International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp cybercrime group in a new action under Operation Endgame.
KEY FACTS
- Scope: Authorities cleaned 14,971 compromised WordPress sites.
- Seizures: They took 106 servers and domains offline.
- Agencies: The action involved the Netherlands, Canada, the United States, and Germany.
- Malware: SocGholish is a JavaScript downloader also known as FakeUpdates and GhoLoader.
The operation was supported by Europol and Eurojust. The Dutch police removed the malware and backdoors from infected sites and advised website owners to change credentials, enable multi-factor authentication, delete WordPress accounts they do not recognize, and keep their WordPress installations updated.
A press release from the Netherlands' National High Tech Crime Unit said the move was meant to block criminal access to infected systems and reduce the risk that they are used for attacks on critical infrastructure and other essential services.
SocGholish has been active since at least 2017. It compromises legitimate websites, mainly WordPress sites, injects JavaScript into their pages, and presents visitors with a fake browser-update prompt that delivers malicious payloads. Once a victim runs the fake update, the malware connects back to the operators and can be used to drop other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chthonic, and Azorult.
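The injection step described above leaves a footprint a site owner can look for: a script tag in a theme or plugin file that loads from a host the site never used, or an obfuscated loader pasted into a PHP template. The scanner below is an added example, not code from the operation or from the article; it walks a WordPress tree, flags external script sources outside an allowlist and a few common obfuscation patterns, and runs against constructed sample files written to a temporary directory. The allowlisted hosts, the sample file names and the `example-attacker.test` host are assumptions for the illustration, not indicators taken from any real campaign.

```python
"""Scan a WordPress document root for injected JavaScript of the kind
fake-update campaigns plant in theme and plugin files.

Added example; not from the operation or the article. Hits are leads
for manual review, not proof of compromise.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from. Assumption for the
# example; a real deployment derives this from its own theme and plugin set.
ALLOWED_SCRIPT_HOSTS = {"example.org", "www.example.org", "cdnjs.cloudflare.com"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Patterns typical of injected loaders: eval over a decoded string, long
# char-code-built strings, document.write of an unescaped blob.
SUSPICIOUS_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*(?:base64_decode|atob)\s*\(", re.IGNORECASE),
    "fromcharcode": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}", re.IGNORECASE),
    "document_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE),
}

SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def external_script_hosts(text):
    """Return hosts of <script src> tags that are not in the allowlist."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(text):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:                  # relative path, e.g. /wp-includes/js/...
            continue
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            hosts.add(host.lower())
    return hosts


def scan_text(text):
    """Return a list of (finding_type, detail) tuples for one file's contents."""
    findings = [("external_script", h) for h in sorted(external_script_hosts(text))]
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            findings.append(("obfuscation", name))
    return findings


def scan_tree(root):
    """Walk a WordPress tree; return {relative_path: findings} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


# Constructed sample files standing in for a site root. The injected lines are
# made-up illustrations of the pattern, not a real malware sample.
SAMPLE_FILES = {
    "wp-content/themes/demo/header.php": (
        "<html><head>\n"
        "<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js'></script>\n"
        "<script src=\"/wp-includes/js/wp-embed.min.js\"></script>\n"
        "<script src='//updates.example-attacker.test/loader.js'></script>\n"
        "</head>"
    ),
    "wp-content/themes/demo/footer.php": (
        "<?php echo 'ok'; ?>\n<script>eval(atob('ZG9jdW1lbnQud3JpdGUoMSk='));</script>"
    ),
    "wp-content/plugins/clean/clean.php": "<?php // nothing unusual ?>",
    "wp-content/uploads/photo.jpg": "not scanned",
}


def build_sample_root():
    """Write SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Scan the constructed tree and return the findings dict."""
    return scan_tree(build_sample_root())


if __name__ == "__main__":
    for path, findings in sorted(run_demo().items()):
        for kind, detail in findings:
            print(f"{path}: {kind} -> {detail}")
```

On a real site, point `scan_tree` at the document root and fill the allowlist from the hosts the installed theme and plugins are known to use; injected loaders also commonly live in the `wp_options` and `wp_posts` tables, so a database sweep with the same `scan_text` function belongs alongside the file scan.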
The malware has been linked to Evil Corp, a Russian cybercrime group active since 2007. The group has been associated with Zeus and Dridex and with ransomware operations including WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker.
Operation Endgame has targeted other malware infrastructure before, including Rhadamanthys, VenomRAT, Elysium, Smokeloader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC.
WHY IT MATTERS
The takedown removed a large infection chain used to spread malware through trusted websites and reduced access to infrastructure linked to a long-running cybercrime network. It also gives site owners a checklist for limiting reinfection and account abuse.