Operation Endgame Hits Malware Linked to Top Ransomware Gang

Summary
– An international law enforcement operation disrupted the SocGholish malware group, which used thousands of infected websites to distribute malware.
– The takedown, part of Operation Endgame, remediated 15,000 compromised websites and dismantled the associated botnet.
– SocGholish accessed legitimate WordPress sites using leaked credentials, then pushed fake software update pop-ups to infect visitors.
– The SocGholish botnet was regularly used by the Russia-based cybercrime group Evil Corp for ransomware attacks on governments and healthcare.
– Authorities took down 106 servers and domains, and notified website owners to change credentials and apply security patches.
A coordinated international law enforcement operation has successfully dismantled a sprawling malware distribution network linked to one of the world’s most dangerous ransomware gangs. The action targeted the SocGholish malware group, which had compromised thousands of websites to infect unsuspecting visitors.
Announced by Dutch authorities on June 18, this latest phase of Operation Endgame focused on neutralizing a botnet that controlled roughly 15,000 infected websites. Law enforcement remediated the infections on those compromised sites and seized 106 servers and domains associated with the criminal infrastructure.
What makes this takedown particularly significant is the botnet’s connection to Evil Corp, the notorious Russia-based ransomware syndicate. This group has been responsible for a long series of destructive cyberattacks targeting governments, healthcare systems, and major corporations worldwide. SocGholish effectively served as a gateway, funneling victims into Evil Corp’s malicious ecosystem.
The infection method was deceptively simple. According to Proofpoint, which tracks this threat as TA569, SocGholish actors gained access to legitimate WordPress sites using stolen or leaked credentials. Once inside, they injected malicious pop-ups that falsely warned visitors their software was outdated. Users who clicked to install the supposed “update” inadvertently downloaded malware and became part of the botnet, which was then weaponized to deliver ransomware and other payloads to additional targets.
“We deprive cybercriminals of access to infected computer systems,” said Maikel Rollman of the Netherlands National High Tech Crime Unit (NHCTU). “This prevents further damage to the digital systems of citizens, businesses, and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyberattacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.”
The week-long operation was a joint effort involving the NHCTU, the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office (BKA), and the U.S. Federal Bureau of Investigation (FBI). Support came from Europol, Eurojust, and several cybersecurity industry partners.
Dr. Renée Burton, vice president of Infoblox Threat Intel, emphasized the scale of the threat. “SocGholish is not a niche threat. Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks.”
Website owners whose platforms were compromised have been notified and urged to change their login credentials immediately. They are also advised to install all necessary security patches to prevent future breaches. For WordPress site administrators, the general guidance remains clear: use strong, unique passwords, enable two-factor authentication, and keep all plugins and themes updated.
(Source: Infosecurity Magazine)
