{"id":46044,"date":"2022-04-05T00:00:00","date_gmt":"2022-04-05T00:00:00","guid":{"rendered":"urn:uuid:9c32abc9-3f84-6d80-b96a-b9fd5f50a821"},"modified":"2022-04-05T00:00:00","modified_gmt":"2022-04-05T00:00:00","slug":"thwarting-loaders-from-socgholish-to-blisters-lockbit-payload","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/","title":{"rendered":"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/thwarting-loaders-from-socgholish-to-blisters-lockBit-payload.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.952940279155\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"202515269\">\n<div 
class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"11.273026315789\">\n<div class=\"article-details\" role=\"heading\" readability=\"42.151315789474\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.<\/p>\n<p class=\"article-details__author-by\">By: Earle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman Sharshar, Lucas Silva <time class=\"article-details__date\">April 05, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.964028776978\">\n<div readability=\"40.115107913669\">\n<p>The Trend Micro<sup>TM<\/sup> Managed XDR team has made a series of discoveries involving the BLISTER loader and SocGholish. We observed SocGholish operating quietly with low detection rates, and a BLISTER loader sample that threat actors used to drop a LockBit payload. Close monitoring and prompt response in both cases prevented the payloads from being delivered.<\/p>\n<p>Both <a href=\"https:\/\/www.elastic.co\/blog\/elastic-security-uncovers-blister-malware-campaign\" target=\"_blank\" rel=\"noopener\">BLISTER<\/a> and <a href=\"https:\/\/digital.nhs.uk\/cyber-alerts\/2021\/cc-3917#:~:text=SocGholish%20is%20an%20advanced%20delivery,malware%2C%20including%20ransomware%20and%20RATs.\" target=\"_blank\" rel=\"noopener\">SocGholish<\/a> are loaders known for the stealth and evasion tactics they use to deliver damaging payloads. 
Notably, the two have been used in <a href=\"https:\/\/redcanary.com\/blog\/intelligence-insights-january-2022\/\" target=\"_blank\" rel=\"noopener\">campaigns together<\/a>, with SocGholish dropping BLISTER as a second-stage loader. Combined, the two loaders aim to evade detection and suspicion while dropping and executing payloads, in this case LockBit. Our investigation follows what these loaders are capable of if they are not stopped at the outset.<\/p>\n<p><span class=\"body-subhead-title\">SocGholish infrastructure<\/span><\/p>\n<p>SocGholish has been around longer than BLISTER and is well established among threat actors for its delivery framework. Reports <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/wastedlocker-ransomware-us\" target=\"_blank\" rel=\"noopener\">show<\/a> that threat actors have used its attack framework since at least 2020.<\/p>\n<p>Our investigation began when the Trend Micro Managed XDR threat hunting team flagged activity from one endpoint. Further investigation uncovered more beneath the surface.<\/p>\n<p>In this case, the user had unknowingly accessed a compromised legitimate website, which prompted a drive-by download of a malicious file onto their system. This distribution method is a distinct marker of SocGholish.<\/p>\n<p>The downloaded zip file (C:\\Users\\victim\\Downloads\\download.1313a9.zip) contained the malicious JavaScript file Chrome.Update.1313a9.js, which masquerades as a browser update. The script is obfuscated. 
Thankfully, user execution is still required for this threat to proceed.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/Figure%201%20socgholish%20blister.png\" alt=\"Figure 1. Code snippet of the JavaScript\"><figcaption>Figure 1. Code snippet of the JavaScript<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>When the script is executed, the malware connects to its command-and-control (C&amp;C) domain and runs several discovery commands to gather information about the system, appending the output of each command to a file with a .tmp extension.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%202%20socgholish%20blister.png\" alt=\"Figure 2. PRCA of the discovery commands execution as seen in Trend Micro Vision One\u2122\"><figcaption>Figure 2. 
PRCA of the discovery commands execution as seen in Trend Micro Vision One\u2122<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The executed commands as seen in Figure 2 are as follows:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C net group &#8220;domain admins&#8221; \/domain &gt;&gt;&nbsp;&#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad613A2.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C cmdkey \/list &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\radF9A30.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C net user victim \/domain &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad6FDE0.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C nltest \/domain_trusts &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad8B102.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C cmdkey \/list &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad2A57D.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C nltest \/dclist: &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad3FBC3.tmp&#8221;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/C whoami \/all &gt;&gt; &#8220;C:\\Users\\victim\\AppData\\Local\\Temp\\rad95E90.tmp&#8221;<\/span><\/li>\n<\/ul>\n<p>The malware then drops an additional .js file that executes a few other discovery commands. Finally, it downloads and executes the Cobalt Strike beacon, which is used to execute remote commands. 
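As an added example, not code from the original report, the Python below turns the discovery commands listed above into a detection. It matches each reconnaissance command, extracts the rad*.tmp file under %Temp% that the output was appended to, and flags a host when at least three distinct commands run within a five-minute window. The telemetry layout (host, time, command line), the five-minute window, the three-command threshold, and the sample events are all assumptions made for the example; the WS01 command lines are modelled on Figure 2.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The discovery commands quoted in the article, keyed by what the operator learns from each.
DISCOVERY_RULES = {
    "domain_admin_members": re.compile(r'\bnet\s+group\s+"?domain admins"?\s+/domain\b', re.I),
    "user_domain_details":  re.compile(r"\bnet\s+user\s+\S+\s+/domain\b", re.I),
    "domain_trusts":        re.compile(r"\bnltest\s+/domain_trusts\b", re.I),
    "domain_controllers":   re.compile(r"\bnltest\s+/dclist:", re.I),
    "stored_credentials":   re.compile(r"\bcmdkey\s+/list\b", re.I),
    "token_privileges":     re.compile(r"\bwhoami\s+/all\b", re.I),
}
# Output appended to %LocalAppData%\Temp\rad<hex>.tmp, the staging pattern visible in Figure 2.
TEMP_REDIRECT = re.compile(
    r'>>\s*"?((?:[a-z]:)?[^"\s]*\\appdata\\local\\temp\\rad[0-9a-f]+\.tmp)', re.I)


def match_discovery(cmdline):
    """Return (rule_name, staged_output_path_or_None) for a recon command line, else None."""
    for name, rx in DISCOVERY_RULES.items():
        if rx.search(cmdline):
            m = TEMP_REDIRECT.search(cmdline)
            return name, (m.group(1) if m else None)
    return None


def detect_discovery_bursts(events, min_rules=3, window=timedelta(minutes=5)):
    """Flag hosts where >= min_rules distinct recon commands ran within `window`.

    events: iterable of {"host", "time" (datetime), "cmdline"} (assumed telemetry shape).
    Returns {host: {"rules", "staged_files", "all_staged_to_temp", "first_seen", "last_seen"}}.
    """
    per_host = def_hits = defaultdict(list)
    for ev in events:
        hit = match_discovery(ev["cmdline"])
        if hit:
            per_host[ev["host"]].append((ev["time"], hit[0], hit[1]))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for start, _, _ in hits:                       # sliding window over this host's hits
            span = [h for h in hits if start <= h[0] <= start + window]
            rules = sorted({h[1] for h in span})
            if len(rules) >= min_rules:
                alerts[host] = {
                    "rules": rules,
                    "staged_files": sorted({h[2] for h in span if h[2]}),
                    "all_staged_to_temp": all(h[2] for h in span),
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                }
                break
    return alerts


def _ev(host, ts, cmdline):
    return {"host": host, "time": datetime.fromisoformat(ts), "cmdline": cmdline}


# Constructed process-creation telemetry: WS01 replays the article's command lines;
# ADMIN01 is an administrator running two unrelated commands hours apart.
SAMPLE_EVENTS = [
    _ev("WS01", "2022-01-19T10:02:11", r'"C:\Windows\System32\cmd.exe" /C net group "domain admins" /domain >> "C:\Users\victim\AppData\Local\Temp\rad613A2.tmp"'),
    _ev("WS01", "2022-01-19T10:02:12", r'"C:\Windows\System32\cmd.exe" /C cmdkey /list >> "C:\Users\victim\AppData\Local\Temp\radF9A30.tmp"'),
    _ev("WS01", "2022-01-19T10:02:13", r'"C:\Windows\System32\cmd.exe" /C net user victim /domain >> "C:\Users\victim\AppData\Local\Temp\rad6FDE0.tmp"'),
    _ev("WS01", "2022-01-19T10:02:14", r'"C:\Windows\System32\cmd.exe" /C nltest /domain_trusts >> "C:\Users\victim\AppData\Local\Temp\rad8B102.tmp"'),
    _ev("WS01", "2022-01-19T10:02:15", r'"C:\Windows\System32\cmd.exe" /C cmdkey /list >> "C:\Users\victim\AppData\Local\Temp\rad2A57D.tmp"'),
    _ev("WS01", "2022-01-19T10:02:16", r'"C:\Windows\System32\cmd.exe" /C nltest /dclist: >> "C:\Users\victim\AppData\Local\Temp\rad3FBC3.tmp"'),
    _ev("WS01", "2022-01-19T10:02:17", r'"C:\Windows\System32\cmd.exe" /C whoami /all >> "C:\Users\victim\AppData\Local\Temp\rad95E90.tmp"'),
    _ev("ADMIN01", "2022-01-19T09:00:00", r'cmd.exe /c whoami /all'),
    _ev("ADMIN01", "2022-01-19T11:30:00", r'cmd.exe /c nltest /dclist:'),
]

if __name__ == "__main__":
    for host, alert in detect_discovery_bursts(SAMPLE_EVENTS).items():
        print(host, alert["rules"], "staged output files:", *alert["staged_files"], sep="\n  ")
```

The returned staged_files list is worth collecting before a host is reimaged, since those files hold exactly what the operator learned about the domain. ADMIN01 runs two of the same commands hours apart and is not flagged, which is the kind of administrator noise a raw per-command rule would alert on. 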
Besides the scripts described above, a few other scripts were dropped, but the product mitigated them immediately.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%203%20socgholish%20blister.png\" alt=\"Figure 3. Vision One showing the deployment of JavaScript and Cobalt Strike\"><figcaption>Figure 3. Vision One showing the deployment of JavaScript and Cobalt Strike<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.086419753086\">\n<div class=\"responsive-table-wrap\" readability=\"18.530864197531\">\n<p><span class=\"body-subhead-title\">Low detections of Cobalt Strike and the BLISTER connection<\/span><\/p>\n<p>The Cobalt Strike file was particularly interesting because, at the time of this investigation, it had a low detection rate. We wanted to see why that was and what evasion tactics it employed.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody>\n<tr>\n<th scope=\"col\">Date<\/th>\n<th scope=\"col\">Detections<\/th>\n<\/tr>\n<tr>\n<td>Jan 19, 2022<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Jan 20, 2022<\/td>\n<td>3<\/td>\n<\/tr>\n<tr>\n<td>Jan 26, 2022<\/td>\n<td>3<\/td>\n<\/tr>\n<tr>\n<td>Jan 31, 2022<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Feb 7, 2022<\/td>\n<td>2<\/td>\n<\/tr>\n<tr>\n<td>Feb 10, 2022<\/td>\n<td>2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1. VirusTotal detection history (number of engines flagging the file)<\/p>\n<p>Further investigation showed that the Cobalt Strike file was a <a href=\"https:\/\/www.virustotal.com\/gui\/file\/53941f5be6753cbdd535b7608e852ea34f04cd7d57cccf800f0203235f8b9bf3\/details\" target=\"_blank\" rel=\"noopener\">tampered version<\/a> of a legitimate DLL in which one export function had been modified to contain the Cobalt Strike shellcode. 
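The check a responder wants at this point is to confirm which export was patched and how. The Python below is an added example, not code from the report: a minimal pure-Python PE export-table reader (no pefile dependency) that compares each named export of a suspect DLL against a known-good copy of the same version and reports exports whose entry RVA moved, whose first bytes changed, or that were added or removed. The two DLL images it runs on are constructed stand-ins built by the helper in the block, with a few harmless x86-64 instructions in place of real code; WIMDeleteImageMounts and WIMCreateFile are real wimgapi.dll export names used only for illustration.

```python
import struct

# Minimal pure-Python PE export-table reader; no third-party pefile dependency.

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_exports(data):
    """Return (sections, {export_name: entry_rva}) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    export_rva = struct.unpack_from("<I", data, datadir)[0]  # directory entry 0: exports
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    exports = {}
    if export_rva:
        ed = _rva_to_offset(sections, export_rva)
        n_names, funcs, names, ords = struct.unpack_from("<IIII", data, ed + 24)
        funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs, names, ords))
        for i in range(n_names):
            name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
            ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
            off = _rva_to_offset(sections, name_rva)
            name = data[off:data.index(b"\x00", off)].decode()
            exports[name] = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
    return sections, exports


def diff_exports(original, suspect, prologue=16):
    """Compare every named export of a suspect DLL against a known-good copy of the same version.
    A patched export (code replaced by a stager) shows up as a prologue difference even when
    the export table itself looks untouched."""
    o_secs, o_exp = parse_exports(original)
    s_secs, s_exp = parse_exports(suspect)
    findings = []
    for name in sorted(o_exp):
        if name not in s_exp:
            findings.append((name, "export removed"))
            continue
        o_rva, s_rva = o_exp[name], s_exp[name]
        if o_rva != s_rva:
            findings.append((name, f"entry RVA moved {o_rva:#x} -> {s_rva:#x}"))
            continue
        o_off, s_off = _rva_to_offset(o_secs, o_rva), _rva_to_offset(s_secs, s_rva)
        if original[o_off:o_off + prologue] != suspect[s_off:s_off + prologue]:
            findings.append((name, "function prologue differs"))
    findings += [(name, "new export") for name in sorted(set(s_exp) - set(o_exp))]
    return findings


def build_test_dll(functions):
    """Constructed test input: a minimal PE32+ DLL with one .text section that holds the
    export directory and the given {name: code bytes}. Not a real wimgapi.dll."""
    text_va, text_raw, n = 0x1000, 0x400, len(functions)
    names = sorted(functions)
    funcs_off, names_off, ords_off = 40, 40 + 4 * n, 40 + 8 * n
    str_off = ords_off + 2 * n
    strings, name_rvas = bytearray(b"wimgapi.dll\x00"), []
    for nm in names:
        name_rvas.append(text_va + str_off + len(strings))
        strings += nm.encode() + b"\x00"
    code_off = (str_off + len(strings) + 15) & ~15
    code, code_rvas = bytearray(), []
    for nm in names:
        code_rvas.append(text_va + code_off + len(code))
        code += functions[nm].ljust(16, b"\xcc")             # pad each stub to 16 bytes
    text = bytearray(code_off + len(code))
    struct.pack_into("<IIHHIIIIIII", text, 0, 0, 0, 0, 0, text_va + str_off, 1, n, n,
                     text_va + funcs_off, text_va + names_off, text_va + ords_off)
    for i in range(n):
        struct.pack_into("<I", text, funcs_off + 4 * i, code_rvas[i])
        struct.pack_into("<I", text, names_off + 4 * i, name_rvas[i])
        struct.pack_into("<H", text, ords_off + 2 * i, i)
    text[str_off:str_off + len(strings)] = strings
    text[code_off:] = code
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, text_va, 40)             # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text), text_raw,
                      0, 0, 0, 0, 0x60000020)
    image = bytearray(text_raw)
    hdr = dos + b"PE\x00\x00" + file_hdr + opt + sec
    image[:len(hdr)] = hdr
    return bytes(image + text)


# Constructed stand-ins (a few real x86-64 instructions, no shellcode). The suspect copy has the
# WIMDeleteImageMounts entry overwritten with a position-independent stub; WIMCreateFile is untouched.
CLEAN_STUB = bytes.fromhex("4883ec28 31c0 4883c428 c3")      # sub rsp,28h; xor eax,eax; add rsp,28h; ret
PATCHED_STUB = bytes.fromhex("e800000000 5b 4883c310 ffe3")  # call $+5; pop rbx; add rbx,10h; jmp rbx
RET_ONE = bytes.fromhex("b801000000 c3")                      # mov eax,1; ret
ORIGINAL_DLL = build_test_dll({"WIMDeleteImageMounts": CLEAN_STUB, "WIMCreateFile": RET_ONE})
PATCHED_DLL = build_test_dll({"WIMDeleteImageMounts": PATCHED_STUB, "WIMCreateFile": RET_ONE})

if __name__ == "__main__":
    for name, why in diff_exports(ORIGINAL_DLL, PATCHED_DLL):
        print(f"{name}: {why}")
```

Compare against the vendor binary of the same file version: a legitimate rebuild moves every RVA at once, whereas a single export whose prologue differs while its neighbours match is the signature of an in-place patch like the one in Figure 4. A whole-file hash tells you only that the DLL differs; this tells you where. 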
Modifying a legitimate DLL\u2019s export in this way is a technique we had not previously observed in SocGholish infrastructure.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%204%20socgholish%20blister.png\" alt=\"Figure 4. Comparison of the original DLL to the patched DLL\"><figcaption>Figure 4. Comparison of the original DLL to the patched DLL<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.587837837838\">\n<div readability=\"25.414414414414\">\n<p>The sample, wimgapi.dll, creates a thread that sleeps for 10 minutes before decrypting and executing its shellcode. Pausing execution this way is a well-documented <a href=\"https:\/\/attack.mitre.org\/techniques\/T1497\/003\/\" target=\"_blank\" rel=\"noopener\">defense evasion technique<\/a> aimed at sandboxes that observe a sample for only a short time.<\/p>\n<p>Before decrypting and executing the shellcode, it also performs the following actions, which establish persistence:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">It creates the folder C:\\ProgramData\\TermSvc.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">It drops C:\\ProgramData\\TermSvc\\TermSvc.exe, a copy of the binary that executes wimgapi.dll (rundll32.exe in this case), and %User Startup%\\TermSvc.lnk, a shortcut that runs the dropped rundll32.exe copy at logon.<\/span><\/li>\n<\/ul>\n<p>It then decrypts, loads, and executes the shellcode, which connects to the domain sikescomposite[.]com. It uses VirtualAlloc to allocate memory for the decrypted shellcode, VirtualProtect to make that memory executable, and CreateThread to run it in memory.<\/p>\n<p>The shellcode also resolves the API functions it needs at run time and calls them only when needed (Figure 5). 
This is another tactic that hides the shellcode\u2019s imports from static analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%205%20socgholish%20blister.png\" alt=\"Figure 5. The code for harvesting of API functions and calling them when needed\"><figcaption>Figure 5. The code for harvesting of API functions and calling them when needed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>As a Cobalt Strike stager with a malleable C&amp;C profile, wimgapi.dll behaves according to what it downloads from the contacted URL. In this incident, we observed the following after its deployment:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Account discovery<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Pass-the-hash for privilege escalation<\/span><\/li>\n<li><span class=\"rte-red-bullet\">A spawned WerFault.exe process that performs network sniffing of port 135<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Copying of browser login data<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Lateral movement by dropping Cobalt Strike copies onto remote machines<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%206%20socgholish%20blister.png\" alt=\"Figure 6. Dropping of Cobalt Strike to remote machines as seen in Vision One\"><figcaption>Figure 6. 
Dropping of Cobalt Strike to remote machines as seen in Vision One<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"49.724430549352\">\n<div readability=\"45.824475212148\">\n<p>Beyond the Cobalt Strike activity itself, one of the C&amp;C IP addresses (198[.]71[.]233[.]254) can be linked to Emotet and Dridex attacks: this address, which serves multiple JavaScript C&amp;C domains, was found hosting and dropping Emotet and Dridex samples from the end of 2021 into 2022.<\/p>\n<p>The way Cobalt Strike was used here (a tampered DLL masked as a legitimate one) is interesting because we have yet to observe it in other SocGholish campaigns. This suggests that the threat actors behind SocGholish are selling access to, or joining forces with, a third party. Another case investigated by Trend Micro Managed XDR suggests that this third party is the group behind BLISTER.<\/p>\n<p><span class=\"body-subhead-title\">From SocGholish to BLISTER and LockBit<\/span><\/p>\n<p>We also discovered the BLISTER loader, a newer malware first identified in December 2021, being used to deploy the LockBit <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware\">ransomware<\/a>. BLISTER may be delivered through malicious installers, specifically via the SocGholish framework, and can carry an embedded Cobalt Strike or BitRAT payload in its resource section.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/ransomware-spotlight\/ransomware-spotlight-lockbit\">LockBit<\/a> is a <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/ransomware-as-a-service-raas\">ransomware-as-a-service<\/a> (RaaS) operation and one of the most active ransomware groups today. The gang is known for its sophisticated malware and strong affiliate network. 
It typically gains entry through unauthorized access to internet-facing infrastructure.<\/p>\n<p>The MDR team also found that recent detections involved BLISTER, which borrows SocGholish\u2019s tactic of fake browser updates to drop malicious files. BLISTER also uses several techniques to avoid detection:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Valid code-signing certificates, so the loader passes as legitimately signed software<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Direct system calls, which bypass the user-mode API hooks that security products rely on<\/span><\/li>\n<li><span class=\"rte-red-bullet\">A 10-minute delay before executing its code, to outlast sandbox analysis<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Injection of the payload into a legitimate process such as <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/werfaultexe-application-error\/5c92f613-c691-4cf1-99cd-c3f74591d0c0#:~:text=The%20werfault.exe%20is%20used,to%20receive%20information%20about%20solutions.\">werfault.exe<\/a>, and renamed copies of legitimate binaries such as rundll32.exe, to stay under the radar<\/span><\/li>\n<\/ul>\n<p>The file ssql.exe was dropped, most likely through SocGholish\u2019s drive-by download scheme. This file is a dropper built with the Nullsoft Scriptable Install System (NSIS), an open-source tool for creating Windows installers, as seen in Figure 7.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%207%20socgholish%20blistera.png\" alt=\"Figure 7. The ssql.exe dropper created through NullSoft\"><figcaption>Figure 7. 
The ssql.exe dropper created with NSIS<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Once ssql.exe is executed, it drops a BLISTER loader sample to %Temp%\\wimgapi_64\\wimgapi.dll, loads the DLL in memory, and calls its export WIMDeleteImageMounts.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%208%20socgholish%20blister.png\" alt=\"Figure 8. BLISTER is dropped.\"><figcaption>Figure 8. BLISTER is dropped.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%209%20socgholish%20blister.png\" alt=\"Figure 9. WIMDeleteImageMounts is executed.\"><figcaption>Figure 9. WIMDeleteImageMounts is executed.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The DLL decodes the shellcode stored in its RCData resource and executes it. As in the SocGholish case, the shellcode sleeps for 10 minutes and then decrypts and decompresses the Cobalt Strike beacon.<\/p>\n<p>Vision One generated an image (Figure 10) of the infection chain based on our samples.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%2010%20socgholish%20blister.png\" alt=\"Figure 10. Image of BLISTER loader\u2019s infection chain generated through Vision One \"><figcaption>Figure 10. 
Image of BLISTER loader\u2019s infection chain generated through Vision One <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>After the Cobalt Strike payload ran, the threat actors dropped and executed batch scripts that stop antivirus agents (KillAV) and critical services (SQL, Veeam, Exchange, and others) in the environment. The script also updates the Group Policy Object (GPO) on the machine, appends the computer host name to a centralized text file, creates a scheduled task named \u201cupdater\u201d that runs the batch file on startup, and finally clears the Windows event logs.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%2011%20socgholish%20blister.png\" alt=\"Figure 11. KillAV used by the LockBit ransomware group to try to stop antivirus agents\"><figcaption>Figure 11. KillAV used by the LockBit ransomware group to try to stop antivirus agents<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/figure%2012%20socgholish%20blister.png\" alt=\"Figure 12. Batch script used by the LockBit ransomware group to stop critical services and third-party antivirus software\"><figcaption>Figure 12. 
Batch script used by the LockBit ransomware group to stop critical services and third-party antivirus software<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.996056523168\">\n<div readability=\"38.166940519224\">\n<p>Had the chain reached this point, the LockBit sample would ultimately have been executed. Our detections of the domains created and the SocGholish certificates used suggest that the campaign began in November 2021 and has persisted to the present.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>These investigations gave us the opportunity to learn more about SocGholish and the BLISTER loader, and they highlight the continued evolution of threats built to evade detection. Notably, we observed evasive tactics such as disguising a tampered DLL as a legitimate one and delaying shellcode execution with a sleep. Organizations should also note the continuing use of Cobalt Strike against victim environments and of living-off-the-land binaries (LOLBins) to blend in with normal activity.<\/p>\n<p>In these cases, close monitoring and prompt detection prevented the chain described here from running to completion. Early containment and mitigation are essential to cut off more damaging attacks that compromise environments, steal data, or deploy ransomware.<\/p>\n<p>Organizations should remain vigilant and ensure that they have solid cybersecurity measures in place. These additional security recommendations can also help them protect their assets from modern ransomware threats like LockBit:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Enabling multifactor authentication (MFA) can prevent malicious actors from compromising user accounts as part of their infiltration process.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Users should be wary of opening unverified emails. 
Embedded links should never be clicked and attached files should never be opened without proper precautions and verification, as these can kick-start the ransomware installation process.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations should always adhere to the <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/virtualization-and-cloud\/best-practices-backing-up-data\">3-2-1 rule<\/a>: keep three copies of the data on two different storage media, with one copy in a separate location.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Patching and updating software and other systems as soon as possible can address exploitable vulnerabilities that can lead to a ransomware infection.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations can better protect themselves from ransomware attacks by implementing multilayered security setups that combine automated detection of files and other indicators with constant monitoring for the presence of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021\">weaponized legitimate tools<\/a> in their IT environment.<\/span><\/li>\n<\/ul>\n<p>New malware techniques are bound to emerge as threat actors attempt to breach more systems. Organizations can defend themselves against such threats by using multilayered detection and response solutions such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\">Trend Micro Vision One\u2122<\/a>, a purpose-built threat defense platform that provides added value and new benefits beyond extended detection and response (XDR) solutions. 
This technology provides powerful XDR capabilities that collect and automatically correlate data across multiple security layers \u2014 email, endpoints, servers, cloud workloads, and networks \u2014 to prevent attacks via automated protection while also ensuring that no significant incidents go unnoticed.<\/p>\n<p>A list of the indicators of compromise (IOCs) can be found <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/iocs-from-socgholish-to-blisters-lockbit-payload.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/d\/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":46045,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9539,9509],"class_list":["post-46044","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-05T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/thwarting-loaders-from-socgholish-to-blisters-lockBit-payload.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload\",\"datePublished\":\"2022-04-05T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/\"},\"wordCount\":2021,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/\",\"name\":\"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png\",\"datePublished\":\"2022-04-05T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png\",\"width\":1195,\"height\":882},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"Lis
tItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/","og_locale":"en_US","og_type":"article","og_title":"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-04-05T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/d\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/thwarting-loaders-from-socgholish-to-blisters-lockBit-payload.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload","datePublished":"2022-04-05T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/"},"wordCount":2021,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/04\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/","url":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/","name":"Thwarting Loaders: From SocGholish to BLISTER\u2019s LockBit Payload 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/04\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png","datePublished":"2022-04-05T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/04\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/04\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload.png","width":1195,"height":882},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Thwarting Loaders: 
From SocGholish to BLISTER\u2019s LockBit Payload"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threats
hub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46044","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46044"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46044\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/46045"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}