SocGholish malware is distributed through advertising tools and provides access to various groups such as LockBit and Evil Corp.
The threat actors behind the SocGholish malware have been observed utilising Traffic Distribution Systems (TDSs) such as Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to dubious content. The core of their operation revolves around a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organisations. SocGholish, also known as FakeUpdates, is a JavaScript loader malware that is distributed via compromised websites, masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. This malware is attributed to a threat actor known as TA569, which is also tracked under various aliases including Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.
Attack chains involving SocGholish typically establish initial access and broker that compromised system access to a diverse clientele, including Evil Corp (also known as DEV-0243), LockBit, Dridex, and Raspberry Robin (also referred to as Roshtyak). Infections usually originate from websites that have been compromised through various methods, including direct injection of the SocGholish payload. Besides redirecting users to SocGholish domains via compromised websites, another primary source of traffic is third-party TDSs like Parrot TDS and Keitaro TDS, which direct web traffic to specific websites after performing extensive fingerprinting of site visitors. Keitaro TDS has been involved in delivering sophisticated malware beyond malvertising and scams, including exploit kits and ransomware. It is often challenging to block traffic through Keitaro without generating excessive false positives, as it has many legitimate applications.