Police Clean Nearly 15,000 SocGholish-Infected Sites, Takedown 100+ Servers Tied to Evil Corp
International law enforcement agencies have cleaned malware from nearly 15,000 WordPress sites and taken down over 100 servers linked to the SocGholish botnet and the Russian cybercrime group Evil Corp.

International law enforcement agencies have cleaned nearly 15,000 malware-infected WordPress websites and taken down more than 100 servers linked to the SocGholish botnet and the Russian cybercrime group Evil Corp. The joint action, supported by Europol and Eurojust, was part of Operation Endgame, a major law enforcement operation targeting cybercrime infrastructure.
Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline. The Dutch police removed the malware and backdoors from the infected sites, and advised website owners to change their credentials, enable multi-factor authentication, delete unknown WordPress accounts, and keep their sites up to date.
"With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware," said Maikel Rollman of the Netherlands' National High Tech Crime Unit. "It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish."
The SocGholish JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017. It works by hijacking legitimate websites—primarily WordPress sites—and tricking visitors into downloading malicious payloads disguised as fake browser updates. When a user installs the malicious update, the malware opens a connection to the attackers, giving them access to the infected system.
SocGholish has been used to deploy other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult. The malware has been previously linked to Evil Corp, a Russian cybercrime gang active since 2007 that has been associated with the Zeus and Dridex malware families and was behind the WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker ransomware operations.
In November, as part of Operation Endgame, law enforcement agencies also took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations. Earlier phases of Operation Endgame targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and various other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC.
This operation underscores the ongoing collaborative effort to disrupt Evil Corp's criminal operations at scale. The takedown of over 100 servers and the cleaning of nearly 15,000 infected sites represent a significant blow to infrastructure that has been used to distribute ransomware and other payloads for years.
The Dutch National Police announced the takedown, which also included notifying the owners of the nearly 15,000 compromised WordPress sites and cleaning the sites. Infoblox researchers noted that the group tracked as TA569 may have controlled up to a million sites over its history, and while the action will disrupt SocGholish operations, whether the group rebuilds its infrastructure or shifts to new delivery models remains to be seen.