A rising wave of cyberattacks is targeting U.S. government agencies, banking institutions, and consulting firms, as the RansomHub ransomware group teams up with the FakeUpdates (SocGholish) malware-as-a-service (MaaS) operation to deliver its ransomware payload.
The coordinated campaign, tracked as “Water Scylla” by Trend Micro researchers, showcases a complex, multi-stage attack chain involving multiple cybercriminal groups — with SocGholish playing a pivotal role as the initial access broker.
According to Trend Micro's report, the attack begins with legitimate websites compromised by SocGholish's malicious scripts. These scripts, hidden in obfuscated JavaScript loaders injected into the compromised pages, redirect visitors to fake browser update prompts, the hallmark of the FakeUpdates campaign.
Once the victim runs the downloaded "update" (a script that Windows Script Host executes, not a browser installer), the malware runs in the background, exfiltrating sensitive data, executing operator commands, and paving the way for further exploitation.
In this latest wave of attacks, the final payload is the RansomHub ransomware binary, marking a dangerous collaboration that significantly raises the stakes for organizations targeted.
“SocGholish acts as a key enabler in these campaigns, offering persistent access for RansomHub’s ransomware deployment,” Trend Micro researchers explained.
RansomHub’s Rising Influence and Alliances with Other Threat Actors
While RansomHub has only been active since February 2024, it has quickly climbed the ranks and is now considered one of the most dangerous ransomware operations globally. In terms of impact, the group trails only Akira and CL0P, two of the most notorious ransomware gangs.
A critical factor in RansomHub's rise is its aggressive strategy of collaborating with other cybercriminal groups. The Water Scylla campaign also involves rogue operators of the Keitaro Traffic Distribution System (TDS), a commercial traffic-routing service, who filter and funnel selected visitors straight into SocGholish's infection chain.
Additionally, RansomHub has reportedly absorbed members from other high-profile groups, including the infamous Scattered Spider gang, known for breaching MGM Resorts and Caesars Entertainment.
What makes SocGholish especially hard to block is how it manages its infrastructure. Its operators currently run 18 active command-and-control (C2) servers and rotate domains weekly, so static indicator lists go stale almost as soon as they are published.
A preferred tactic is domain shadowing: the attackers add their own subdomains, pointing at attacker-controlled servers, to legitimate domains whose DNS they have gained control of. The malicious host inherits the parent domain's good reputation, so reputation checks that score the registered domain rather than the full hostname will let the traffic through.
“Domain shadowing gives threat actors cover, making detection incredibly challenging,” Trend Micro noted.
This stealthy infrastructure ensures that SocGholish can continue delivering malware payloads, conducting data exfiltration, and maintaining persistent access for further attacks — all while flying under the radar.
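As an added illustration (not code from the Trend Micro report), the following Python heuristic works on resolver logs to surface the one symptom domain shadowing cannot hide: a hostname that has never been seen before under a parent domain that otherwise has an established history. The log lines, the baseline of previously seen hostnames and the tiny public-suffix table are all constructed for the example; a real deployment would take them from passive DNS and the full Public Suffix List.

```python
"""Added example (not from the Trend Micro report): flag never-before-seen
hostnames under parent domains that already have an established history,
the footprint domain shadowing leaves in DNS logs.  Baseline, log lines and
the suffix table are constructed for the example."""

from collections import defaultdict

# Stand-in for the Public Suffix List (assumption: a real deployment would
# load the full list, e.g. via the tldextract package).
MULTI_LABEL_SUFFIXES = {"co.uk", "co.jp", "com.au", "com.tw"}


def registrable_domain(fqdn):
    """Return the registrable domain (eTLD+1) of a hostname."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line):
    """Constructed log format: '<timestamp> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def find_shadowed(lines, baseline):
    """baseline: {registrable_domain: set of hostnames seen before}.
    Returns {parent: {new_hostname: number_of_distinct_clients}}.  Parents
    absent from the baseline are skipped: a brand-new domain belongs to a
    separate newly-registered-domain check, not to shadowing."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        if not line.strip():
            continue
        _, client, qname = parse_line(line)
        parent = registrable_domain(qname)
        known = baseline.get(parent)
        if known is None or qname in known:
            continue
        seen[parent][qname].add(client)
    return {p: {h: len(c) for h, c in hosts.items()} for p, hosts in seen.items()}


# Constructed baseline and log sample (example.* names are reserved for docs).
BASELINE = {
    "example.org": {"example.org", "www.example.org", "mail.example.org"},
    "example.co.uk": {"example.co.uk", "www.example.co.uk"},
}
SAMPLE_LOG = """\
2025-03-10T09:01:02 10.0.0.5 www.example.org
2025-03-10T09:01:05 10.0.0.5 cdn.updates.example.org
2025-03-10T09:02:11 10.0.0.7 cdn.updates.example.org
2025-03-10T09:03:40 10.0.0.9 mail.example.org
2025-03-10T09:04:01 10.0.0.5 track.example.co.uk
2025-03-10T09:05:00 10.0.0.5 totally-new.example.net
"""


def demo():
    return find_shadowed(SAMPLE_LOG.splitlines(), BASELINE)


if __name__ == "__main__":
    for parent, hosts in demo().items():
        for host, n in hosts.items():
            print(f"{parent}: new host {host} resolved by {n} client(s)")
```

Reputation services that score only the registered domain will pass a shadowed host, which is the whole point of the technique; keying on first-seen hostnames per parent, weighted by how many clients resolved them, is what catches it. Expect noise from legitimate CDN and SaaS subdomains, so age the baseline over several weeks and keep a short allowlist for known infrastructure.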
Urgent Security Measures Needed as the Ransomware Threat Grows
The expanding collaboration between RansomHub and SocGholish is a wake-up call for security teams worldwide. U.S. government entities remain the primary targets, but organizations in Japan and Taiwan have also been hit.
“Organizations must treat SocGholish infections as critical events and respond swiftly to minimize the risk of backdoors, data breaches, and ransomware-driven destruction,” Trend Micro warned.
To combat this growing threat, Trend Micro recommends several security best practices:
- Deploy Extended Detection and Response (XDR) solutions for broad visibility and rapid response.
- Harden endpoints by blocking suspicious executions of Windows Script Host (wscript.exe) and PowerShell, in particular script hosts launched on files in download and temp locations.
- Use Network Detection and Response (NDR) and Intrusion Prevention Systems (IPS) to monitor and analyze traffic for malicious activities.
- Implement Web Reputation Services (WRS) across endpoints and proxies to detect anomalous traffic.
- Isolate or phase out end-of-life operating systems, which are often targeted for lateral movement and data breaches.
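The wscript.exe and PowerShell hardening point above is easier to act on with a concrete detection. Below is an added Python example, not code from Trend Micro or the report, that scores Sysmon-style process-creation events for the two behaviours the FakeUpdates chain described earlier produces: a Windows Script Host process launched by Explorer, a browser or an archiver on a script sitting in a user-writable download location, and PowerShell spawned by a script host or launched with an encoded command. The event records, user names and paths are constructed; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).

```python
"""Added example (not Trend Micro's code): score Sysmon-style process-creation
events for FakeUpdates/SocGholish-style script-host abuse.  All events below
are constructed; field names mirror Sysmon Event ID 1."""

import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes a user drives interactively: a double-click on a downloaded file
# shows up here as the parent of the script host.
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
             "7zfm.exe", "winrar.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# Locations a browser download or an archive extraction ends up in.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\|\\windows\\temp\\",
    re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_encoded_flag(tok):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec."""
    t = tok.lower()
    return t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t))


def evaluate(evt):
    """Return (severity, reason) for a suspicious event, else None."""
    image = basename(evt["Image"])
    parent = basename(evt["ParentImage"])
    args = tokens(evt["CommandLine"])[1:]
    if image in SCRIPT_HOSTS:
        for a in args:
            if a.lower().endswith(SCRIPT_EXT) and USER_WRITABLE.search(a):
                sev = "high" if parent in LAUNCHERS else "medium"
                return sev, f"{image} ran {a} from a user-writable path (parent {parent})"
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            return "high", f"{image} spawned by script host {parent}"
        if any(is_encoded_flag(a) for a in args):
            return "medium", f"{image} launched with an encoded command (parent {parent})"
    return None


def scan(events):
    """Run evaluate() over a list of events; return alerts with their index."""
    alerts = []
    for i, evt in enumerate(events):
        hit = evaluate(evt)
        if hit:
            alerts.append({"index": i, "severity": hit[0], "reason": hit[1]})
    return alerts


# Constructed events.  'SQBFAFgA' is base64 of UTF-16LE "IEX", stand-in for
# a real encoded stager.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Update.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'cscript.exe //nologo "C:\Program Files\Vendor\inventory.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\jdoe\AppData\Local\Temp\tmp8F2.js"'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["index"], alert["severity"], alert["reason"])
```

Events 0 and 1 are the FakeUpdates sequence (downloaded script run by Explorer, then PowerShell from the script host); event 4 is the same script-host pattern from a non-interactive parent, scored lower because a scheduled task or login script can look identical. Detection is not prevention: the same conditions map directly onto an AppLocker or WDAC rule that denies wscript.exe and cscript.exe for scripts under Downloads and Temp, which stops the double-click on a fake "update" before any telemetry is needed.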
With ransomware attacks growing in complexity and scale, organizations must stay vigilant, adopting a proactive security posture to protect sensitive data and critical infrastructure.