Hundreds of U.S. news sites push malware in supply-chain attack


Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S.

“The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,” Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer.

The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets’ websites.

This malicious JavaScript file is used to install SocGholish, which will infect those who visit the compromised websites with malware payloads camouflaged as fake browser updates delivered as ZIP archives (e.g., Chromе.Uрdatе.zip,, Firefoх.Uрdatе.zip, Operа.Updа, via fake update alerts.

“Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via Javascript to its partners,” Proofpoint’s Threat Insight team revealed today in a Twitter thread.

“By modifying the codebase of this otherwise benign JS, it is now used to deploy SocGholish.”

Malicious JavaScript file obfuscated contentsMalicious JavaScript file obfuscated contents (BleepingComputer)

In total, the malware has been installed on sites belonging to more than 250 U.S. news outlets, some of them being major news organizations, according to security researchers at enterprise security firm Proofpoint.

While the total number of impacted news organizations is currently unknown, Proofpoint says it knows of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, D.C., and more.

“TA569 has previously leveraged media assets to distribute SocGholish, and this malware can lead to follow-on infections, including potential ransomware,” DeGrippo also told BleepingComputer.

“The situation needs to be closely monitored, as Proofpoint has observed TA569 reinfect the same assets just days after remediation.”

Link to ransomware attacks

Proofpoint has previously observed SocGholish campaigns using fake updates and website redirects to infect users, including, in some cases, ransomware payloads.

The Evil Corp cybercrime gang also used SocGholish in a very similar campaign to infect the employees of more than 30 major U.S. private firms via fake software update alerts delivered via dozens of compromised U.S. newspaper websites.

The infected computers were later used as a stepping point into the employers’ enterprise networks in attacks attempting to deploy the gang’s WastedLocker ransomware.

Luckily, Symantec revealed in a report that it blocked Evil Corp’s attempts to encrypt the breached networks in attacks targeting multiple private companies, including 30 U.S. corporations, eight of them Fortune 500 companies.

SocGholish has also recently been used to backdoor networks infected with the Raspberry Robin malware in what Microsoft described as Evil Corp pre-ransomware behavior.

Update November 02, 18:22 EDT: Added Proofpoint statement.


  • AZeed Photo AZeed – 5 days ago

    Why not mention this media company name so that no one visits their websites until everything is fine again?

  • woody188 Photo woody188 – 13 hours ago

    “Why not mention this media company name so that no one visits their websites until everything is fine again?”

    Obviously their money is far more important than your safety. Besides, you won’t fall for fake updates from a browser pop up, will you?

    No mention that a simple browser plugin like uBlock Origin will stop these attacks. Gotta make the Benjamins!

  • 14547438 Photo 14547438 – 3 days ago

    Read the article.

    It isn’t the media company that you’ll be visiting. It’s their customers, the news sites.

  • AZeed Photo AZeed – 3 days ago

    “Read the article.
    It isn’t the media company that you’ll be visiting. It’s their customers, the news sites.”

    I know, what are these sites?

  • jkr4m3r Photo jkr4m3r – 3 days ago


  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.17 4M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 21,569 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 51,719 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 303,419 Downloads


Related posts

GodFather Android malware targets 400 banks, crypto exchanges

Sarah Henriquez

Mozilla Firefox fixes freezes caused by new Windows 11 feature

Sarah Henriquez

LockBit ransomware goes ‘Green,’ uses new Conti-based encryptor

Sarah Henriquez

Leave a Comment