In the ever-evolving cybersecurity landscape, a new threat actor has emerged, known as FakeSG. This campaign leverages compromised WordPress sites to distribute the notorious NetSupport Remote Access Trojan (RAT). This article provides a detailed analysis of this emerging threat, its similarities with the well-known SocGholish campaign, and the potential risks it poses to the digital community.

Introducing FakeSG: A New Cybersecurity Adversary

FakeSG is a new campaign that has emerged as a potential competitor in the ‘fake updates’ landscape. It uses compromised WordPress websites to display a custom landing page that mimics the victim’s browser. The threat actors behind FakeSG distribute the NetSupport RAT either as a zipped download or via an Internet shortcut. Despite being a newcomer, FakeSG employs different layers of obfuscation and delivery techniques, making it a serious threat.

The NetSupport RAT is a malicious software that allows threat actors to gain remote access to infected computers and deliver additional payloads. This type of malware is particularly dangerous as it can lead to data theft, unauthorized system control, and the delivery of additional malware.

FakeSG vs. SocGholish: A Comparative Analysis

The tactics, techniques, and procedures (TTPs) of FakeSG bear a striking resemblance to those of the established SocGholish campaign. Both campaigns trick users into running a fake browser update, leading to the installation of the NetSupport RAT. However, there are key differences that set FakeSG apart.

Firstly, FakeSG uses different browser templates depending on the victim’s browser. These themed “updates” are professionally designed and are more up-to-date than those used by SocGholish. Secondly, the template source code and payload delivery infrastructure of FakeSG are quite different from SocGholish, leading to its identification as a separate variant.

The Modus Operandi of FakeSG

FakeSG operates by injecting a code snippet into compromised websites, primarily targeting WordPress sites. This code replaces the current webpage with fake update templates. The source code is loaded from domains impersonating Google or Adobe, adding an extra layer of deception.

The installation flow of FakeSG involves the use of a URL shortcut. The decoy installer, an Internet shortcut, is downloaded from another compromised WordPress site. This shortcut retrieves a file from a remote server, which is responsible for the execution of PowerShell that downloads the final malware payload, the NetSupport RAT.

Specific TTPs of FakeSG

FakeSG employs several specific TTPs that make it a significant threat:

  1. Execution: FakeSG uses PowerShell to download the final malware payload (NetSupport RAT). The decoy installer, an Internet shortcut, is downloaded from another compromised WordPress site. This shortcut uses the WebDav HTTP protocol extension to retrieve the file launcher-upd.hta from a remote server. This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload.
  2. Defense Evasion: FakeSG uses obfuscated files or information to evade detection. It drops CMSTP.inf in %temp% and uses encoded PowerShell to hide artifacts. It also modifies the registry by adding a key to HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command /f /ve /t REG_SZ /d C:\Users\admin\AppData\Roaming\BranScale\client32.exe.
  3. Command and Control (C&C): After a successful infection, callbacks are made to the RAT’s command and control server at 94.158.247[.]27. This allows the threat actor to control the infected system remotely.

The Implications of FakeSG

Fake browser updates are a common decoy used by malware authors. With the emergence of FakeSG, there is another contender in this relatively small space. The presence of multiple malicious codes on a single website means that visitors could be redirected more than once, with the “winner” being the one who executes their malicious JavaScript code first.

The rise of FakeSG underscores the importance of maintaining up-to-date cybersecurity measures. Users should be wary of unexpected browser update prompts, especially those originating from unfamiliar websites. It is also crucial to keep all software, including WordPress and other CMS platforms, updated to the latest versions to mitigate the risk of compromise.


The emergence of FakeSG is a stark reminder of the dynamic nature of the cybersecurity landscape. As threat actors continue to refine their tactics and introduce new threats, it’s more important than ever for individuals and businesses to stay informed and maintain robust cybersecurity defenses. Remember, the first line of defense in cybersecurity is awareness. Stay safe online!

Leave a Reply

Your email address will not be published. Required fields are marked *