
Police Take Down SocGholish Malware Network Tied to Evil Corp

Published on
June 19, 2026

International law enforcement agencies have dismantled a major SocGholish malware operation. Investigators cleaned the infection from nearly 15,000 WordPress websites and seized more than 100 servers and domains. The action, carried out under Operation Endgame, marks one of the most significant strikes yet against infrastructure linked to the Russian cybercrime group Evil Corp.

Authorities from the Netherlands, Canada, the United States, and Germany coordinated the operation, with support from Europol and Eurojust. They removed SocGholish malware and backdoors from 14,971 compromised WordPress sites and took 106 servers and domains offline. The action cuts off a distribution channel that has infected victims since at least 2017.

What the SocGholish Takedown Targeted

The operation focused on the backbone of the SocGholish malware distribution chain, not on individual victims. Each country contributed a different part of the response. The Netherlands' National High Tech Crime Unit led the cleanup of infected WordPress sites, while Canadian, American, and German agencies supported the seizure of servers and domains.

This combination of remediation and infrastructure seizure sets the action apart from a typical malware advisory. Investigators did not just warn website owners about an active threat. They removed malicious code from thousands of live sites and pursued the servers powering the campaign, aiming to disrupt the operation at its root.

Maikel Rollman of the Netherlands' National High Tech Crime Unit said the action denies cybercriminals access to infected systems. This limits further damage to digital infrastructure used by citizens, businesses, and organizations worldwide. He added that it reduces the risk of compromised systems being repurposed for attacks on critical infrastructure, and confirmed that further action against SocGholish is planned.

How SocGholish Malware Spreads

SocGholish operates as a JavaScript-based malware loader, also tracked under the names FakeUpdates and GhoLoader. Its operators compromise legitimate websites, most often those built on WordPress, and inject JavaScript into them so that visitors are shown a fake browser update prompt.

A visitor who accepts the prompt downloads and runs a file disguised as the update. That file is the loader: once executed, it beacons back to attacker-controlled infrastructure and gives the operators a foothold on the victim's machine without any further interaction. Note that this step is social engineering, not a browser exploit. The injected page does not compromise the browser; it relies on the victim executing the download, and it works because people are used to trusting routine update prompts far more than they trust unsolicited emails.

Once installed, SocGholish has served as a delivery mechanism for several secondary payloads, including Dridex, DoppelPaymer, Empire, Koadic, Chthonic, and Azorult. This flexibility made it valuable for initial access: operators could deploy a different payload depending on the target and the desired outcome.
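Because the victim-facing part of the chain is an injected script on a site the owner believes is clean, the check a site operator most wants is a way to spot foreign `<script>` tags in rendered pages or theme files. The scanner below is an added example written for this article, not code from the investigation or from any WordPress project. It parses HTML with the standard library, flags external scripts whose host is not on a per-site allow-list, and flags inline scripts carrying generic obfuscation markers (`eval`, `String.fromCharCode`, long runs of `\x` escapes, and so on). The sample page, the allow-list hosts (`example-site.test`, `cdn.example-site.test`) and the `.invalid` loader host are constructed for illustration, and the heuristics are deliberately generic rather than SocGholish-specific indicators.

```python
"""Flag injected <script> tags in site HTML or WordPress theme output.

Added example for this article. The allow-list, the sample page and the
obfuscation heuristics are constructed assumptions, not indicators taken
from the SocGholish investigation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Generic markers of obfuscated inline loaders. Heuristic only: legitimate
# code can trip them, so treat a hit as "review this", not "malicious".
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # 8+ consecutive \xNN escapes
]


class ScriptCollector(HTMLParser):
    """Collect every <script> tag's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # dicts: {"src": str | None, "body": str}
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append({"src": self._src, "body": "".join(self._buf)})
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (reason, detail) tuples for scripts that deserve a look."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname   # handles //host/x.js too
            if host is None:                          # relative path, same origin
                continue
            if host not in allowed_hosts:
                findings.append(("unknown-host", script["src"]))
        else:
            hits = [p.pattern for p in OBFUSCATION_PATTERNS if p.search(script["body"])]
            if hits:
                findings.append(("obfuscated-inline", "; ".join(hits)))
    return findings


# Constructed sample: two legitimate scripts, one benign inline snippet,
# one injected remote loader and one obfuscated inline stub.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-site.test/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
</head><body>
<p>Welcome</p>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//updates-check.invalid/loader.js"></script>
<script>var _0x=["\\x66\\x61\\x6b\\x65\\x75\\x70\\x64\\x61\\x74\\x65"];eval(String.fromCharCode(100,111));</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"{reason}: {detail}")
```

Run it against `curl`-fetched pages or against theme and plugin files under `wp-content`; a script pointing at a host you never configured, or an inline blob that only makes sense after several layers of decoding, is exactly the artifact this kind of compromise leaves behind.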

The Evil Corp Connection

SocGholish has been linked repeatedly to Evil Corp, a Russian cybercrime group active since 2007. The group built its reputation on the Zeus and Dridex malware families before expanding into ransomware.

Investigators tie Evil Corp to several major ransomware strains, including WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker. The group has deployed each one in high-value attacks against businesses, with Phoenix CryptoLocker notably hitting an insurance company in a previous incident.

Evil Corp has also repeatedly rebranded its ransomware under different names, a tactic that has historically helped it dodge sanctions and law enforcement attention. That history makes this latest disruption notable, because it targets infrastructure directly instead of waiting for a single ransomware brand to resurface.

Guidance for Affected Website Owners

Dutch police did not stop at removing the malware. Website owners whose sites the operation cleaned received specific guidance to prevent reinfection. Authorities advised changing all account credentials and enabling multi-factor authentication. They also recommended deleting any unrecognized WordPress accounts that attackers may have created.

Keeping WordPress core software, themes, and plugins updated featured prominently in the guidance too. Outdated WordPress installations remain a common entry point for this kind of compromise, and an unpatched vulnerability lets attackers walk straight back in after a cleanup. The same applies to anything the attackers left behind: removing the injected script is not enough if a backdoor, a rogue administrator account, or a modified plugin still gives them access. Any WordPress operator, not just those hit in this takedown, should treat these steps as a baseline.

Part of a Larger Law Enforcement Pattern

This SocGholish malware disruption fits into the broader scope of Operation Endgame, an international initiative that has targeted cybercrime infrastructure repeatedly over the past two years. In November, the same operation took down more than 1,000 servers connected to the Rhadamanthys, VenomRAT, and Elysium botnet operations.

Earlier phases of Operation Endgame dismantled ransomware supply chain infrastructure and detained customers of the Smokeloader botnet. The initiative also seized the AVCheck platform, a site cybercriminals used to test malware against antivirus detection. Other operations under the same umbrella have disrupted DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC.

These operations combine technical takedown with public guidance for affected users. That pattern suggests law enforcement agencies are treating malware infrastructure as a target in its own right. Rather than waiting for ransomware deployment or data theft to occur, they are acting earlier in the chain.

What This Means Going Forward

The scale of this takedown is significant: nearly 15,000 cleaned websites and over 100 seized servers. It represents a real disruption to one of the longer-running malware distribution chains still active today. But Rollman's comment that this marks only the beginning of further action against SocGholish stands out. It suggests investigators see this as one phase of an ongoing effort, not a conclusive end to the threat.

For organizations running WordPress sites, the takedown is a reminder that website compromise often happens quietly. Visitors get targeted, not the site owner directly. Regular monitoring, strong credential hygiene, and prompt patching remain the most reliable defenses against becoming the next entry point in a campaign like this one.
