PP104: How SocGholish Picks Locks to Let In Ransomware

In this live episode recorded at RSA 2026, Drew Connery-Murray and Jennifer welcome Anna Pham, Senior Technical and Response Analyst at Huntress Labs, to discuss the long-standing and highly effective malware framework known as SockGholish (or SotGolish). Anna breaks down how this JavaScript-based attack has been infecting millions of WordPress websites since 2017, using fake update pages to trick users into downloading malicious scripts. Once executed, the malware performs stealthy credential theft, browser hijacking, and man-in-the-middle attacks via fake root certificates, all while remaining undetected due to low resource usage. The threat actor behind SockGholish operates as an initial access broker, selling access and stolen data to ransomware groups and other cybercriminals. Despite its age, the framework remains unchanged and highly effective, relying on social engineering and outdated user behaviors like double-clicking scripts. Anna emphasizes that simple, actionable defenses—like deploying group policies to open scripts in Notepad++ instead of executing them—can drastically reduce risk. She also discusses related threats like ClickFix and the growing use of AI in malware development, noting telltale signs such as overly verbose comments and emojis in code. The episode concludes with a candid look at the psychology behind these attacks and the importance of proactive detection and defense.