SocGholish: A Swift, Team-Driven Battle Against a Deceptive Cyber Threat

On March 1, 2025, a high-priority security incident was promptly addressed by the Security Operations Center (SOC) team after detecting a suspicious connection to a website affiliated with the SocGholish campaign. This event highlighted the persistence of cybercriminals and underscored the critical importance of maintaining a robust security infrastructure, including continuous 24/7 monitoring.
What Happened?
A user inadvertently visited a website masquerading as a legitimate Google Chrome update, triggering malicious JavaScript that performed system checks and used WMI calls for reconnaissance. Once the visitor was confirmed to be on a Windows device, the user was prompted to download a fake browser update, which attempted to establish communication with a known Evil Corp (Indrik Spider) Command & Control server. Prompt containment measures included isolating the affected workstation, blocking suspicious domains and file hashes, and reinforcing endpoint controls. This incident underscores the importance of ongoing user awareness training, robust endpoint detection, careful file download policies, and a multi-layered security strategy to prevent similar threats.
How Was It Addressed?
Incident Response and Containment
The SOC promptly detected malicious software tied to SocGholish, triggering an immediate and comprehensive containment effort aimed at preventing lateral movement. The Incident Response (IR) team swiftly classified and blocked known malicious IP addresses, domains, and file hashes at the firewall level, while blacklisting additional indicators of compromise (IOCs) to guard against future intrusion. Upon discovering that the device was compromised, the team isolated it from the corporate network to mitigate any further spread. These swift and strategic actions contained the attack within a few hours and kept response metrics such as Mean Time to Detect (MTTD), Mean Time to Acknowledge (MTTA), and Mean Time to Respond (MTTR) low, thanks to continuous monitoring and rapid collaboration with on-call responders. A subsequent network-wide correlation of traffic from the infected device revealed no signs of additional suspicious behavior or repeated attempts at lateral movement. No matching file hashes or communication with the previously identified Command & Control domain were detected across other systems, nor any broader impact.
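A network-wide correlation sweep of the kind described above, added here as an example and not the SOCcare team's own tooling: it refangs the IOCs from this report and checks proxy-log lines for contacts with the listed domains (or any subdomain of them), the C2 IP, or downloads matching the listed SHA-256 hashes. The log format, workstation names and log content are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# IOCs as published in the report above, defanged with [.] so they are not clickable.
DEFANGED_DOMAINS = ["rednosehorse[.]com", "virtual.urban-orthodontics[.]com", "apiexplorerzone[.]com"]
DEFANGED_IPS = ["46[.]173[.]214[.]32"]
SHA256_HASHES = {
    "e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214",
    "274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973",
    "ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a",
    "fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b",
    "d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

def matching_domain(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Constructed sample proxy log in an assumed format (not data from the incident):
# <timestamp> <source host> <destination host> <destination IP> <sha256 of downloaded file, or ->
SAMPLE_PROXY_LOG = """\
2025-03-01T09:14:02Z WS-0142 update.rednosehorse.com 46.173.214.32 e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214
2025-03-01T10:02:11Z WS-0077 cdn.example.org 198.51.100.5 274EFB6BB2F95DEB7C7F8192919BF690D69C3F3A441C81FE2A24284D5F274973
2025-03-01T11:45:30Z WS-0310 apiexplorerzone.com 203.0.113.7 -
2025-03-01T12:00:00Z WS-0099 notrednosehorse.com 203.0.113.8 -
"""

def correlate(log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each source host to the sorted, de-duplicated IOC matches seen in its traffic."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, src, dst_host, dst_ip, sha256 = parts
        ioc = matching_domain(dst_host)
        if ioc:
            hits[src].add("domain:" + ioc)
        if dst_ip in IOC_IPS:
            hits[src].add("ip:" + dst_ip)
        if sha256.lower() in SHA256_HASHES:  # hashes are compared case-insensitively
            hits[src].add("sha256:" + sha256.lower())
    return {src: sorted(found) for src, found in hits.items()}
```

Hosts that appear in the result are candidates for the same isolation and review applied to the original workstation; `notrednosehorse.com` is deliberately not matched, since only exact domains or true subdomains count.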
Lessons Learned and Improvements
To enhance future defences, several measures were implemented post-incident:
◾ Traffic Monitoring Dashboard: A new, dedicated dashboard was developed to give the SOC team better visibility into network traffic and detect anomalies in real time.
◾ Enhanced Detection Rules: Additional detection mechanisms were designed and deployed to identify brute-force attempts more efficiently.
◾ Proactive Defence Strategies: Lessons learned from this incident will be used to strengthen policies, improve incident playbooks, and refine SOC protocols.
Conclusion
The recent occurrence underscores the crucial importance of collaboration and continuous advancement in information security. Thanks to a prompt reaction and cohesive effort from the Security Operations Center and Incident Response personnel, the impact was minimized and further consequences were averted. By integrating these newly introduced protective strategies, we are now better fortified against similar challenges going forward.
The SOCcare project is co-funded by the European Union, alongside our collaborators University POLITEHNICA of Bucharest and NRD Cyber Security, and supported by the European Cybersecurity Competence Centre (ECCC) under Grant Agreement No. 101145843.
IOC List
Domains | Hashes (SHA-256) | IPs |
rednosehorse[.]com | e1202c017c76e06bfa201ad6eb824409c2529e887bdaf128fc364bdbc9e1e214 | 46[.]173[.]214[.]32 |
virtual.urban-orthodontics[.]com | 274efb6bb2f95deb7c7f8192919bf690d69c3f3a441c81fe2a24284d5f274973 | |
apiexplorerzone[.]com | ca172f8d36326fc0b6adef9ea98784fd216c319754c5fc47aa91fce336c7d79a | |
| fbccc8952710a8a50655f4fe3a880c8373411b7ec40e54aabd7eaff3f1d0137b | |
| d34c95c0563c8a944a03ee1448f0084dfb94661c24e51c131541922ebd1a2c75 | |