Full Report
2025-02-15 • Medium TRAC Labs • TRAC Labs • js.fakeupdates
Analysis Summary
The provided article description is extremely limited. Stripped of the Malpedia page navigation, it contains only the library entry metadata: title "Don’t Ghost the SocGholish: GhostWeaver Backdoor", dated 2025-02-15; Author(s): [TRAC Labs](https://malpedia.caad.fkie.fraunhofer.de/library?search=TRAC%20Labs); Organization: [Medium TRAC Labs](https://malpedia.caad.fkie.fraunhofer.de/library?search=Medium%20TRAC%20Labs); malware family: [js.fakeupdates](https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates); [Open article directly](https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983).
Based *only* on this title and context, the summary must focus on the main subject: the **GhostWeaver Backdoor**, which is associated with the **SocGholish** campaign and tagged with the **js.fakeupdates** family. Since no detailed technical information is available, the sections below mark every unsupported field as a placeholder and infer only what follows from the malware's name and its SocGholish context.
# Tool/Technique: GhostWeaver Backdoor (Associated with SocGholish)
## Overview
GhostWeaver is a backdoor observed in activity linked to the SocGholish campaign. It is likely delivered or deployed using components related to `js.fakeupdates`. Its primary purpose is maintaining persistence and providing access for threat actors.
## Technical Details
- Type: Malware Family (Backdoor)
- Platform: Likely Windows, given the typical scope of SocGholish, but specific target platforms are not detailed in the context.
- Capabilities: Remote access, persistence, execution of commands (inferred for a backdoor).
- First Seen: The article reference date is 2025-02-15, which may refer to the publication date, not the malware's first appearance.
## MITRE ATT&CK Mapping
*Note: Specific mappings require the full article content. The following are inferred based on the nature of a backdoor.*
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution
## Functionality
### Core Capabilities
- Establishing persistent remote access to the compromised host.
- Communication with external Command and Control (C2) infrastructure.
### Advanced Features
- Unknown based on the provided context. Likely involves obfuscation or evasion techniques typical of modern backdoors.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context. Associated with `js.fakeupdates` activity.]
- Registry Keys: [Not provided in the context]
- Network Indicators: [Not provided in the context. Communication channels are inferred.]
- Behavioral Indicators: [Not provided in the context]
## Associated Threat Actors
- Associated with campaigns distributing the **SocGholish** payload.
## Detection Methods
- Signature-based detection: [Requires knowledge of malware signatures or hashes.]
- Behavioral detection: [Detecting command-and-control beaconing or suspicious download activity associated with SocGholish delivery chains.]
- YARA rules: [Not provided in the context]
## Mitigation Strategies
- Patching and updating systems to mitigate initial access vectors used by SocGholish (often phishing/malvertising).
- Implementing robust egress filtering to prevent communication with known C2 infrastructure.
- Application whitelisting to prevent unauthorized payload execution.
## Related Tools/Techniques
- **SocGholish:** The distribution campaign associated with this backdoor.
- **js.fakeupdates:** Component mentioned in the context, likely related to obfuscated JavaScript used for delivery.