WordPress site, “butterflywonderland[.]com,” which tricked users into downloading a malicious file named “Update.zip.”

Figure: Infection chain

This archive contained a JScript file, “Update.js,” which initiated communication with a SocGholish Command and Control (C2) server at “exclusive.nobogoods[.]com” to fetch subsequent payloads and execute them via the eval() function.

Technical Depth: Multi-Stage Malware Deployment and Evasion Tactics

The SocGholish script executed a series of reconnaissance steps, harvesting critical system information such as domain, username, computer name, and processor architecture, which was URL-encoded and transmitted to the C2 server via HTTP POST requests.

Utilizing Living Off the Land Binaries (LOLBins) like net.exe and systeminfo, the malware gathered network and system details, while PowerShell commands enumerated servers in Active Directory and extracted browser credentials from Microsoft Edge and Google Chrome, including encryption keys for stored sensitive data.

Within roughly 6.5 minutes of initial contact, a Python-based backdoor was retrieved, renamed to “python3.12.zip,” unpacked, and executed via a scheduled task.
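The three paragraphs above describe a behaviour chain (script host, LOLBin reconnaissance, PowerShell, then a scheduled task) that can be detected from process-creation telemetry without relying on any hash. The following is an added example, not code from eSentire or from the report, that walks a parent-process tree over constructed, Sysmon-style events and flags reconnaissance and persistence binaries whose ancestry includes a script host. The event field names, the sample command lines, the task name and the python3.12 action path are all assumptions made for the example.

```python
"""Added example (not eSentire's code): behaviour-based detection over
constructed process-creation events shaped after the SocGholish chain
(script host -> LOLBin recon -> PowerShell -> scheduled task).
Field names and sample command lines are assumptions, not real telemetry."""
from collections import defaultdict

# Script hosts a JScript loader such as Update.js runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# LOLBins the article names for reconnaissance, plus PowerShell (AD and
# browser-credential enumeration) and schtasks.exe (persistence).
RECON_LOLBINS = {"net.exe", "net1.exe", "systeminfo.exe", "powershell.exe"}
PERSISTENCE = {"schtasks.exe"}

# Constructed telemetry, loosely Sysmon Event ID 1 shaped (assumed fields).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",    "cmd": 'wscript.exe "C:\\Users\\u\\Downloads\\Update.js"'},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",        "cmd": "cmd.exe /c systeminfo"},
    {"pid": 202, "ppid": 201, "image": "systeminfo.exe", "cmd": "systeminfo"},
    {"pid": 203, "ppid": 200, "image": "net.exe",        "cmd": "net view /domain"},
    {"pid": 204, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc <constructed>"},
    # Hypothetical task action pointing at the unpacked python3.12 directory.
    {"pid": 205, "ppid": 200, "image": "schtasks.exe",
     "cmd": 'schtasks /create /tn "Updater" /tr "C:\\Users\\u\\AppData\\Local\\python3.12\\python.exe" /sc minute'},
    # Benign: an administrator running systeminfo from Explorer, no script host above it.
    {"pid": 300, "ppid": 100, "image": "systeminfo.exe", "cmd": "systeminfo"},
]


def build_index(events):
    """Map pid -> event so parent chains can be walked."""
    return {e["pid"]: e for e in events}


def script_host_ancestor(event, index, max_depth=8):
    """Return the nearest ancestor whose image is a script host, else None.
    max_depth bounds the walk so a cyclic or huge tree cannot hang the scan."""
    cur = event
    for _ in range(max_depth):
        parent = index.get(cur["ppid"])
        if parent is None:
            return None
        if parent["image"].lower() in SCRIPT_HOSTS:
            return parent
        cur = parent
    return None


def detect(events):
    """Return alert dicts for recon/persistence binaries rooted in a script host."""
    index = build_index(events)
    alerts = []
    tools_per_root = defaultdict(set)
    for e in events:
        img = e["image"].lower()
        if img not in RECON_LOLBINS and img not in PERSISTENCE:
            continue
        root = script_host_ancestor(e, index)
        if root is None:
            continue  # same binary, but launched interactively: not this pattern
        rule = "persistence_from_script_host" if img in PERSISTENCE else "recon_from_script_host"
        alerts.append({"rule": rule, "pid": e["pid"], "image": img,
                       "root_pid": root["pid"], "root_cmd": root["cmd"]})
        tools_per_root[root["pid"]].add(img)
    # Escalate when one script host fans out into several distinct recon tools,
    # which is the burst the article describes rather than a single stray command.
    for root_pid, imgs in tools_per_root.items():
        recon = sorted(imgs & RECON_LOLBINS)
        if len(recon) >= 2:
            alerts.append({"rule": "recon_burst", "pid": root_pid, "image": index[root_pid]["image"],
                           "root_pid": root_pid, "tools": recon})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The parent walk matters more than the binary names: systeminfo.exe launched through an intermediate cmd.exe is still attributed to the wscript.exe root, while the same binary started from Explorer produces no alert. In production the lookup would be over a time-bounded window of events rather than an in-memory list, and the root command line (here, the path to Update.js) is what an analyst pivots on first.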

Figure: Python backdoor main function

This backdoor, identified as “fcrapvim.pyz,” employed advanced obfuscation and evasion techniques, checking for virtual machine environments and debugging processes to avoid detection.

Its decryption process involved multiple stages, including Base85 decoding, AES-256 (GCM), AES-128 (CTR) and ChaCha20 decryption, and ZLIB inflation, showcasing a complex layered defense against analysis.

The final stage revealed a connection to a threat actor server at “38.146.28[.]93,” enabling SOCKS proxy functionality for reconnaissance and lateral movement within compromised networks, aligning with findings from Trend Micro’s reports on similar TTPs.

According to eSentire’s report, this attack underscores the strategic patience of RansomHub affiliates, who cast a wide net and then select valuable targets after discovery, bypassing sandbox environments and security researchers.

The deployment of SocGholish as an initial access vector, combined with a Python backdoor for persistent access, highlights a trend of multi-stage payloads designed for stealth and impact.

Organizations must prioritize endpoint detection and response (EDR) solutions to identify anomalous behaviors, such as unexpected scheduled tasks or network traffic to suspicious domains/IPs like those identified in this campaign.
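The recommendation above to watch for traffic to the campaign's domains and IP, together with the SOCKS-proxy connection noted earlier, is easiest to act on with a small indicator sweep. The following is an added example, not code from eSentire or the report, that refangs the three indicators the article publishes (butterflywonderland[.]com, exclusive.nobogoods[.]com and 38.146.28[.]93), then scans constructed DNS, proxy and firewall log lines for exact or subdomain matches and records the internal client for each hit. The log formats, timestamps and client addresses are assumptions invented for the example.

```python
"""Added example (not eSentire's code): sweep DNS/proxy/firewall logs for the
indicators published in the article. Log formats are constructed assumptions."""
import ipaddress
import re

# Indicators exactly as the article prints them (defanged).
DEFANGED_IOCS = [
    "butterflywonderland[.]com",
    "exclusive.nobogoods[.]com",
    "38.146.28[.]93",
]

# Constructed log lines, one per telemetry source (timestamps and hosts invented).
SAMPLE_LOGS = [
    "dns ts=2025-03-03T10:00:01Z client=10.0.0.12 qname=butterflywonderland.com qtype=A",
    "proxy ts=2025-03-03T10:00:04Z client=10.0.0.12 method=POST host=exclusive.nobogoods.com path=/ status=200",
    "fw ts=2025-03-03T10:06:40Z src=10.0.0.12 dst=38.146.28.93 proto=tcp action=allow",
    "dns ts=2025-03-03T10:07:00Z client=10.0.0.40 qname=update.microsoft.com qtype=A",
    "dns ts=2025-03-03T10:07:30Z client=10.0.0.41 qname=notbutterflywonderland.com qtype=A",  # must NOT match
    "proxy ts=2025-03-03T10:08:00Z client=10.0.0.12 method=GET host=cdn.exclusive.nobogoods.com path=/x",  # subdomain
]

KV = re.compile(r"\b(client|src|qname|host|dst)=([^\s]+)")


def refang(ioc):
    """Turn a defanged indicator back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(defanged):
    """Split indicators into domain and IP sets; IPs are validated, not string-matched."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


def hostname_hit(name, domains):
    """Exact or subdomain match; 'notbutterflywonderland.com' must not match."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(lines, domains, ips):
    """Return one hit per (line, field) that matches an indicator."""
    hits = []
    for i, line in enumerate(lines):
        fields = dict(KV.findall(line))
        client = fields.get("client") or fields.get("src")
        for key in ("qname", "host", "dst"):
            value = fields.get(key)
            if not value:
                continue
            if value in ips:
                hits.append({"line": i, "client": client, "ioc": value, "field": key})
                continue
            d = hostname_hit(value, domains)
            if d:
                hits.append({"line": i, "client": client, "ioc": d, "field": key})
    return hits


def affected_clients(hits):
    """Collapse hits to the internal hosts that need triage."""
    return sorted({h["client"] for h in hits if h["client"]})


if __name__ == "__main__":
    doms, addrs = load_iocs(DEFANGED_IOCS)
    found = scan(SAMPLE_LOGS, doms, addrs)
    for h in found:
        print(h)
    print("clients to triage:", affected_clients(found))
```

Two details carry the value here: refanging is done once at load time so analysts can paste indicators straight from a report, and the domain comparison is anchored on a leading dot so a lookalike such as notbutterflywonderland.com is not a false positive while a subdomain of the C2 host still is.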

Regular patching of web platforms like WordPress, employee training on phishing and social engineering tactics, and robust credential protection mechanisms are critical to mitigate such threats.

eSentire’s 24/7 Security Operations Centers (SOCs), backed by Elite Threat Hunters and the TRU team, continue to track and respond to such incidents, reinforcing the need for proactive cybersecurity in an era where adversaries operate beyond conventional schedules.
