A coordinated international law enforcement operation has disrupted the SocGholish malware distribution network, cleaning nearly 15,000 infected WordPress sites and seizing over 100 servers linked to the Evil Corp Russian cybercrime syndicate. The operation represents one of the largest takedowns of a web-based malware distribution infrastructure to date.
What Is SocGholish?
SocGholish (also tracked as FakeUpdates) is a JavaScript-based malware framework that has been active since at least 2017. The campaign works by injecting malicious JavaScript into compromised websites — predominantly WordPress installations — that then present visitors with fake browser update prompts.
When a visitor lands on an infected site, SocGholish:
- Fingerprints the victim's environment to assess target value
- Presents a convincing fake update dialog mimicking Chrome, Firefox, or Edge updates
- Delivers a payload — historically NetSupport RAT, but increasingly acting as an initial access broker delivering more sophisticated second-stage malware
- Reports back to C2 infrastructure for tasking and further deployment
Evil Corp operators used SocGholish as a staging mechanism for ransomware deployments, credential theft, and long-term persistent access operations targeting high-value corporate networks.
Scope of the Operation
Law enforcement agencies across multiple countries participated in the coordinated action, which involved:
- ~15,000 WordPress sites disinfected and cleaned of SocGholish JavaScript injections
- 100+ servers seized or taken offline across multiple hosting providers
- Domain sinkholing of C2 infrastructure used for victim check-ins and payload delivery
The scale of the botnet reflects years of accumulated compromised sites — many running outdated WordPress installations or vulnerable plugins that Evil Corp's automation exploited to maintain a persistent web of initial access points.
Evil Corp's Role
Evil Corp is one of Russia's most sanctioned cybercrime groups. The US Treasury Department has designated multiple members, and the group is believed to be responsible for hundreds of millions of dollars in losses globally through ransomware campaigns including Dridex, BitPaymer, WastedLocker, and their successors.
The SocGholish infrastructure served as Evil Corp's primary mechanism for establishing initial access at scale, with the botnet of infected sites acting as a distributed dropper network that bypassed traditional email-based phishing defenses.
What Website Owners Should Do
If you operate a WordPress site, now is the time to audit for SocGholish indicators:
- Check JavaScript files for obfuscated code or unexpected external script references
- Review recently modified PHP and JS files — for example: find /var/www -name "*.js" -newer /etc/passwd
- Audit installed plugins against the official WordPress plugin repository for integrity
- Enable WordPress file integrity monitoring or deploy a WAF with malware scanning
- Update all plugins, themes, and WordPress core to close the entry points Evil Corp exploited
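The first two checks in the list above, as an added example that is not part of the original article or of any vendor tool: a small POSIX shell audit that lists recently modified JS/PHP files under a WordPress document root and flags JS files that either carry common obfuscation markers or load a script from a host other than the site's own. The patterns, the `example.com` host and the sample files are constructed for this example, not SocGholish indicators.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress document root for
# two indicator classes -- recently modified code files, and JS that looks
# obfuscated or pulls a script from an outside host. The regexes below are
# generic heuristics chosen for this example, not campaign-specific IoCs.

# List .js/.php files under $1 modified within the last $2 days (default 7).
# Uses a day window instead of the article's "-newer /etc/passwd" reference file.
wp_recent_files() {
  root="$1"; days="${2:-7}"
  find "$root" -type f \( -name '*.js' -o -name '*.php' \) -mtime "-$days" | sort
}

# Print "<file>\t<reasons>" for every .js file under $1 that matches a heuristic.
# $2 is the site's own hostname; script URLs pointing elsewhere are flagged.
wp_audit_js() {
  root="$1"; own_host="$2"
  find "$root" -type f -name '*.js' | sort | while read -r f; do
    reasons=""
    # Constructs that legitimate theme/plugin code rarely needs but injected
    # loaders often use to hide their real payload URL.
    if grep -qE 'eval\(|String\.fromCharCode|atob\(|unescape\(|document\.write\(' "$f"; then
      reasons="${reasons}obfuscation,"
    fi
    # Any http(s)://host reference whose host is not exactly the site's own.
    if grep -oE 'https?://[A-Za-z0-9.-]+' "$f" \
        | grep -vxF -e "http://$own_host" -e "https://$own_host" \
        | grep -q .; then
      reasons="${reasons}external-ref,"
    fi
    if [ -n "$reasons" ]; then
      printf '%s\t%s\n' "$f" "${reasons%,}"
    fi
  done
}
```

Run as `wp_recent_files /var/www/html 7` and `wp_audit_js /var/www/html your-site.example` and review every flagged file by hand; an external reference to a known CDN is expected, an unfamiliar host inside a theme or plugin file is not.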
Broader Significance
The SocGholish takedown follows a pattern of increasingly aggressive law enforcement action against Russian cybercrime infrastructure in 2026, including the First VPN shutdown, KimWolf botnet dismantling, and Operation PowerOff. While Evil Corp leadership remains in Russia and beyond the reach of extradition, disrupting their tooling and infrastructure imposes meaningful operational costs.
Source: BleepingComputer