Law enforcement agencies from the Netherlands, Canada, the United States, and Germany have executed a coordinated operation against the SocGholish malware distribution network, resulting in the remediation of nearly 15,000 infected websites and the seizure of 106 servers and domains. The action, conducted under Operation Endgame with support from Europol and Eurojust, targeted infrastructure used by the cybercriminal group Evil Corp to distribute malware through compromised WordPress websites.
SocGholish, also known as FakeUpdates, has operated since 2017 as an initial access tool for broader cybercriminal campaigns. The malware spreads when visitors to compromised WordPress sites encounter fake software update prompts disguised as legitimate browser updates. Attackers typically gain access to websites by exploiting weak passwords, stolen credentials, or vulnerable configurations. Once a site is compromised, malicious code is inserted that presents fraudulent update notifications to visitors.
The technical operation involved disabling the SocGholish botnet by seizing control of command and control domains and taking associated servers offline. Investigators noted that login credentials for approximately 1.4 million WordPress websites have been leaked, creating significant risk given that WordPress powers more than 43 percent of websites globally. The infected sites included everyday service providers such as restaurants and automotive repair businesses. When users download and install the fake updates, the malware establishes persistent access to victim systems, enabling attackers to deploy additional malicious software including various ransomware strains.
The disruption has impacted operations linked to Evil Corp, a group previously associated with Zeus and Dridex malware campaigns, as well as multiple ransomware and money laundering operations. SocGholish has been used to deploy ransomware that has affected organizations and critical infrastructure worldwide. The Dutch National High Tech Crime Unit confirmed that malware and backdoors have been removed from affected websites and that owners have been notified through a large-scale victim notification campaign.
Authorities recommend that website owners immediately change all passwords, enable multi-factor authentication, update WordPress core files and plugins, and conduct security audits to identify potential compromises. Users are advised not to trust browser pop-ups requesting immediate software updates and should only obtain updates through official application stores, system settings, or verified vendors. Operation Endgame, launched in 2024, represents the largest international effort to combat ransomware and cybercrime, bringing together law enforcement from nine countries with continued cooperation between public agencies and private-sector cybersecurity organizations.
Source: https://thecyberexpress.com/socgholish-malware-hit-in-operation-endgame/