In a landmark operation against one of the cybercrime world’s most enduring threats, international law enforcement agencies have dismantled the criminal infrastructure behind SocGholish — also known as FakeUpdates — seizing 106 servers and 101 domains and remediating nearly 15,000 infected websites across the globe. The takedown was executed under the umbrella of Operation Endgame, widely regarded as the largest coordinated international action ever conducted against ransomware enablement and cybercrime infrastructure.
What Is SocGholish?
SocGholish is a sophisticated JavaScript-based malware framework that has been active since at least 2017. Unlike traditional malware distributed via spam emails, SocGholish operates by compromising legitimate, trusted websites — predominantly those running WordPress — and injecting malicious JavaScript code that displays convincing fake browser update prompts to unsuspecting visitors.
When a visitor is tricked into downloading what appears to be a routine browser update, they instead execute a malware loader that establishes a backdoor connection to attacker-controlled infrastructure. This access is then used to deploy a range of secondary payloads including:
- Remote Access Trojans (RATs)
- Information stealers
- Cobalt Strike beacons for advanced persistent access
- Ransomware strains targeting critical infrastructure
The Center for Internet Security (CIS) has consistently identified SocGholish as the top malware downloader globally, accounting for approximately 60% of all such attacks. Its longevity and effectiveness are attributed to its abuse of legitimate websites, which allows it to bypass reputation-based defenses.
The Operation: A Global Law Enforcement Effort
The takedown was the result of coordinated action between multiple national agencies. Law enforcement from the Netherlands (NHTCU), Canada (RCMP), the United States (FBI), and Germany (BKA) — supported by Europol and Eurojust — conducted a joint action week that targeted SocGholish’s botnet infrastructure at its core.
“With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide,” stated Maikel Rollman of the NHTCU. “This marks the beginning of further action against SocGholish.”
Authorities confirmed that 14,971 websites — ranging from restaurants to auto-garages — were actively infected and have been fully remediated. Importantly, investigators also discovered that login credentials from 1.4 million WordPress sites had been leaked and were being leveraged to facilitate new infections, underscoring the scale of WordPress’s exploitation as an attack vector.
Links to Evil Corp and Russian Cybercrime
SocGholish has well-established ties to Evil Corp, a notorious Russian cybercriminal organization previously responsible for the Zeus and Dridex banking malware campaigns, and implicated in multiple large-scale ransomware operations and money-laundering schemes. Evil Corp has faced U.S. Treasury sanctions, and this takedown represents a further blow to the group’s operational capabilities.
What Happens to Infected Website Owners?
Dutch police have taken an unusually proactive approach by actively removing backdoors and malware from all identified infected WordPress sites. Notifications are being sent to affected website owners through major platforms including HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation, and NCSC Netherlands.
Affected website owners are strongly urged to take the following immediate steps:
- Change all WordPress admin credentials immediately
- Enable multi-factor authentication (MFA) on all accounts
- Delete any unknown or unauthorized WordPress admin accounts
- Update WordPress core, all plugins, and themes to their latest versions
- Conduct a full malware scan and review injected JavaScript in theme files
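The last step above, reviewing theme files for injected JavaScript, can be partly automated. The script below is an added illustration, not code from the article or from any of the agencies named; it assumes a per-site allowlist of legitimate script hosts (the `.invalid` names are placeholders) and flags any other external script source plus generic obfuscation markers. The markers are common loader tells, not SocGholish-specific signatures, so every hit needs a human look.

```python
import re
from pathlib import Path

# Hosts this site legitimately loads scripts from (placeholder allowlist; set per site).
ALLOWED_HOSTS = {"example-cdn.invalid", "www.example.invalid"}

# <script ... src="..."> tags; group 1 is the src value.
SCRIPT_TAG = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# Generic obfuscation markers seen in injected loaders (not a malware signature).
SUSPICIOUS = [
    re.compile(r"\beval\s*\(", re.I),
    re.compile(r"\batob\s*\(", re.I),
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),   # long runs of \xNN escapes
]

def host_of(url):
    """Return the host of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else None

def scan_text(text, allowed=ALLOWED_HOSTS):
    """Return (line, kind, detail) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_TAG.finditer(line):
            host = host_of(m.group(1))
            if host and host not in allowed:       # relative srcs have no host
                findings.append((lineno, "external-script", host))
        for pat in SUSPICIOUS:
            if pat.search(line):
                findings.append((lineno, "obfuscation", pat.pattern))
    return findings

def scan_theme(theme_dir, allowed=ALLOWED_HOSTS):
    """Walk a theme directory and map each file with findings to its findings."""
    results = {}
    for path in Path(theme_dir).rglob("*"):
        if path.suffix.lower() in {".php", ".js", ".html"}:
            hits = scan_text(path.read_text(errors="replace"), allowed)
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: a header.php with one legitimate script and one injected loader.
SAMPLE_HEADER = """<head>
<script src="https://example-cdn.invalid/app.js"></script>
<script src="//cdn.attacker.invalid/update.js"></script>
<script>eval(atob("aGVsbG8="));</script>
</head>"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_HEADER):
        print(finding)
```

Run `scan_theme("/path/to/wp-content/themes/yourtheme")` against a known-clean copy first to tune the allowlist, then diff the results against the live site.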
Protecting Against Fake Update Attacks
End users are the last line of defense against SocGholish-style attacks. Key protective behaviors include never clicking unsolicited browser pop-ups demanding software updates, always downloading updates exclusively from official system settings or vendor websites, and keeping antivirus software active and current. Legitimate software updates never use alarmist, high-pressure messaging demanding immediate action in a browser window.
Operation Endgame Continues
Law enforcement agencies have made clear that this action is not the end of Operation Endgame, but rather a continuation of escalating enforcement pressure. Investigators are signaling that further targeted actions against SocGholish operators and their affiliated networks are actively being planned. This takedown follows earlier Endgame actions that dismantled multiple other major malware distribution networks, demonstrating that international cooperation in cybercrime enforcement is reaching unprecedented levels of effectiveness.