December 2, 2023

Researchers have identified a rising trend in threat activity that employs fake browser updates to disseminate malware.

Fake browser updates are compromised websites that display fake notifications mimicking popular browsers like Chrome, Firefox, or Edge, luring users into downloading malicious software instead of legitimate updates.

A threat actor goes by the name TA569 and has been using fake browser updates for over five years to deliver SocGholish malware. Recently, other threat actors have adopted this strategy.


The threat campaigns comprise three stages: injection on a compromised website; traffic to actor-controlled domains; and payload execution on the user’s device.

These threats infiltrate websites using JavaScript or HTML-injected code to direct traffic to their controlled domains and automatically download malicious payloads.

Compromised URLs are found in various email traffic sources, including regular emails and monitoring alerts. The threats extend beyond email as users also encounter them on search engines, social media or direct site visits.


SocGholish was attributed to TA569, who observed that the threat actor employed various methods to direct traffic from compromised websites to their actor-controlled domains.

RogueRaticate/FakeSG, injects obfuscated JavaScript code into stage 1 websites and uses Keitaro TDS for payload delivery.

ZPHP/SmartApeSG leverages asynchronous requests, while ClearFake employs base64 encoded scripts and displays lures in different languages.

Oganizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.

This research was documented by researchers from proofpoint.

Leave a Reply

%d bloggers like this: