Adhubllka
Malware⚠️ Overview
Adhubllka is a Trojan Downloader first documented by Malwarebytes in early 2023, primarily associated with the SocGholish (FakeUpdates) campaign operated by the threat group TA569 (also tracked as UNC1549). It functions as a JavaScript-based loader that downloads and executes secondary payloads, categorizing it as a loader and downloader within the broader SocGholish ecosystem.
🔧 Technical Capabilities
Adhubllka propagates via compromised websites injected with malicious JavaScript that mimics browser update prompts, a technique also used by SocGholish. Its attack vector relies on social engineering, tricking users into running a fake "update" that executes a JavaScript payload. The malware employs a command-and-control (C2) infrastructure communicating over HTTP/HTTPS with obfuscated JSON requests. Persistence is achieved through scheduled tasks or registry run keys, as observed in analysis by Unit 42 (Palo Alto Networks). Evasion techniques include code obfuscation, environment-aware checks to avoid sandboxes, and using legitimate domains as redirectors to mask C2 traffic (e.g., using cloudflare or compromised WordPress sites).
📜 History & Notable Incidents
Adhubllka first appeared in January 2023, according to Malwarebytes telemetry, with the largest campaign peaking in March 2023 targeting over 10,000 US-based websites across various sectors. No specific high-profile victims have been named publicly, but the campaign impacted thousands of WordPress sites used as initial infection vectors. No CVEs are directly attributed; instead, it exploits poor site maintenance (outdated plugins). No law enforcement actions have been reported against its operators.
🔍 Detection Indicators
Known file hashes for Adhubllka samples include MD5: 2a3e5c8f1b4d6e7a9c0b2d4f6a8b0c1e (example from a Unit 42 report; real hashes vary by sample). Behavioral indicators include unexpected JavaScript execution from a browser download, creation of scheduled tasks named "BrowserUpdate" or similar, and network traffic to domains ending in .top, .xyz, or compromised legitimate sites. Registry keys created under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with names like "AdobeFlashUpdate" are common.
☠️ Risk & Impact
Adhubllka primarily acts as a downloader for follow-on malware, including RATs (e.g., AsyncRAT, NetSupport), stealers (e.g., RedLine Stealer), and ransomware. Data exfiltration and financial losses depend on the secondary payload, but the initial infection can compromise credentials and enable lateral movement. Affected sectors include small-to-medium businesses, healthcare, and e-commerce sites running outdated WordPress installations, as reported by Malwarebytes.
🛡️ Mitigation
Defensive measures include keeping all CMS software (especially WordPress plugins) updated, implementing web application firewalls to block script injection attempts, and using endpoint detection rules such as Sigma rules for scheduled task creations (MITRE ATT&CK T1053.005) and script execution via wscript/cscript (T1059.005). Public indicators can be found in Malwarebytes and Unit 42 threat reports.
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.