Operation Endgame: 15,000 WordPress Websites Cleaned of SocGholish Malware

In a nutshell: Operation Endgame has cleaned 14,971 compromised WordPress websites of malware from the SocGholish network, which is attributed to the Russian cybercrime group Evil Corp.

An international alliance of authorities has freed nearly 15,000 WordPress websites from SocGholish malware as part of Operation Endgame and shut down 106 servers and domains used to control the botnet. The action targets a network active since 2017 that serves as an entry point for further cyberattacks.

Investigators from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, have targeted the SocGholish infrastructure network. In total, 14,971 compromised websites, predominantly WordPress installations, have been cleaned of malicious code and backdoors. In parallel, authorities shut down 106 servers and domains that were used to control the botnet and distribute the malware.

SocGholish, also known by the names FakeUpdates or GhoLoader, has been active in cyberattacks since 2017. Its method of operation is based on manipulated pop-up messages on compromised websites. Visitors are tricked into executing what appears to be a browser update, but is actually malware. Once executed, the program establishes a connection to the attackers’ servers, giving them unauthorized access to the system.

The SocGholish network functions as an Initial Access Broker – it procures and markets initial system access, which is then passed on or sold to other criminals. The infrastructure is attributed to Evil Corp, a Russian cybercrime association active since 2007. Through SocGholish infection chains, malware families such as Dridex and Doppelpaymer as well as ransomware variants such as WastedLocker, Hades, and Phoenix CryptoLocker have been deployed on systems in the past.

Dutch police recommended concrete security measures to the operators of the cleaned websites: immediate change of all credentials, activation of multi-factor authentication, deletion of unknown user accounts in the content management system, and full installation of all available software updates.
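The account review in that list can be scripted. The following is an added example, not part of the original report or of any tooling used in the operation: it audits a WordPress user export against the operator's own record of legitimate accounts, and goes one step beyond "unknown accounts" by also flagging known accounts that hold a role they should not have. The approved list, the known-good date and the sample rows are constructed assumptions; the CSV shape is that of WP-CLI's `wp user list` output.

```python
import csv
import io

# Constructed sample in the shape of:
#   wp user list --format=csv --fields=ID,user_login,user_email,roles,user_registered
SAMPLE_CSV = """\
ID,user_login,user_email,roles,user_registered
1,siteowner,owner@example.org,administrator,2019-03-02 10:15:00
2,editor_anna,anna@example.org,editor,2021-07-19 08:40:11
7,wp_support,helpdesk@example.net,administrator,2026-05-30 02:13:54
9,j.doe,jdoe@example.org,"author,administrator",2022-01-05 12:00:00
12,newsub,sub@example.com,subscriber,2026-06-02 17:22:09
"""

# Assumption: the operator's own record of legitimate logins and their roles.
APPROVED = {"siteowner": {"administrator"}, "editor_anna": {"editor"},
            "j.doe": {"author"}}
KNOWN_GOOD = "2026-05-01 00:00:00"  # hypothetical last known-good date


def audit_users(csv_text, approved, known_good):
    """Return (login, severity, reasons) for accounts that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        reasons = []
        if login not in approved:
            reasons.append("not in approved list")
        else:
            extra = roles - approved[login]
            if extra:
                reasons.append("unexpected role: " + ",".join(sorted(extra)))
        # WordPress stores user_registered as 'YYYY-MM-DD HH:MM:SS', so
        # plain string comparison orders timestamps correctly.
        if row["user_registered"] > known_good:
            reasons.append("registered after " + known_good)
        if reasons:
            severity = "high" if "administrator" in roles else "review"
            findings.append((login, severity, reasons))
    # High-severity accounts first, then alphabetical by login.
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))


if __name__ == "__main__":
    for login, severity, reasons in audit_users(SAMPLE_CSV, APPROVED, KNOWN_GOOD):
        print(f"[{severity}] {login}: {'; '.join(reasons)}")
```

Rotate credentials and enable multi-factor authentication for every account that remains after the review, since a flagged account may not be the only one whose password was exposed.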


Source: www.it-daily.net · Published June 21, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.