
Police clean 15,000 SocGholish-infected WordPress sites

Huma Shazia, 18 June 2026 at 10:56 pm, 5 min read
Key Takeaways

Source: BleepingComputer
  • International agencies cleaned 14,971 WordPress sites infected with SocGholish malware
  • 106 servers and domains linked to Evil Corp's botnet were taken offline
  • Operation Endgame continues expanding its takedown of malware dropper infrastructure

International law enforcement agencies cleaned nearly 15,000 WordPress websites infected with SocGholish malware and took down 106 servers tied to Russia's Evil Corp cybercrime group. The coordinated action, part of Operation Endgame, targeted a JavaScript-based malware loader that has hijacked legitimate websites since 2017.

Authorities from the Netherlands, Canada, the United States, and Germany collaborated on the cleanup. The Dutch National High Tech Crime Unit removed malware and backdoors from 14,971 compromised sites while advising website owners to change credentials, enable multi-factor authentication, and delete unknown WordPress accounts.

With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware.

— Maikel Rollman, Netherlands' National High Tech Crime Unit

How does SocGholish infect websites?

SocGholish, also tracked as FakeUpdates and GhoLoader, works by compromising legitimate websites and tricking visitors into downloading malicious payloads. The malware typically disguises itself as a fake browser update. When a user installs the fake update, SocGholish opens a connection to the attackers, giving them access to the infected system.

WordPress sites are the primary target. The malware has served as a delivery mechanism for other malware families including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult. Security researchers estimate that 1.4 million websites with leaked login credentials remain vulnerable to SocGholish infection.

1.4 million: websites with leaked credentials potentially vulnerable to SocGholish infection

Who is Evil Corp and why does this matter?

Evil Corp is a Russian cybercrime gang active since 2007. The group has been linked to the Zeus and Dridex malware families and operated the WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker ransomware campaigns. SocGholish has functioned as a primary entry point for the group's ransomware operations.

A Europol Cybercrime Centre investigator called the operation "a critical strike against the dropper ecosystem that has served as the primary entry point for Evil Corp's ransomware operations for years." The dropper ecosystem refers to the network of malware loaders that deliver ransomware and other malicious payloads to initial victims.

What is Operation Endgame?

Operation Endgame launched in May 2024 as the largest coordinated international effort to dismantle the dropper ecosystem. The operation has systematically targeted infrastructure that delivers malware to victims before the actual ransomware or data theft begins.

In November, law enforcement agencies took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations. Previous Endgame actions targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and major malware operations including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.

"This marks the beginning of further action against SocGholish," Rollman said, signaling that additional enforcement is planned.

What should WordPress site owners do now?

Dutch police issued specific guidance for website owners whose sites were cleaned. Even if your site was not part of this operation, the recommendations apply broadly to WordPress security.

  • Change all WordPress administrator credentials immediately
  • Enable multi-factor authentication on all admin accounts
  • Audit WordPress accounts and delete any you don't recognize
  • Update WordPress core, themes, and plugins to current versions
  • Review server access logs for suspicious activity
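Two of the checklist items above, auditing accounts and reviewing access logs, are easy to automate. The following script is an added example written for this article, not code from the Dutch police or from BleepingComputer. It assumes the account list has the shape that `wp user list --format=json` prints (fields `user_login`, `user_email`, `roles`) and that the web server writes Apache/Nginx "combined" format logs; the user export, the allowlist of known administrators and the log lines are all constructed for the demonstration.

```python
"""Audit helpers for the WordPress checklist: unknown administrator accounts
and suspicious login activity in the access log.

Added example, not code from the original article. Sample data is constructed.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed export in the shape produced by `wp user list --format=json`.
SAMPLE_USERS_JSON = """[
  {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com", "roles": "administrator"},
  {"ID": 7, "user_login": "editor.jane", "user_email": "jane@example.com", "roles": "editor"},
  {"ID": 42, "user_login": "wp_supp0rt", "user_email": "x@mail.invalid", "roles": "administrator"}
]"""

# Accounts the site owner knows they created (constructed allowlist).
KNOWN_ADMINS = {"siteadmin"}


def unknown_admins(users_json, known_admins):
    """Logins holding the administrator role that are not on the owner's allowlist."""
    users = json.loads(users_json)
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"] not in known_admins
    )


# Apache/Nginx "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log excerpt: a credential-stuffing burst that eventually succeeds
# and is followed by admin-area access, a normal login, and XML-RPC traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2026:01:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2026:01:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2026:01:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2026:01:02:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2026:01:03:00 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9000 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2026:08:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2026:08:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jun/2026:09:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.5"
192.0.2.33 - - [10/Jun/2026:09:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.5"
"""


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_activity(log_text, failed_login_threshold=3):
    """Flag repeated failed logins, logins that succeed only after such a burst,
    XML-RPC use, and admin-area paths touched by the bursting IP.
    WordPress re-renders the form with 200 on a failed wp-login.php POST and
    answers a successful one with a 302 redirect."""
    failed = Counter()
    success_after_failures = set()
    xmlrpc = Counter()
    admin_by_ip = defaultdict(set)
    for r in parse_log(log_text):
        if r["path"].startswith("/wp-login.php") and r["method"] == "POST":
            if r["status"] == "200":
                failed[r["ip"]] += 1
            elif r["status"] == "302" and failed[r["ip"]] >= failed_login_threshold:
                success_after_failures.add(r["ip"])
        elif r["path"].startswith("/xmlrpc.php"):
            xmlrpc[r["ip"]] += 1
        elif r["path"].startswith("/wp-admin/"):
            admin_by_ip[r["ip"]].add(r["path"])
    return {
        "bruteforce_ips": sorted(ip for ip, n in failed.items() if n >= failed_login_threshold),
        "bruteforce_then_success": sorted(success_after_failures),
        "xmlrpc_ips": sorted(xmlrpc),
        "admin_paths_by_bruteforce_ip": {
            ip: sorted(admin_by_ip[ip]) for ip in success_after_failures if ip in admin_by_ip
        },
    }


if __name__ == "__main__":
    print("Unknown admins:", unknown_admins(SAMPLE_USERS_JSON, KNOWN_ADMINS))
    print(json.dumps(suspicious_activity(SAMPLE_LOG), indent=2))
```

On a real site, pipe the output of `wp user list --format=json` into `unknown_admins` and the web server's access log into `suspicious_activity`; an IP that logs in only after a burst of failures and then visits plugin-install.php is exactly the pattern to follow up on, because a stolen or guessed password plus a freshly installed plugin is how a site ends up serving someone else's JavaScript.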

Community discussion on cybersecurity forums has praised the collaboration between the Dutch police, FBI, and RCMP. However, many security professionals note the long-term challenge posed by the massive pool of leaked credentials that allow such infections to persist. Cleaning 15,000 sites is significant, but the underlying credential exposure problem remains unsolved.

Frequently Asked Questions

How do I know if my WordPress site was infected with SocGholish?

Check for unknown admin accounts, unexpected JavaScript files, and redirects to fake update pages. The Dutch police contacted affected site owners directly. If you weren't notified but suspect infection, scan your site with security plugins and review server logs.
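The three symptoms named in this answer (scripts loaded from hosts the site does not use, redirects to external pages, and script files sitting where only media belongs) can be checked with a file-system scan. The script below is an added example written for this article, not a tool from the Dutch police, BleepingComputer or any security plugin. It assumes a standard WordPress layout (`wp-content/themes`, `wp-content/uploads`) and an allowlist of hosts the site legitimately loads scripts from; every hostname, path and file body it creates is constructed for the demonstration and carries no real indicator.

```python
"""Scan a WordPress document root for script tags from unexpected hosts,
redirects to external pages, and executable files under wp-content/uploads.

Added example, not code from the original article. All sample content is constructed.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)', re.I)
# window.location / location.href assignments and <meta http-equiv="refresh"> targets
REDIRECT_RE = re.compile(
    r'(?:location(?:\.href)?\s*=\s*|http-equiv\s*=\s*["\']refresh["\'][^>]*url=)'
    r'["\']?((?:https?:)?//[^"\'\s>;]+)', re.I)
SCAN_EXT = {".php", ".html", ".htm", ".js"}
UPLOAD_BAD_EXT = {".js", ".php"}  # the media folder should never hold code


def external_host(url):
    """Host of an absolute or protocol-relative URL; None for a relative path."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def scan_file(path, allowed_hosts):
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    for src in SCRIPT_SRC_RE.findall(text):
        host = external_host(src)
        if host and host not in allowed_hosts:
            findings.append((path, "external-script", host))
    for url in REDIRECT_RE.findall(text):
        host = external_host(url)
        if host and host not in allowed_hosts:
            findings.append((path, "external-redirect", host))
    return findings


def scan_tree(root, allowed_hosts):
    """Walk the document root; return sorted (file, kind, detail) tuples."""
    findings = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if path.startswith(uploads) and ext in UPLOAD_BAD_EXT:
                findings.append((path, "script-in-uploads", ext))
            if ext in SCAN_EXT:
                findings.extend(scan_file(path, allowed_hosts))
    return sorted(findings)


def build_sample_site():
    """Constructed WordPress tree: a clean template, a tampered one, and a
    stray .js file in the uploads folder."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/header.php":
            '<script src="/wp-includes/js/jquery.js"></script>\n'
            '<script src="https://www.example.com/assets/app.js"></script>\n',
        "wp-content/themes/demo/footer.php":
            '<script src="//static.injected-host.invalid/update.js"></script>\n'
            '<script>window.location = "https://update-page.invalid/update";</script>\n',
        "wp-content/uploads/2026/06/photo.jpg": "not really a jpeg\n",
        "wp-content/uploads/2026/06/loader.js": "/* stray script in media dir */\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def sample_findings():
    """Scan the constructed site; paths are returned relative to its root."""
    root = build_sample_site()
    allowed = {"www.example.com"}  # hosts this site legitimately loads scripts from
    return [(os.path.relpath(p, root), kind, detail)
            for p, kind, detail in scan_tree(root, allowed)]


if __name__ == "__main__":
    for rel, kind, detail in sample_findings():
        print(f"{kind:18} {detail:32} {rel}")
```

Run it against the real document root with `scan_tree("/var/www/html", {"www.yoursite.example"})`, adding any CDN or analytics hosts the site genuinely uses to the allowlist. Injected loaders are often obfuscated and may build the target URL at runtime, so a clean result from this scan is not proof of a clean site; it is a fast first pass that surfaces the obvious cases the answer above describes, after which modified-file timestamps and a comparison against a known-good copy of the theme finish the job.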

Can SocGholish infect visitors who don't download the fake update?

The primary infection vector requires users to download and run the fake browser update. However, compromised sites may host additional malicious scripts, so visiting an infected site carries risk.

Will Evil Corp rebuild this infrastructure?

Likely yes. Cybercrime groups typically rebuild after takedowns, though enforcement actions increase their operational costs and disrupt ongoing campaigns. Operation Endgame's sustained pressure aims to make rebuilding progressively harder.

How many sites remain infected with SocGholish globally?

The exact number is unknown. This operation cleaned nearly 15,000 sites, but SocGholish has operated since 2017, and the 1.4 million websites with leaked credentials suggest that the potential infection pool is much larger.

Logicity's Take

The SocGholish cleanup highlights a strategic shift in cybercrime enforcement. Rather than chasing ransomware gangs after attacks, Operation Endgame targets the delivery infrastructure that makes attacks possible. This is smart. Droppers like SocGholish are force multipliers. Taking them down disrupts multiple criminal operations simultaneously. The real question is sustainability. Law enforcement cleaned 15,000 sites, but 1.4 million remain vulnerable through leaked credentials alone. Until credential hygiene improves across the web, this becomes a recurring battle.

Need Help Implementing This?

If you're managing WordPress infrastructure and need help auditing for SocGholish indicators or implementing the security measures recommended by Dutch police, contact our team for guidance on security assessments and remediation strategies.

Huma Shazia

Senior AI & Tech Writer
