Operation Endgame Hits SocGholish Malware Network after international law enforcement agencies carried out a coordinated operation targeting one of the most significant malware distribution chains linked to cybercrime. Authorities announced the remediation of 14,971 websites infected with SocGholish Malware, a threat used by the cybercriminal group Evil Corp to gain unauthorized access to victim systems and facilitate further attacks.
The operation involved law enforcement agencies from the Netherlands, Canada, the United States, and Germany, with support from Europol and Eurojust. Officials described the action as a major disruption of the infrastructure used to distribute malware through compromised WordPress websites.
Operation Endgame Hits SocGholish Malware Network Across Multiple Countries
During the coordinated action week, authorities took down 106 servers and domains associated with the criminal infrastructure supporting SocGholish operations.
According to investigators, SocGholish Malware spreads primarily through compromised WordPress websites. Visitors to infected websites are presented with fake software update prompts, often disguised as browser updates. Once downloaded and installed, the malware establishes access to the victim’s system, allowing attackers to deploy additional malicious software.
Law enforcement agencies also disabled the SocGholish Botnet by seizing domains and taking servers offline.
In addition to infrastructure takedowns, authorities cleaned infected WordPress sites and launched a large-scale victim notification campaign to warn affected website owners and encourage stronger security measures.
WordPress Websites at the Center of the Campaign
Authorities highlighted the widespread use of WordPress as a factor contributing to the scale of the threat. According to WordPress, more than 43% of websites worldwide are built on the platform.
Investigators reported that login credentials for approximately 1.4 million websites have been leaked, increasing the risk of unauthorized access and malware infections.
Cybercriminals behind SocGholish typically compromise websites by exploiting weak passwords, stolen credentials, or vulnerable website configurations. Once access is obtained, malicious code is inserted into websites, allowing attackers to distribute fake updates to visitors.
The infected websites included platforms providing everyday services, such as restaurants and automotive repair businesses.
Authorities Urge Website Owners to Strengthen Security
The Dutch National High Tech Crime Unit stated that malware and backdoors have been removed from affected websites and that site owners have been notified.
Website owners have been urged to:
- Change login credentials
- Enable Multi-Factor Authentication (MFA)
- Remove unknown WordPress accounts
- Keep WordPress installations updated
Authorities emphasized that these measures can significantly reduce the likelihood of future compromise.
Fake Updates Continue to Drive Infections
Also known as FakeUpdates, SocGholish has remained active since 2017 and continues to be used as an initial access tool for broader cybercriminal operations.
The malware is distributed through fraudulent software update messages that appear while users browse compromised websites. Once installed, the malware creates a connection to attackers, enabling them to gain access to victim systems.
Officials warned users not to trust browser pop-ups requesting immediate software updates and advised obtaining updates only through official application stores, system settings, or verified vendors.
Additional recommendations include maintaining updated antivirus software and exercising caution when encountering urgent update notifications.
Law enforcement agencies linked Evil Corp to the SocGholish malware operation. The group has previously been associated with Zeus and Dridex malware campaigns, as well as multiple ransomware and money laundering operations.
Authorities noted that SocGholish has been used to deploy various ransomware strains that have impacted organizations and critical infrastructure targets worldwide.
Operation Endgame Expands Global Cybercrime Disruption Efforts
Launched in 2024, Operation Endgame is described by participating agencies as the largest international effort to combat ransomware and cybercrime. The initiative brings together law enforcement and judicial authorities from the Netherlands, Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom, and Canada, with support from Europol and Eurojust.
Officials stated that cooperation between public agencies and private-sector cybersecurity organizations remains a critical component of the operation as efforts continue against SocGholish and other cybercriminal networks.
