

User-initiated initial access

We observed an uptick in threats that occurred after users sought out content which, often unbeknownst to them, was malicious.


In 2021, Red Canary observed adversaries use a range of initial access mechanisms to gain a foothold in victims’ environments. Much of the activity we saw was consistent with our expectations, with many detections resulting from malicious emails, attempts to harvest victims’ credentials, and breaches by way of a trusted party. Additional details on trends associated with these initial access vectors and follow-on activity such as web shell installation can be found throughout the report.

Understanding initial access can help defenders protect their environments early on. Prioritizing detections related to initial access saves money, time and effort; lessens pain points for users; and reduces impact to a business. From an intelligence perspective, understanding common patterns in initial access and follow-on activity helps build confidence in determining if relationships exist between threats that co-occur in an environment.

Notably, over the past year, we observed a rise in what we refer to as “user-initiated activity”: cases where victims downloaded a malicious executable after engaging with content they purposefully sought out. This often occurs without the victim’s knowledge, particularly in cases where adversaries poison search engine results to direct victims to compromised websites.

Though user-initiated activity can be just as dangerous as adversary-initiated activity, it can be more challenging to triage because it often involves unwanted software or riskware, which many organizations deem lower-risk. However, it is critical to respond to this type of activity immediately, as follow-on threats can include infostealers and ransomware.

Top threats relying on user-initiated activity

Several of our top 10 threats—SocGholish, Yellow Cockatoo, and Gootkit—rely on variants of user-initiated activity for initial access. Though not as pervasive, we also saw similar tradecraft with Rose Flamingo, an activity cluster involved in intrusion chains where we later observed various payloads such as STOP ransomware.

  • Adversaries behind both Gootkit and Yellow Cockatoo abuse search engine optimization (SEO) to display malicious content at the top of a victim’s search results. Because compromised websites are displayed prominently and presented to the victim from a trusted search engine, victims are often easily “lured” to these sites. They are then prompted to download malicious content masquerading as legitimate content. For example, if a user searched for “this is my query,” the binary they downloaded would be named `this-is-my-query.exe`. Because the file looks familiar, users are less likely to scrutinize it closely or look for red flags.
  • Rose Flamingo’s initial access occurs via file-sharing websites purporting to provide free or “cracked” software.
  • Similarly, SocGholish leverages drive-by downloads masquerading as software updates. SocGholish itself is embedded in legitimate websites that have been compromised to prompt users to download supposedly required updates.

In each case, the tradecraft allows the operators to carry out seemingly targeted social engineering intrusions at scale.
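The file-naming pattern described above for Gootkit and Yellow Cockatoo can be hunted for by correlating a user's recent search queries with the names of files they download shortly afterwards. The following is an added example, not Red Canary's detection logic; the log layout, the `.example` hosts, the extension list, the search parameter names and the 10-minute window are all assumptions to adapt to your own proxy telemetry.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed proxy records: (timestamp, user, URL). Hosts and paths are illustrative only.
SAMPLE_LOG = [
    ("2021-06-01T09:00:05", "alice", "https://search.example/search?q=this+is+my+query"),
    ("2021-06-01T09:00:40", "alice", "https://compromised.example/files/this-is-my-query.exe"),
    ("2021-06-01T09:05:00", "bob", "https://search.example/search?q=quarterly+tax+form"),
    ("2021-06-01T09:06:10", "bob", "https://vendor.example/dl/setup-4.2.exe"),
    ("2021-06-01T11:30:00", "alice", "https://files.example/get/This_Is_My_Query.zip"),
]

RISKY_EXT = {".exe", ".zip", ".js", ".jse", ".msi", ".iso"}  # assumption: tune per environment
QUERY_PARAMS = ("q", "query", "p")  # assumption: common search parameter names
WINDOW = timedelta(minutes=10)      # assumption: search-to-download correlation window


def tokens(text):
    """Lowercased alphanumeric tokens, so 'this+is+my' and 'This_Is-My' compare equal."""
    return tuple(re.findall(r"[a-z0-9]+", text.lower()))


def find_query_named_downloads(records):
    """Return (user, query, url) for downloads whose file name mirrors a recent search."""
    recent = {}  # user -> list of (time, query tokens, raw query)
    hits = []
    for ts, user, url in sorted(records):
        when = datetime.fromisoformat(ts)
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        for name in QUERY_PARAMS:
            for q in params.get(name, []):
                if len(tokens(q)) >= 2:  # single-word queries match too much
                    recent.setdefault(user, []).append((when, tokens(q), q))
        filename = unquote(parts.path.rsplit("/", 1)[-1])
        stem, dot, ext = filename.rpartition(".")
        if not dot or "." + ext.lower() not in RISKY_EXT:
            continue
        for seen, qtok, raw in recent.get(user, []):
            if when - seen <= WINDOW and tokens(stem) == qtok:
                hits.append((user, raw, url))
    return hits


if __name__ == "__main__":
    for user, query, url in find_query_named_downloads(SAMPLE_LOG):
        print(f"ALERT user={user} query={query!r} download={url}")
```

On the constructed sample, only the `.exe` fetched 35 seconds after the matching search is flagged; the later `.zip` with the same name falls outside the correlation window, and the vendor installer does not match any query.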

To harden your intrusion surface against the search engine tradecraft commonly used by Yellow Cockatoo and Gootkit, we recommend taking steps to prevent access to malicious domains and other malicious content on the internet. This could involve configuring your web proxy to block newly registered and low-reputation domains (e.g., *.tk, *.top, and *.gg) and blocking ads.

To mitigate risks associated with the fake browser updates related to SocGholish and the malicious JavaScript files used by Gootkit, we recommend preventing automatic execution of JavaScript files. You can do this by changing the default file associations for .js and .jse files.

We also recommend periodically refreshing security training to remind employees of the risks associated with web browsing, as this is discussed less frequently.
