RansomHub Leverages SocGholish FakeUpdates to Target Government Sector

Industry | Written by Anthony M. Freed | Published on Apr 15, 2025

Researchers have identified a new RansomHub ransomware campaign that leverages the long-running malware delivery operation SocGholish—also known as FakeUpdates—to target U.S. government entities.  

RansomHub is now being delivered through a multistage attack chain involving thousands of compromised websites, Cybersecurity Dive reports.

SocGholish infects users by injecting malicious JavaScript into legitimate but compromised sites. When visited, these sites redirect traffic using Keitaro, a commercial traffic distribution system.  

This system filters out sandboxes and researchers, directing real users to fake browser update pages. When a user accepts the bogus update prompt, an obfuscated JavaScript loader is dropped, followed by additional payloads.

In the case of RansomHub, the loader deploys Python-based backdoors that create persistent access to victims' systems. These backdoors connect to command-and-control servers to exfiltrate sensitive data.  

Researchers observed that compromised websites are also used for C2 communication through domain shadowing, where new subdomains are created under trusted domains, making detection harder.
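As an added illustration of the detection side of domain shadowing (example code, not from the cited research or Halcyon's tooling), the following Python script flags names that appear under an already-resolved parent domain but were never queried during a baseline window. The log format, sample lines and the two-label "registered domain" rule are constructed simplifying assumptions; a real deployment would feed it resolver logs and use the public suffix list.

```python
"""Flag possible domain-shadowing C2 hosts in DNS query logs.
Detection: a name under a parent domain this environment already resolves
that was never queried during a baseline window, then appears later."""
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<ts> <client_ip> <qname> <rtype>".
SAMPLE_LOG = """\
2025-04-01T09:00:01 10.0.0.5 www.example-charity.org A
2025-04-01T09:00:03 10.0.0.7 example-charity.org A
2025-04-01T09:06:00 10.0.0.5 cdn.example-charity.org A
2025-04-02T10:00:00 10.0.0.9 www.example-charity.org A
2025-04-02T11:13:22 10.0.0.12 qx7a1b.example-charity.org A
2025-04-02T11:13:25 10.0.0.12 qx7a1b.example-charity.org A
2025-04-02T11:14:40 10.0.0.12 update-helper.example-charity.org A
2025-04-02T11:20:00 10.0.0.3 api.example-saas.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parent_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels; a real
    # deployment would consult the public suffix list instead.
    return ".".join(qname.split(".")[-2:])

def parse_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rtype = m.groups()
            yield ts, client, qname.lower().rstrip("."), rtype

def find_shadowed_hosts(log_text: str, baseline_until: str):
    """Return [(fqdn, first_seen, client_count)] for names under an
    already-known parent that first appear after baseline_until.
    Timestamps are ISO-8601 strings, so lexical order is chronological."""
    known_parents, known_names = set(), set()
    first_seen, clients = {}, defaultdict(set)
    for ts, client, name, _ in parse_log(log_text):
        if ts <= baseline_until:             # build the baseline
            known_parents.add(parent_domain(name))
            known_names.add(name)
        elif name not in known_names and parent_domain(name) in known_parents:
            first_seen.setdefault(name, ts)  # new label under a trusted parent
            clients[name].add(client)
    rows = [(n, first_seen[n], len(clients[n])) for n in first_seen]
    return sorted(rows, key=lambda r: r[1])
```

Hits seen from only one or two clients deserve the closest look; a legitimate new service under a trusted domain usually shows up from many clients at once.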

The campaign is heavily focused on WordPress sites and has compromised at least 2,500 domains. Researchers stressed the campaign’s scale and sophistication, highlighting that its reliance on legitimate, trusted websites significantly lowers user skepticism.

Beyond RansomHub, SocGholish is also facilitating delivery of various infostealers for Windows, Android, and macOS. Due to its evasion techniques and widespread infrastructure, researchers consider SocGholish infections critical and urge organizations to adopt advanced detection and response capabilities while hardening CMS defenses.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, RansomHub, a ransomware-as-a-service (RaaS) platform that emerged in early 2024, quickly gained notoriety for its impactful attacks and sophisticated deployment methods.  

One of RansomHub’s key differentiators is its generous affiliate model, offering up to 90% of ransom proceeds—an unusually high cut that has helped it attract experienced operators, including former members of groups like BlackCat/ALPHV.

The group enforces strict rules within its affiliate network, requiring affiliates to honor any agreements made with victims during ransom negotiations. Violating these terms can result in a permanent ban, reinforcing RansomHub’s focus on maintaining a disciplined and structured operation.

RansomHub targets both Windows and Linux systems, including VMware ESXi servers. Its operators exploit known vulnerabilities such as CVE-2023-3519 in Citrix NetScaler ADC and Gateway, CVE-2023-27997 in Fortinet SSL-VPN, and the ZeroLogon bug (CVE-2020-1472) in Microsoft Netlogon.  

They also rely on brute-force attacks against RDP and VPN services. Once inside, they deploy tools like Mimikatz for credential theft, Angry IP Scanner and Nmap for reconnaissance, and use PsExec and RDP for lateral movement. Endpoint defenses are often disabled using EDRKillShifter.

Data is encrypted using Curve25519, ChaCha20, and AES, with backups and volume shadow copies deleted to hinder recovery. RansomHub also engages in double extortion—exfiltrating data and threatening to leak it if the ransom isn't paid.

By Q4 2024, RansomHub had become the most prolific RaaS group, claiming over 600 victims across sectors like healthcare, finance, manufacturing, high tech, and the public sector. Despite a slowdown in early 2025, their ransom demands average around $2.79 million, reflecting a strategy aimed at vulnerable, high-value targets.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
