SocGholish Malware Compromised and Infected Hundreds of News Sites in the US

Proofpoint researchers have discovered a large-scale compromise of American news sites: media outlets are being used to deliver the malware known as SocGholish.

As a reminder, we previously wrote that Researchers Found That the Media Industry Is Most Vulnerable to Cyberattacks.


The attackers use the compromised infrastructure of an unnamed media company to deploy the malicious JavaScript framework SocGholish (also known as FakeUpdates) on media sites, the researchers said.

"The media company in question is a firm that provides both video content and advertising to major news outlets. It serves many different companies in different markets in the United States," explains Sherrod DeGrippo, Vice President of Research and Threat Detection at Proofpoint.

The publication Bleeping Computer, with which the researchers shared their findings, writes that experts track the hacker group behind these attacks as TA569.

Hackers injected malicious code into a harmless JavaScript file that is loaded by news sites. This file is then used to install SocGholish, which infects visitors to compromised sites with various malware, usually disguised as fake browser updates distributed as ZIP archives (for example,,,, Opera,

Obfuscated Malicious JavaScript

"Proofpoint Threat Research has found systematic injections affecting a media company that serves many major news outlets. This media company delivers content to its partners via JavaScript," the Proofpoint Threat Insight team tweeted.

According to analysts, in total, malware was installed on the websites of more than 250 US news agencies, some of which are large and well-known organizations (the names of the affected resources were not disclosed). Although the total number of media outlets affected is not known, Proofpoint says that among the victims of this campaign are leading publications from New York, Boston, Chicago, Miami, Washington and so on.

The researchers say that the TA569 group has previously used media to spread SocGholish, and this malware could eventually lead to subsequent infections, including ransomware attacks.

"The situation needs to be closely monitored as we have observed that TA569 is re-infecting the same victims just a few days after recovery," the company warns.
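Because the injected code arrives inside a partner's script and TA569 has re-infected victims days after cleanup, a site operator can re-run a check like the one below on a schedule. It is an added example, not code from Proofpoint or from this article; the hostnames, script bodies and function names are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_digest(content: bytes) -> str:
    """Return the Subresource Integrity value (sha384) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> in a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, site_host: str, baseline: dict, fetched: dict) -> list:
    """Flag third-party scripts that lack SRI or differ from the pinned digest.

    baseline: url -> digest recorded when the script was last reviewed
    fetched:  url -> bytes currently served (retrieved by the caller)
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == site_host:
            continue  # first-party or relative script: out of scope here
        if integrity is None:
            findings.append((src, "no-integrity-attribute"))
        if src in fetched and src in baseline and sri_digest(fetched[src]) != baseline[src]:
            findings.append((src, "content-changed-since-baseline"))
    return findings


# Constructed sample data: hostnames and script bodies are placeholders.
PARTNER_JS = "https://cdn.media-partner.example/player.js"
REVIEWED = b"function loadPlayer(){/* video player */}"
SERVED = REVIEWED + b";/* code appended after review */"
PAGE = f'<html><head><script src="{PARTNER_JS}"></script><script src="/static/app.js"></script></head></html>'
BASELINE = {PARTNER_JS: sri_digest(REVIEWED)}
```

Partner scripts that change legitimately will also trip the digest comparison, so a finding is a prompt to review the new content rather than proof of compromise.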

Previously, SocGholish was used by the notorious Russian-speaking group Evil Corp, and the malware campaign discovered in 2020 was very similar to the current one. At that time, more than 30 large companies in the United States were infected with malware distributed through fake warnings about the need to update software, sent through dozens of compromised American newspaper websites. Machines infected in this way were later used as an entry point into corporate networks, where the attackers deployed the WastedLocker ransomware.

In addition, Microsoft recently discovered the use of SocGholish in the networks of companies infected with the Raspberry Robin worm.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
