International law enforcement agencies have disrupted the infrastructure behind SocGholish, a long-running malware operation linked to the Russian cybercrime group Evil Corp, remediating nearly 15,000 infected websites and taking down more than 100 servers and domains used in the campaign.
The action was carried out as part of Operation Endgame, an ongoing multinational effort targeting cybercriminal networks involved in malware distribution, ransomware attacks, and initial access operations.
Authorities from the Netherlands, United States, Canada, and Germany, supported by Europol and Eurojust, announced that 14,971 compromised websites were cleaned during the operation while 106 servers and domains associated with the malware infrastructure were seized or taken offline.
SocGholish spread through compromised WordPress websites
SocGholish, also known as FakeUpdates, has been active since at least 2017 and is commonly used as an initial access malware platform for broader cybercrime operations.
The malware is typically distributed through compromised WordPress websites. Visitors are presented with fake browser update prompts and tricked into downloading malicious files disguised as legitimate software updates.
Once installed, the malware establishes a connection back to attacker-controlled infrastructure, allowing threat actors to gain unauthorized access to infected systems and deploy additional malware.
According to Dutch police, approximately 1.4 million WordPress credentials have been exposed through various leaks, creating a substantial pool of vulnerable websites that can be hijacked and weaponized for malware distribution.
The nearly 15,000 websites remediated during the operation included legitimate businesses and public-facing services such as restaurants, automotive businesses, and other organizations unknowingly serving malware to visitors.
Operation Endgame 4.0 added to Have I Been Pwned
Following the operation, Have I Been Pwned (HIBP) added a new breach entry titled Operation Endgame 4.0 Data Breach after receiving credential data identified during the investigation.
According to HIBP founder Troy Hunt, authorities provided approximately 154,000 impacted email addresses and more than 500,000 previously unseen passwords recovered during the operation.
The breach entry allows affected users to determine whether their email addresses appeared in datasets uncovered during the SocGholish investigation. The exposed information includes email addresses and passwords.
While HIBP classifies the dataset as a breach for notification purposes, the underlying law enforcement operation focused on disrupting the SocGholish malware ecosystem, remediating compromised websites, and dismantling criminal infrastructure linked to Evil Corp.
The inclusion of more than half a million previously unseen passwords highlights the continued risks associated with credential reuse and compromised website administration accounts.
Evil Corp connection highlights ransomware risk
Authorities linked the malware operation to Evil Corp, a Russian cybercrime organization previously associated with the Zeus and Dridex malware families as well as multiple ransomware campaigns.
According to investigators, SocGholish infections have frequently been used as an initial foothold for deploying more dangerous malware, including ransomware capable of disrupting organizations and critical infrastructure.
The operation therefore targeted not only the malware itself, but also the broader criminal ecosystem that relies on compromised websites and infected endpoints to gain access to victims.
The disruption mirrors other recent law enforcement efforts targeting cybercriminal infrastructure, including the DOJ-led takedown of multiple IoT botnets.
Website owners urged to strengthen security
As part of the operation, authorities notified website owners whose credentials were identified during the investigation and removed malware and backdoors from infected WordPress installations.
Owners were urged to change passwords immediately, enable multi-factor authentication, remove unknown administrator accounts, and ensure WordPress software and plugins remain fully updated.
Officials also warned internet users to be cautious of browser pop-ups claiming that software updates are required, noting that legitimate updates should always originate from official application or operating system update mechanisms.
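The cleanup steps above remove the injected code, but owners also need a way to confirm a page is no longer serving a foreign loader. The following is an added example, not code from the operation or from any of the agencies involved: it assumes SocGholish-style injections appear as script tags pointing at hosts the site owner never configured, or as short inline stubs that decode and evaluate a payload, and it checks a page's HTML against a hypothetical per-site allowlist. Hostnames, the allowlist and the sample pages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this particular site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.com", "cdnjs.cloudflare.com"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Decode-and-run constructs that are common in injected loaders and rare in theme code.
OBFUSCATION_HINTS = ("atob(", "eval(", "String.fromCharCode", "unescape(")


def external_script_hosts(html):
    """Return the set of hostnames referenced by <script src=...> tags (relative paths ignored)."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # handles https://, http:// and protocol-relative // sources
        if host:
            hosts.add(host.lower())
    return hosts


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    findings = []
    for host in sorted(external_script_hosts(html)):
        if host not in allowed_hosts:
            findings.append(f"unexpected external script host: {host}")
    for body in INLINE_SCRIPT.findall(html):
        hits = [hint for hint in OBFUSCATION_HINTS if hint in body]
        if hits:
            findings.append(f"inline script uses {', '.join(hits)}")
    return findings


# Constructed sample of a clean page: one first-party script and one relative theme script.
CLEAN_PAGE = """<html><head>
<script src="https://www.example-shop.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="/wp-content/themes/storefront/assets/js/navigation.js"></script>
</head><body>Welcome</body></html>"""

# Constructed sample of the same page after an injection: a loader from a host the owner
# never configured (placeholder .invalid domain) plus an inline stub that decodes its payload.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="//cdn.placeholder-injected.invalid/loader.js"></script>\n'
    '<script>var p=atob("Li4u");eval(p);</script></head>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_page(page) or ["no findings"])
```

Run it against the rendered HTML of each page (for example fetched with curl), since injections are often placed in theme or plugin files and only become visible in the served output.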
Operation Endgame, launched in 2024, has become one of the largest coordinated international cybercrime disruption efforts ever undertaken. Participating agencies stated that the latest actions represent the beginning of additional enforcement activity targeting the SocGholish ecosystem and the actors behind it.
For organizations concerned about malware-based initial access attacks, understanding how credential theft and malware infections occur remains critical. BreachNews previously examined the growing threat posed by information-stealing malware in this guide.