Security researchers from Malwarebytes have identified an ongoing malvertising campaign that leverages browser push notifications to distribute malware. The campaign employs social engineering tactics to trick users into downloading and executing the payload known as FAKEUPDATES or SocGholish.
Attack Vector: Malvertising and Notification Hijacking
The attack begins when users visit websites, primarily adult-themed sites, that contain malicious advertisements. These ads redirect the user to a page designed to deceive them into accepting push notifications. The fraudulent page often impersonates a CAPTCHA check or an age verification gate, displaying messages such as “Click Allow to confirm you are not a robot.”
When a user clicks the “Allow” button, they inadvertently subscribe their browser to a push notification service controlled by the cybercriminals. This technique exploits a legitimate browser feature, allowing it to bypass many traditional ad-blocking tools.
Malware Delivery Through Deceptive Updates
After the subscription is established, the attackers send deceptive push notifications to the user’s browser. These notifications are crafted to look like legitimate software update alerts, often using the logo of the user’s browser, such as Google Chrome, with text prompting them to install a critical update.
Clicking the notification initiates the download of a malicious JavaScript file, frequently named Update.js. If the user executes this file, it installs the FAKEUPDATES malware, also known as SocGholish. This specific malware has been associated with various threat actors, including the group behind the Clop ransomware (TA505) and the Russian cybercriminal group Evil Corp.
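As an added, defender-side example (not code from Malwarebytes or from this article), the Python below shows two checks a responder could run on an affected machine: listing which origins a Chromium profile has granted notification permission, and flagging Windows Script Host launches of a .js file from a user's Downloads or Temp folder in process-creation events. The Preferences layout (profile.content_settings.exceptions.notifications, setting 1 = allow) and the event format are assumptions, and all sample data is constructed.

```python
import json
import re

# Constructed sample of the part of a Chromium "Preferences" file that records
# per-site notification permission (assumed layout:
# profile.content_settings.exceptions.notifications, setting 1 = allow, 2 = block).
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://news.example.com:443,*": {"setting": 1},
        "https://captcha-check.example.net:443,*": {"setting": 1},
        "https://blocked.example.org:443,*": {"setting": 2},
    }}}}})

# Constructed process-creation events, one per line, key=value fields joined by "|".
SAMPLE_EVENTS = r"""
ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe|Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update.js"
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe "C:\Users\alice\Downloads\Update.js"
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt
ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe C:\Scripts\inventory.vbs
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js/.jse file launched out of a user-writable download or temp location.
DOWNLOADED_SCRIPT = re.compile(r'\\(?:Downloads|Temp)\\([^\\"]+\.jse?)\b', re.IGNORECASE)


def notification_grants(prefs_json: str) -> list[str]:
    """Return the origins this browser profile currently allows to push notifications."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    # Keys look like "https://host:443,*"; the part before the comma is the origin.
    return sorted(key.split(",")[0] for key, val in exceptions.items()
                  if val.get("setting") == 1)


def suspicious_script_launches(events: str) -> list[dict]:
    """Flag Windows Script Host processes running a .js file from Downloads/Temp."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split("|"))
        host = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
        match = DOWNLOADED_SCRIPT.search(fields.get("CommandLine", ""))
        if host in SCRIPT_HOSTS and match:
            hits.append({"host": host, "script": match.group(1),
                         "parent": fields.get("ParentImage", "").rsplit("\\", 1)[-1]})
    return hits


if __name__ == "__main__":
    print("notification grants:", notification_grants(SAMPLE_PREFS))
    for hit in suspicious_script_launches(SAMPLE_EVENTS):
        print("suspicious launch:", hit)
```

Revoking the notification grant for an unrecognised origin stops further fake-update prompts, while the script-launch check catches the moment the downloaded file is actually run.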