TDS services tapped by SocGholish malware operators

Intrusions involving the SocGholish malware, also known as FakeUpdates, have been facilitated by the TA569 threat operation, also known as Mustard Tempest, Gold Prelude, Purple Vallhund, and UNC1543, through the traffic distribution systems Parrot TDS and Keitaro TDS, according to The Hacker News.

Aside from leveraging breached websites, both Parrot TDS and Keitaro TDS have also been used by TA569 to direct traffic to malicious websites that inject the SocGholish payload, findings from a Silent Push report showed. "It is essential to note that across the execution framework, from the initial SocGholish injection to the on-device execution of the Windows implant, the entire process is continuously tracked by SocGholish's C2 framework. If, at any time, the framework determines that a given victim is not 'legitimate,' it will stop the serving of a payload," said the researchers, who also suspected that TA569 includes members previously part of the Dridex and Raspberry Robin operations.

These findings follow separate reports from Zscaler and Palo Alto Networks Unit 42 researchers detailing a more advanced iteration of Raspberry Robin and increasingly sophisticated DarkCloud Stealer attacks, respectively.
