Operation Endgame Takes Down SocGholish Servers, Cleans 14,971 WordPress Sites
Dutch police, FBI, and international partners seized 106 servers and cleaned nearly 15,000 infected WordPress sites in Operation Endgame, disrupting the SocGholish malware network linked to ransomware and Evil Corp.
Dutch police, working with the FBI, Royal Canadian Mounted Police, German Federal Criminal Police Office, Europol, and Eurojust, disrupted the SocGholish malware network this week in an operation called Endgame. The action took down 106 servers and domains and cleaned 14,971 infected WordPress sites that had been redirecting visitors to fake browser update scams.
According to investigators, the operation uncovered exposed login credentials for approximately 1.4 million WordPress sites. Dutch authorities used their hacking powers to remove backdoors and malware from compromised sites and notified affected site owners, urging them to update WordPress, enable multi-factor authentication, and change passwords.
How SocGholish Worked and Who Was Hit
SocGholish, also known as FakeUpdates, has been active since at least 2017. It abused hacked, legitimate WordPress sites to push convincing fake browser and software update prompts to visitors. When a user clicked the prompt, the malware opened a backdoor on the system, giving attackers initial access that was often used to deploy ransomware and other malicious software.
The infected sites included everyday businesses such as restaurants and car garages, meaning visitors could have been exposed to malware simply by browsing trusted local websites. The operation has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex malware, as well as major ransomware and money-laundering schemes.
- 106 servers and domains taken down
- 14,971 infected WordPress sites cleaned
- Approximately 1.4 million WordPress site credentials exposed
- Operation involved Dutch police, FBI, RCMP, German BKA, Europol, and Eurojust
- SocGholish active since at least 2017
Implications for Ransomware and Cybercrime
Operation Endgame is billed as the largest international operation against ransomware and cybercrime to date. This SocGholish takedown specifically disrupts a key infection chain used by multiple ransomware groups. By breaking the link between thousands of everyday websites and a sophisticated malware-as-a-service ecosystem, law enforcement has reduced the pool of future victims and increased the cost of operating for Evil Corp and its partners.
Maikel Rollman of the Netherlands National High Tech Crime Unit said, "With these actions we deprive cybercriminals of access to infected computer systems." The operation prevents future infections and sends a message that international law enforcement can coordinate to dismantle infrastructure that has been a persistent threat for nearly a decade.
Fact check
- Operation Endgame took down 106 servers and domains and cleaned 14,971 infected WordPress sites. (verified)
- Investigators found exposed login credentials for approximately 1.4 million WordPress sites. (reported)
- SocGholish has been active since at least 2017 and is linked to the Russian cybercriminal group Evil Corp. (verified)
- Operation Endgame is the largest international operation against ransomware and cybercrime to date. (reported)