In a significant blow to cybercrime, international law enforcement agencies have successfully dismantled the infrastructure behind SocGholish, a notorious malware framework active since 2017. This coordinated effort led to the seizure of 106 servers and 101 domains, and the remediation of nearly 15,000 infected websites worldwide.
The operation was part of Operation Endgame, launched in 2024 and recognized as the largest international campaign against ransomware and cybercrime to date. Agencies from the Netherlands (the police’s National High Tech Crime Unit, NHTCU), Canada (RCMP), the United States (FBI), and Germany (BKA), supported by Europol and Eurojust, used a joint action week to cripple SocGholish’s botnet infrastructure by seizing servers and taking control of malicious domain names.
Operation Endgame Delivers Major Blow
Maikel Rollman of the National High Tech Crime Unit (NHTCU) emphasized the impact of these actions, stating that depriving cybercriminals of access to infected systems prevents further damage to digital infrastructures globally. He noted that this marks the beginning of further actions against SocGholish.
SocGholish, also known as “FakeUpdates,” is a JavaScript-based malware framework that preys on visitors to compromised but otherwise legitimate websites. Its operators inject malicious JavaScript into hacked WordPress sites; when a visitor loads a page, the injected code displays a convincing prompt claiming the browser is out of date and offering an “update”. The download is not an installer but a script (typically a JavaScript file, sometimes packed in a ZIP archive). Once the victim runs it, it opens a backdoor to attacker-controlled infrastructure, which the operators then use to deliver Remote Access Trojans (RATs), information stealers, Cobalt Strike beacons, and ransomware, including strains used against critical infrastructure.
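The injected loader described above is what a site owner or incident responder has to find in a compromised site’s pages. The scanner below is an added example written for this article, not code from the investigation or from any vendor: it flags `<script>` tags that load from hosts outside a site-specific allowlist and inline scripts that show common obfuscation or runtime-loader traits. The allowlist, the host names and the sample page are constructed, and the inline indicators are generic patterns, not SocGholish-specific signatures.

```python
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from. Assumption: maintained per site by its owner.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Generic indicators of an obfuscated inline loader. These are not SocGholish signatures,
# only constructs that rarely appear in a theme's own inline scripts.
INLINE_INDICATORS = ("eval(", "atob(", "fromCharCode(", "unescape(", "document.write(")


def script_host(src: str, page_host: str) -> str:
    """Return the host an src attribute loads from; relative and scheme-relative URLs resolve to the page."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).netloc or page_host).lower()


def find_suspicious_scripts(html: str, page_host: str) -> list:
    """Flag external scripts from unlisted hosts and inline scripts with loader/obfuscation traits."""
    allowed = {h.lower() for h in ALLOWED_SCRIPT_HOSTS} | {page_host.lower()}
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = script_host(src.group(1), page_host)
            if host not in allowed:
                findings.append({"kind": "external",
                                 "reason": f"loads script from unlisted host {host}",
                                 "snippet": src.group(1)})
            continue
        hits = [ind for ind in INLINE_INDICATORS if ind in body]
        # Building a <script> element at runtime is how many injected loaders fetch their next stage.
        if "createElement" in body and "script" in body.lower():
            hits.append("runtime script element")
        if hits:
            findings.append({"kind": "inline",
                             "reason": "inline script uses " + ", ".join(hits),
                             "snippet": body.strip()[:80]})
    return findings


# Constructed page: two legitimate scripts, one injected remote loader, one obfuscated inline stub
# and one harmless inline script. The .invalid and .test names are reserved and never resolve.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="//cdn.updates-check.invalid/loader.js"></script>
<script>var s=atob('ZG9jdW1lbnQud3JpdGUoImhpIik=');eval(s);</script>
<script>document.getElementById('nav').classList.add('open');</script>
</head><body><p>Opening hours and menu</p></body></html>"""


def scan_sample() -> list:
    """Run the scanner over the constructed page as if it were www.example-garage.test."""
    return find_suspicious_scripts(SAMPLE_PAGE, "www.example-garage.test")


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f['kind']}] {f['reason']}: {f['snippet']}")
```

Run it over the rendered HTML of a few pages rather than only the theme files on disk: injected loaders are sometimes stored in the database (widgets, post content, options) and only appear once WordPress assembles the page. Anything it flags still needs a human look, since a legitimately added analytics or chat widget will trip the allowlist check until it is added to the list.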
WordPress powers over 43% of all websites, so it presents an enormous attack surface. During the operation, investigators also found leaked login credentials for 1.4 million WordPress sites; stolen credentials let attackers simply log in and plant the SocGholish loader, without exploiting any software flaw, which is why those sites are so susceptible to infection.
Authorities confirmed that 14,971 websites were actively infected, many of them belonging to small businesses providing everyday services such as restaurants and auto repair garages; all of them have since been remediated.
Dutch police removed backdoors and malware from all identified infected WordPress sites and notified affected owners through platforms including HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation, and NCSC Netherlands. Affected WordPress site owners are strongly urged to:
- Immediately change all login credentials, since leaked credentials are the likely point of entry
- Enable multi-factor authentication (MFA) for every account that can log in to the WordPress dashboard
- Review the administrator list and delete any account you did not create or no longer recognize
- Keep WordPress core, plugins, and themes fully updated, and remove plugins and themes that are no longer maintained
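The third step, removing administrator accounts you did not create, is easiest to do systematically rather than by eye. The script below is an added example for this article, not code from the page or the investigators: it audits the JSON that `wp user list --format=json` produces and flags administrators that are missing from an owner-maintained list or were registered on or after a chosen review cutoff. The known-admin set, the cutoff date and the user records are all constructed.

```python
import json
from datetime import datetime
from typing import Optional

# Administrator logins the owner knows about. Assumption: kept by the owner, not derived from the site.
KNOWN_ADMINS = {"owner", "webagency"}

# Accounts registered on or after this date are not trusted on sight (constructed cutoff).
REVIEW_CUTOFF = datetime(2025, 11, 1)

# Constructed stand-in for the output of `wp user list --format=json`; the roles field is a
# comma-separated string, as WP-CLI prints it.
SAMPLE_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "owner", "display_name": "Site Owner",
     "user_email": "owner@example-garage.test", "user_registered": "2019-03-02 10:15:00",
     "roles": "administrator"},
    {"ID": 7, "user_login": "webagency", "display_name": "Web Agency",
     "user_email": "dev@agency.example", "user_registered": "2021-06-11 08:00:00",
     "roles": "administrator"},
    {"ID": 12, "user_login": "editor1", "display_name": "Content Editor",
     "user_email": "editor@example-garage.test", "user_registered": "2022-01-20 09:30:00",
     "roles": "editor"},
    {"ID": 42, "user_login": "wp-support", "display_name": "WordPress Support",
     "user_email": "support@wp-maint.invalid", "user_registered": "2025-11-19 03:41:12",
     "roles": "administrator"},
])


def audit_admins(user_list_json: str, known_admins: set, since: Optional[datetime] = None) -> list:
    """Return administrator accounts that are not on the known list or were registered on/after `since`."""
    suspicious = []
    for user in json.loads(user_list_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        if "administrator" not in roles:
            continue  # non-admin roles are out of scope for this check
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not a known administrator")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if since is not None and registered >= since:
            reasons.append(f"registered {registered:%Y-%m-%d}, on or after the review cutoff")
        if reasons:
            suspicious.append({"ID": user["ID"], "user_login": user["user_login"], "reasons": reasons})
    return suspicious


def audit_sample() -> list:
    """Audit the constructed user list against the constructed known-admin set and cutoff."""
    return audit_admins(SAMPLE_USER_LIST, KNOWN_ADMINS, REVIEW_CUTOFF)


if __name__ == "__main__":
    for hit in audit_sample():
        print(f"user {hit['ID']} ({hit['user_login']}): {'; '.join(hit['reasons'])}")
```

Feed it real data with `wp user list --format=json > users.json`. The IDs it returns are what `wp user delete <ID> --reassign=<owner-ID>` takes; reassigning keeps any content the rogue account created instead of deleting it. The update step has WP-CLI equivalents as well: `wp core update`, `wp plugin update --all` and `wp theme update --all`.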
SocGholish is linked to Evil Corp, the Russian cybercriminal group previously responsible for the Zeus and Dridex banking malware campaigns and implicated in multiple large-scale ransomware and money-laundering operations. The Center for Internet Security has identified SocGholish as the top malware downloader, accounting for 60% of all such attacks globally.
Protecting Against Fake Updates
Users can protect themselves by treating any pop-up that appears while browsing and demands a browser update as hostile. Browsers update themselves through their own built-in mechanism (the browser’s own About or settings page), and the operating system’s settings and official app stores are the only other legitimate sources of updates; a genuine browser update is never a script or a ZIP archive downloaded from an unrelated website. Antivirus software should remain active and up to date. Legitimate update notices do not use alarmist, high-pressure messaging demanding immediate action.
This takedown underscores the critical importance of international collaboration in combating cyber threats. By dismantling SocGholish’s infrastructure, authorities have not only disrupted a major malware distribution network but also highlighted the necessity for website owners to maintain robust security practices. As cybercriminals continually adapt their tactics, ongoing vigilance and cooperation between law enforcement and the private sector remain essential in safeguarding the digital ecosystem.