Are you sure your browser is up to date?


The current landscape of fake browser updates

Proofpoint is currently tracking four different threat clusters that use fake browser updates to spread malware. The fake updates link to compromised browser websites such as Google Chrome, Firefox or Edge that announce a browser update. When a user clicks on the link, he does not download the legitimate browser update, but malicious malware.

According to the study, TA569 has been using fake browser updates to deliver SocGolish malware for more than five years. And in recent years, other cybercriminals are also copying this pattern. Each cybercriminal uses social engineering in combination with their own methods to deliver a lure and payload. The use of fake browser updates is unique because it exploits the trust users have in their browsers and in websites they frequent.

Cybercriminals running the fake browser updates use JavaScript or HTML code to redirect victims to a domain under their own control. This code can overwrite the Web page with a fake browser update that matches the Web browser the victim is using. A malicious payload is then automatically downloaded, or the user is prompted to download a "browser update" that delivers the payload.
The distraction and efficiency of fake browser updates

Baiting with fake browser updates works because cybercriminals abuse users' security training. Users learn to only accept updates and click on links from trusted websites, and to check that the websites are legitimate. The fake updates exploit this, by compromising trusted sites. They use JavaScript to perform background checks and to overwrite the existing website with a browser update lure. To a user, this always appears to be the same website asking them to perform an update.


The current landscape includes four different threat clusters that use unique campaigns for fake browser updates. Each campaign proceeds in three distinct phases:

  • Phase 1: refers to the malicious movement on a legitimate but compromised website
  • Phase 2: refers to the traffic leaving from and moving to the cybercriminals' domain. This is where cybercriminals perform much of the filtering work, distributing the lure and malicious payload.
  • Phase 3: refers to the realization of the malicious payload at the user.


SocGholish is the main threat people think of when talking about baiting with fake browser updates. This threat has been well documented over the years. Proofpoint attributes SocGholish campaigns to threat actor TA569, observing that TA569 acts as a disseminator for other threat actors. Currently, SocGholish uses three different methods to direct traffic from sites compromised in phase one to shadowed domains - under the control of cybercriminals - to phase two.

The different infiltration points makes it difficult for defenders to pinpoint the location and reproduce the traffic through the different stages of filtering

Figure 1. SocGholish fake update mimicking a Chrome update.


The second fake browser update identified by Proofpoint in May 2023 is RogueRaticate or FakeSG. External researchers consider it a copy of the existing and extensive SocGholish campaigns. The activity was first observed in November 2022. Proofpoint does not attribute RogueRaticate activity to a threat actor and clearly distinguishes it from SocGholish campaigns.

Figure 2. Example of a RogueRaticate fake update spoofing a Chrome update.


Proofpoint identified a new cluster of fake -browser update campaigns in June 2023, namely NetSupport RAT. In August 2023, Trellix first reported activity and was named ZPHP or SmartApeSG in Proofpoint's documentation. Proofpoint does not currently assign ZPHP activity to a threat actor with a TA number reference.

Figure 3. Example of ZPHP spoofing that mimics a Chrome update.


In August 2023, outside researchers published details about the fake browser update ClearFake. Subsequently, Proofpoint identified consistent campaigns from this cluster and observed a series of changes over the time the cluster was monitored. Proofpoint observed that ClearFake displays fake browser updates in the languages corresponding to the browser's set language, including French, German, Portuguese and Spanish. Proofpoint did not assign ClearFake's activities to any threat actor with a TA reference.

Figure 4. Example of ClearFake spoofing that mimics a Chrome update.


Proofpoint observed an increase in threat activity from fake browser updates for the purpose of spreading malicious malware such as payloads. SocGholish and TA569 showed that compromising vulnerable websites to display fake browser updates is an efficient method to spread malware. Other cybercriminals have learned from TA569 and are using this lure in their own way. These copycats currently use information thieves and RATs, but can also easily switch to an intermediary that provides initial access to ransomware.

Click here for the full post.

Read more here.


Expert reactions to first anniversary ChatGPT

Lawmakers from EU want to reduce tech dependency

New CEO of Binance discusses the future of the exchange

Cyberscams during the holidays: here's what you need to know

© Dutch Tech On Heels - 2023
Made with
Web Wings