
Authorities Remediate 15,000 WordPress Sites in Global SocGholish Malware Takedown

Last updated: June 20, 2026
  • Law enforcement agencies across four countries remediated nearly 15,000 websites infected with SocGholish malware as part of a sweeping international crackdown.

  • The operation took down 106 servers and domains globally, dealing a significant blow to the criminal infrastructure supporting the Russian cybercriminal group Evil Corp.

  • Authorities are now urging all WordPress website owners to change their login credentials, enable multi-factor authentication, and update their sites immediately.


A major international law enforcement operation has dismantled a key infection chain used by cybercriminals to compromise thousands of websites and infiltrate computer systems worldwide.

The operation, carried out this week under the banner of Operation Endgame, saw authorities from the Netherlands, Canada, the United States, and Germany remediate 14,971 websites compromised with SocGholish malicious software, with support from Europol and Eurojust.

SocGholish abuses compromised, legitimate WordPress websites to push malware onto unsuspecting visitors and gain unauthorized access to their systems. WordPress powers more than 43% of all websites on the internet, according to the platform itself, making it an enormously attractive target.

Authorities identified leaked login credentials from 1.4 million WordPress sites, leaving all of them vulnerable to infection. The 14,971 sites already compromised include everyday service providers such as restaurants and auto garages.

Maikel Rollman of the Netherlands’ National High Tech Crime Unit described the significance of the action. According to Rollman, the operation denies cybercriminals access to infected computer systems, preventing further harm to the digital infrastructure of citizens, businesses, and organizations globally.

He added that it also reduces the risk of criminals weaponizing those systems against critical infrastructure and other essential societal processes, and that this marks the beginning of further operations targeting SocGholish.

106 Servers Down, 15,000 Sites Cleaned

During the joint action week, law enforcement delivered a coordinated blow to SocGholish’s criminal infrastructure. Authorities took down 106 servers and domains worldwide. They also cleaned infected WordPress sites and notified affected site owners, urging them to update their platforms and change their login credentials immediately.

Agencies disabled the SocGholish botnet by seizing domain names and pulling servers offline. Police also notified WordPress site owners whose leaked login credentials they identified during the investigation. Notification channels included DIVD, HaveIBeenPwned, CheckjeHack, Spamhaus, The Shadowserver Foundation, NoMoreLeaks, and the NCSC in the Netherlands.

The Dutch police removed backdoors and malware from the infected sites directly. Authorities then contacted the owners of those sites with a clear set of instructions: change login credentials, enable multi-factor authentication, delete any extra WordPress accounts you don’t recognize, and keep the WordPress platform consistently updated going forward.
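The owner-side steps above, turned into a WP-CLI audit of a single site. This is an added example, not code from the article or from the investigating agencies; the `wp` commands, the KNOWN_ADMINS allowlist and the WP_PATH variable are assumptions about how the site is managed.

```shell
#!/bin/sh
# Added example, not code from the article or the police advisory.
# Audits one WordPress install with WP-CLI along the lines of the owner
# instructions: list administrator accounts, flag the ones the owner does
# not recognise, report pending updates, and destroy live admin sessions so
# stolen cookies stop working. Assumes "wp" is installed and WP_PATH points
# at the site's document root. Multi-factor authentication has to be enabled
# by hand or via a plugin, so the script only reminds the owner about it.
set -eu

# Constructed allowlist of administrator logins the site owner recognises.
KNOWN_ADMINS="alice
bob"

# Print every login in $1 (one per line) that is absent from $2.
# Plain text processing, so it can be exercised without a WordPress install.
unknown_admins() {
    printf '%s\n' "$1" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$login" || printf '%s\n' "$login"
    done
}

audit_site() {
    admins=$(wp user list --role=administrator --field=user_login --path="$WP_PATH")
    unknown=$(unknown_admins "$admins" "$KNOWN_ADMINS")
    if [ -n "$unknown" ]; then
        echo "Administrator accounts nobody recognises; review, then remove:"
        echo "$unknown" | sed 's/^/  /'
        echo "  (wp user delete <login> --reassign=<known-admin-id> --path=$WP_PATH)"
    fi
    # Pending core and plugin updates are reported, not applied blindly.
    wp core check-update --path="$WP_PATH"
    wp plugin list --update=available --path="$WP_PATH"
    # Destroy every session of every admin; the owner then sets fresh
    # passwords (wp user update <login> --user_pass=...) and enables MFA.
    printf '%s\n' "$admins" | while IFS= read -r login; do
        [ -n "$login" ] && wp user session destroy "$login" --all --path="$WP_PATH"
    done
}

# Only touch a site when the caller named one; sourcing the file just for
# the unknown_admins helper does nothing.
[ -z "${WP_PATH:-}" ] || audit_site
```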

The urgency of these measures is underscored by the recent exposure of nearly 19,000 WordPress admin credentials in a major dark web data dump, showing how easily attackers can gain access to unsecured sites.

SocGholish, Evil Corp, and Eight Years of Attacks

SocGholish has operated as a persistent threat since 2017. Researchers also know it by the name “FakeUpdates,” a reference to its primary distribution method: the malware spreads through fake software update prompts, often mimicking browser update notifications.

When a user installs one of these fraudulent updates, the malware establishes a connection back to the attackers, granting them access to the compromised system. That initial access then allows criminals to deploy even more dangerous software, including multiple ransomware strains that have previously struck critical infrastructure targets.

Investigators link SocGholish directly to Evil Corp, a Russian cybercriminal group with a long and destructive track record. Evil Corp previously developed the Zeus and Dridex malware families and has ties to several large-scale ransomware campaigns and money-laundering operations.

What WordPress Owners Should Do Now

Operation Endgame, which launched in 2024, represents the largest international effort ever mounted against ransomware and cybercrime. The operation brings together law enforcement and judicial authorities from the Netherlands, Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom, and Canada. Private sector cybersecurity firms also play an active role.

According to Rollman, investigative services and the cybersecurity sector need each other deeply to make the digital world as safe as possible, and Operation Endgame stands as a strong example of that collaboration.

For anyone running a WordPress website, authorities recommend never trusting browser pop-ups pushing updates, avoiding flashy alerts demanding immediate action, keeping virus scanners active during software installations, and always sourcing genuine updates from official channels such as system settings or the app store.

SocGholish, also known as FakeUpdates, spreads precisely by exploiting users who skip these precautions. The investigation into SocGholish and its operators continues.


About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
