Authorities Seize SocGholish Malware Network: Dismantle Servers
Authorities have dismantled the criminal infrastructure behind SocGholish, a malware framework active since 2017 and known as one of the most persistent. The operation resulted in the seizure of 106 servers and 101 domains, and the remediation of nearly 15,000 infected websites worldwide.
The coordinated takedown was executed as part of Operation Endgame, launched in 2024 and recognized as the largest international operation ever conducted against ransomware and cybercrime.
Law enforcement agencies from the Netherlands (NHTCU), Canada (RCMP), the United States (FBI), and Germany (BKA), with support from Europol and Eurojust, conducted a joint action week that crippled SocGholish’s botnet infrastructure by seizing servers and taking over malicious domain names.
Operation Endgame Delivers Major Blow
“With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide,” said Maikel Rollman of the National High Tech Crime Unit (NHTCU). “This marks the beginning of further action against SocGholish.”
SocGholish, also widely known as “FakeUpdates,” is a sophisticated JavaScript malware framework that targets visitors of compromised legitimate websites.
Threat actors inject malicious JavaScript into hacked WordPress sites, presenting visitors with convincing fake browser update prompts. Once a victim downloads and executes the fake update file, the malware establishes a backdoor connection to attacker-controlled infrastructure, enabling deployment of Remote Access Trojans (RATs), infostealers, Cobalt Strike beacons, and ransomware strains targeting critical infrastructure.
WordPress, powering over 43% of all websites on the internet, presents an enormous attack surface. In this operation, login credentials from 1.4 million WordPress sites were found to have been leaked, rendering them highly susceptible to SocGholish infection.
Authorities confirmed that 14,971 websites, including those of restaurants and auto-garages providing everyday services, were actively infected and have since been remediated.
Dutch police removed backdoors and malware from all identified infected WordPress sites and notified affected owners through platforms including HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation, and NCSC Netherlands. Affected WordPress site owners are strongly urged to:
- Immediately change all login credentials
- Enable multi-factor authentication (MFA)
- Delete any unknown or unauthorized WordPress admin accounts
- Keep WordPress core, plugins, and themes fully updated
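The infection chain described above starts with JavaScript injected into the theme or page output of a compromised WordPress site, and the remediation performed by the Dutch police amounted to finding and removing that injected code. The following script is an added example for site owners auditing their own installation; it is not code from the article, from law enforcement, or from any SocGholish sample. It walks a site's PHP, HTML and JS files and flags two generic indicators: script tags loading from hosts outside the site's own allowlist, and inline scripts that use common obfuscation idioms or carry long base64-style blobs. The allowlist, the host names and the two sample pages are constructed for the demonstration; the heuristics are generic and will need tuning against a real theme before being trusted.

```python
"""Scan a WordPress document root for injected <script> tags (added example, not from the article)."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed allowlist: hosts this site legitimately loads scripts from. Replace with your own.
SITE_ALLOWLIST = {"example-restaurant.test", "cdn.jsdelivr.net"}

# Script tag whose src points at an external host (relative paths such as /wp-includes/... are treated as local).
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
# Inline script bodies.
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
# Generic obfuscation idioms seen in injected loaders; not specific to any one malware family.
OBFUSCATION_RE = re.compile(
    r'\beval\s*\(|\batob\s*\(|String\.fromCharCode|document\.write\s*\(\s*unescape'
    r'|\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){7,}', re.I)
# A long run of base64-alphabet characters inside a script body.
BLOB_RE = re.compile(r'[A-Za-z0-9+/=]{200,}')


@dataclass
class Finding:
    path: str
    line: int
    reason: str
    snippet: str


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_text(path: str, text: str, allowlist=SITE_ALLOWLIST) -> list:
    """Return findings for one file's contents. Pure function so it can be tested offline."""
    findings = []
    # 1. External script sources not on the allowlist.
    for m in SCRIPT_SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host not in allowlist:
            findings.append(Finding(path, _line_of(text, m.start()),
                                    f"external script host not in allowlist: {host}",
                                    m.group(0)[:80]))
    # 2. Obfuscated inline scripts. For a .js file the whole file is the script body.
    if path.lower().endswith(".js"):
        bodies = [(0, text)]
    else:
        bodies = [(m.start(), m.group(1)) for m in INLINE_SCRIPT_RE.finditer(text)]
    for offset, body in bodies:
        if OBFUSCATION_RE.search(body) or BLOB_RE.search(body):
            findings.append(Finding(path, _line_of(text, offset),
                                    "obfuscated inline script (eval/atob/fromCharCode/long blob)",
                                    body.strip()[:80]))
    return findings


def scan_directory(root: str, allowlist=SITE_ALLOWLIST,
                   exts=(".php", ".html", ".htm", ".js")) -> list:
    """Recursively scan a document root; unreadable files are skipped, not fatal."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(str(p), text, allowlist))
    return findings


# Constructed sample pages for offline demonstration.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.jsdelivr.net/npm/somelib.js"></script>
<script>window.cfg = {"theme": "dark"};</script>
</head><body>Menu</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src='https://updates.constructed-bad-host.test/loader.js'></script>
</head><body>
<script>var p=document.createElement('script');p.src=atob('aHR0cHM6Ly9leGFtcGxlLnRlc3Q=');document.head.appendChild(p);</script>
Menu</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan_text("clean.html", CLEAN_PAGE) + scan_text("footer.php", INJECTED_PAGE)
    for f in results:
        print(f"{f.path}:{f.line}: {f.reason}\n    {f.snippet}")
```

Run it with the document root as the only argument (`python scan_injected.py /var/www/html`) and review every hit by hand; a finding in a theme file such as `footer.php` or `header.php` that the site owner did not put there is exactly the kind of injection the takedown remediated, and removing it without also rotating credentials and deleting unknown admin accounts (the steps listed above) leaves the door open for re-infection.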
SocGholish is linked to Evil Corp, the Russian cybercriminal group previously responsible for the Zeus and Dridex banking malware campaigns and implicated in multiple large-scale ransomware and money-laundering operations. The Center for Internet Security has identified SocGholish as the top malware downloader, accounting for 60% of all such attacks globally.
Protecting Against Fake Updates
Users can protect themselves by never trusting unsolicited browser pop-ups demanding software updates, always downloading updates exclusively from official system settings or app stores, and ensuring antivirus software remains active and up to date. Legitimate updates never use alarmist, high-pressure messaging demanding immediate action.
Operation Endgame continues to expand its scope, with law enforcement signaling that this takedown is not a conclusion but a launching pad for further targeted enforcement actions against SocGholish operators and affiliated cybercriminal networks.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.