PROBABLYPWNED
Threat Intelligence · June 19, 2026 · 3 min read

Operation Endgame Dismantles SocGholish: 106 Servers Seized

International law enforcement seizes 106 servers and 101 domains behind SocGholish malware framework, cleaning up 15,000 infected WordPress sites. Evil Corp connection confirmed.

Alex Kowalski

Operation Endgame has struck again. Law enforcement agencies from four countries seized over 100 command-and-control servers and more than 100 domains powering SocGholish, one of the most prolific malware distribution frameworks active since 2017. The coordinated takedown also remediated nearly 15,000 infected websites worldwide.

The action represents the latest phase of an ongoing campaign against initial access brokers—the criminal operators who compromise networks and sell that access to ransomware gangs.

The Takedown

Agencies from the Netherlands (NHTCU), Canada (RCMP), the United States (FBI), and Germany (BKA) executed the joint operation with support from Europol and Eurojust. According to Hackread's reporting, the operation seized 106 servers and 101 malicious domains while cleaning malicious code from 14,971 compromised websites.

SocGholish—also tracked as FakeUpdates—operated by injecting malicious JavaScript into legitimate, high-traffic websites. Attackers gained access to content management systems like WordPress through stolen credentials or unpatched plugin vulnerabilities. Once inside, they planted profiling scripts that checked that a visitor was a real user before serving malware.

The infection chain relied on traffic distribution services like ParrotTDS and Keitaro to route victims to fake browser update pages. Those pages delivered GhoLoader, which then pulled secondary payloads and installed persistent PHP backdoors.

The Evil Corp Connection

The Center for Internet Security has identified SocGholish as the top malware downloader globally, accounting for 60% of all such attacks. That volume exists because SocGholish functioned as an initial access broker for some of the most notorious ransomware operations.

Law enforcement confirmed the framework fed victims to Evil Corp, LockBit, RansomHub, and WastedLocker. Evil Corp—the Russian cybercriminal group behind Zeus, Dridex, and multiple sanctions-evasion schemes—has long been a priority target for Western intelligence agencies.

This takedown follows similar disruptions of IcedID, Trickbot, and DanaBot infrastructure under Operation Endgame, which launched in 2024 as the largest international operation ever conducted against ransomware and cybercrime.

WordPress Sites Cleaned

The 14,971 remediated websites highlight a persistent problem: outdated CMS installations remain the primary vector for web-based malware distribution. Many site owners had no idea their WordPress instances were serving malware through fake update prompts.

Security teams should audit web properties for:

  • Unknown PHP files in upload directories
  • Modified core CMS files
  • Suspicious scheduled tasks or cron jobs
  • Unfamiliar admin accounts
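A small audit script for the checklist above, added here as an example; it is not part of the article or of any tool it names. It assumes a standard WordPress layout, a hand-built checksum manifest (MANIFEST) and a list of administrator usernames exported separately; the sample site it builds is constructed for the demonstration. In practice the manifest comes from WordPress's published core checksums (for example via `wp core verify-checksums`), and the cron check, which is host-level (`crontab -l`, `wp cron event list`), is left out.

```python
"""Audit a WordPress document root for the indicators in the list above.

Added example, not from the article or any tool it names. MANIFEST and the
demo site are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Pristine contents of two (abbreviated, constructed) core files and the
# manifest built from them. In practice use the vendor's published checksums.
CLEAN_VERSION_PHP = "<?php\n$wp_version = '6.5.2';\n"
CLEAN_LOAD_PHP = "<?php\nrequire_once __DIR__ . '/wp-config.php';\n"
MANIFEST = {
    "wp-includes/version.php": hashlib.sha256(CLEAN_VERSION_PHP.encode()).hexdigest(),
    "wp-load.php": hashlib.sha256(CLEAN_LOAD_PHP.encode()).hexdigest(),
}

# Extensions the web server may execute; none of them belong under uploads/.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_php_in_uploads(site_root: Path) -> list[str]:
    """wp-content/uploads should hold media only; any executable file there is suspect."""
    uploads = site_root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(site_root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS
    )


def find_modified_core(site_root: Path, manifest: dict[str, str]) -> list[str]:
    """Report manifest entries whose on-disk hash differs, or which are missing."""
    return sorted(
        rel for rel, expected in manifest.items()
        if not (site_root / rel).is_file() or sha256_of(site_root / rel) != expected
    )


def find_unknown_admins(admins: list[str], allowlist: set[str]) -> list[str]:
    """admins: usernames holding the administrator role (for example exported with
    `wp user list --role=administrator --field=user_login`)."""
    return sorted(set(admins) - allowlist)


def audit_site(site_root: Path, manifest: dict[str, str],
               admins: list[str], allowlist: set[str]) -> dict:
    return {
        "php_in_uploads": find_php_in_uploads(site_root),
        "modified_core": find_modified_core(site_root, manifest),
        "unknown_admins": find_unknown_admins(admins, allowlist),
    }


def build_demo_site() -> Path:
    """Construct a tiny fake WordPress tree that trips two of the checks."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-demo-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text(CLEAN_VERSION_PHP)
    # Core file with an extra line appended: simulated (inert) tampering.
    (root / "wp-load.php").write_text(CLEAN_LOAD_PHP + "// appended by someone else\n")
    media = root / "wp-content" / "uploads" / "2026" / "06"
    media.mkdir(parents=True)
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (media / "cache.php").write_text("<?php // executable file in the media folder\n")
    return root


if __name__ == "__main__":
    demo = build_demo_site()
    report = audit_site(demo, MANIFEST, ["admin", "alex", "wp_svc_01"], {"admin", "alex"})
    for check, findings in report.items():
        print(f"{check}: {findings or 'clean'}")
```

Run it against a real document root by passing the site path instead of the demo tree; the uploads check is the cheapest and usually the most telling, since media directories have no reason to contain anything the server can execute.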

Why This Matters

SocGholish's takedown won't end the initial access broker ecosystem—other operators will fill the gap. But disrupting 60% of the global malware downloader market, even temporarily, buys defenders time and forces criminal infrastructure to rebuild.

The operation also demonstrates that law enforcement can reach ransomware affiliates and their enablers, even when the principals remain in Russia. Every server seized, every domain sinkholed, and every infected site cleaned represents real friction in the ransomware supply chain.

For organizations wondering whether their sites were affected, check web server logs for connections to known SocGholish infrastructure and review any recently modified JavaScript files in public directories.
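The two checks in the paragraph above, as an added example that is not from the article: a scanner over access-log lines that flags hits involving an indicator domain or a POST to a PHP file under the uploads directory, and a walk over public directories that lists JavaScript files changed within the last N days together with any external hosts they reference. The indicator domains, log lines and site tree here are constructed placeholders; real indicators come from the published IoC lists for the campaign.

```python
"""Scan access-log lines for known-bad hosts and list recently changed JS files.

Added example, not from the article. INDICATOR_DOMAINS, SAMPLE_LOG and the demo
site tree are constructed placeholders.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Placeholder indicator domains (constructed; not real SocGholish infrastructure).
INDICATOR_DOMAINS = {"fakeupdate-cdn.example", "tds-redirect.example"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
HOST_RE = re.compile(r"https?://([^/:\"'\s]+)", re.I)
UPLOADS_EXEC_RE = re.compile(r"^/wp-content/uploads/.*\.(?:php|phtml|phar)(?:\?|$)", re.I)

# Constructed sample lines: a normal page hit, a POST to a PHP file under uploads/,
# a visitor arriving from an indicator domain, and a normal media fetch.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jun/2026:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Jun/2026:08:02:40 +0000] "POST /wp-content/uploads/2026/06/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [19/Jun/2026:08:03:05 +0000] "GET /blog/post-1/ HTTP/1.1" 200 7300 "https://fakeupdate-cdn.example/r/abc" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Jun/2026:08:04:00 +0000] "GET /wp-content/uploads/2026/06/photo.jpg HTTP/1.1" 200 40000 "-" "Mozilla/5.0"',
]


def hosts_in(text: str) -> set[str]:
    """Every hostname appearing in an http(s) URL anywhere in the text, lower-cased."""
    return {m.group(1).lower() for m in HOST_RE.finditer(text)}


def scan_access_log(lines, indicators: set[str]) -> list[dict]:
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        matched = hosts_in(line) & indicators
        if matched:
            findings.append({"line": n, "ip": m["ip"], "reason": "indicator-domain",
                             "hosts": sorted(matched)})
        if m["method"] == "POST" and UPLOADS_EXEC_RE.match(m["path"]):
            findings.append({"line": n, "ip": m["ip"], "reason": "post-to-uploads-php",
                             "hosts": []})
    return findings


def recently_modified_js(public_dir, days: int, own_hosts: set[str], now=None) -> list[dict]:
    """JS files whose mtime falls within the last `days`, with external hosts they mention."""
    public_dir = Path(public_dir)
    cutoff = (now or time.time()) - days * 86400
    out = []
    for p in sorted(public_dir.rglob("*.js")):
        if p.stat().st_mtime < cutoff:
            continue
        foreign = sorted(h for h in hosts_in(p.read_text(errors="replace")) if h not in own_hosts)
        out.append({"file": p.relative_to(public_dir).as_posix(), "external_hosts": foreign})
    return out


def build_demo_public_dir() -> Path:
    """Construct a site tree with one old theme script and one freshly altered library."""
    root = Path(tempfile.mkdtemp(prefix="wp-js-demo-"))
    old = root / "wp-content" / "themes" / "site" / "theme.js"
    old.parent.mkdir(parents=True)
    old.write_text('fetch("https://www.example.com/wp-json/wp/v2/posts");\n')
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(old, (ninety_days_ago, ninety_days_ago))
    fresh = root / "wp-includes" / "js" / "jquery.min.js"
    fresh.parent.mkdir(parents=True)
    fresh.write_text(
        "/* jQuery (abbreviated, constructed) */\n"
        'var api = "https://www.example.com/wp-json/";\n'
        '/* line appended for the demo */ var u = "https://fakeupdate-cdn.example/upd.js";\n'
    )
    return root


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, INDICATOR_DOMAINS):
        print("log:", f)
    for f in recently_modified_js(build_demo_public_dir(), 14, {"www.example.com"}):
        print("js:", f)
```

Feed `scan_access_log` the lines of a real access log and `recently_modified_js` the document root, with `own_hosts` set to the hosts the site legitimately references; a core library such as jquery.min.js changing outside of a WordPress update, or any JavaScript file pointing at a host you do not recognise, is worth a manual look.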
