Operation Endgame Disrupts SocGholish Malware Infrastructure and Cleans 14,971 Sites
International law enforcement agencies disrupted the SocGholish malware operation, taking 106 servers and domains offline and remediating 14,971 compromised websites as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, targeted infrastructure tied to TA569, the threat actor widely associated with SocGholish, also known as FakeUpdates and GhoLoader. The campaign relied on compromised legitimate websites—especially WordPress and other CMS platforms—to display fake browser update prompts that tricked visitors into installing malware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
HIBP adds Operation Endgame 4.0 breach data
On 2026-06-18, Have I Been Pwned added an Operation Endgame 4.0 breach entry after authorities supplied data from the SocGholish takedown. The dataset contained 154,000 impacted email addresses and more than 500,000 previously unseen passwords.
Shadowserver issues special report for affected WordPress site owners
On 2026-06-18, Shadowserver published a one-off special report tied to the SocGholish Operation Endgame action to notify affected WordPress site owners. The report included remediation guidance such as changing credentials, enabling MFA, removing unauthorized accounts, and patching WordPress and plugins.
Operation Endgame disrupts SocGholish infrastructure
On 2026-06-18, law enforcement agencies from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, announced a coordinated disruption of TA569/SocGholish as part of Operation Endgame. The action took 106 servers and domains offline and remediated 14,971 compromised websites tied to the malware operation.
Proofpoint begins tracking TA569/SocGholish activity
Proofpoint states it has tracked TA569 since 2018, identifying it as a major operator using compromised websites and fake browser update lures to deliver SocGholish and related payloads.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
14 references tracked. Mallory keeps watching after this page renders.
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites
thehackernews.com
Open source14,971 WordPress Sites Cleaned in Global SocGholish Takedown
securityaffairs.com
Open source15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown - SecurityWeek
securityweek.com
Open sourcePolice raid malware network tied to Russia's Evil Corp hacker group | The Record from Recorded Future News
therecord.media
Open sourceInternational law enforcement initiate hunt on malware group SocGholish | politie.nl
politie.nl
Open sourceLaw enforcement hits SocGholish: 106 servers down, 15,000 sites cleaned - Help Net Security
helpnetsecurity.com
Open sourceSocGholish Compromised WordPress Sites Special Report | The Shadowserver Foundation
shadowserver.org
Open sourceSayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation | Proofpoint US
proofpoint.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Endgame Disrupts SocGholish Malware Delivery Network
An Operation Endgame action disrupted the **SocGholish** malware ecosystem by remediating **14,971 compromised websites** and dismantling associated command-and-control infrastructure, according to Orange Cyberdefense. SocGholish, a JavaScript-based downloader linked to the Russian-speaking initial access broker **TA569** and also tracked as **UNC1543**, **Mustard Tempest**, and **GOLD PRELUDE**, has compromised legitimate websites since at least 2017 and used fake browser update prompts to infect visitors. The malware has frequently served as an entry point for follow-on payloads including **Gholoader**, **MintsLoader**, **GhostWeaver**, **AsyncRAT**, **NetSupport RAT**, and ransomware operations such as **LockBit** and **RansomHub**. The disruption targeted a broader cybercrime chain tied to traffic distribution services such as **TA2726**, with reporting also noting copycat activity from **TA2727** distributing **Lumma** and **DeerStealer**, as well as links into the wider financially motivated ecosystem around **Evil Corp**. Defenders were warned that TA569 is likely to rebuild because SocGholish infrastructure rotates rapidly, often every **2 to 5 days**, making continued monitoring essential. Recommended mitigations included patching internet-facing CMS platforms, strengthening credentials, enabling **MFA**, and training users to distrust unsolicited browser update pop-ups that are commonly used as infection lures.
Jun 19, 2026
SocGholish Malware-as-a-Service Platform Distributes Ransomware via Weaponized Software Updates
The SocGholish malware-as-a-service (MaaS) platform, also known as FakeUpdates, has been leveraged by threat group TA569 to distribute ransomware and information-stealing malware through weaponized software updates. Attackers compromise legitimate websites, particularly vulnerable WordPress sites, and use techniques such as domain shadowing to create malicious subdomains on trusted domains. These compromised sites are then used to deliver fake software updates, tricking users into downloading malware payloads including RansomHub and LockBit ransomware, AsyncRAT, and various infostealers. SocGholish acts as an initial access broker, selling access to its infection methods to other criminal groups, including Evil Corp and Russian state-backed actors. Recent campaigns have involved distributing RansomHub ransomware via malicious Google Ads impersonating the HR portal of Kaiser Permanente, resulting in significant breaches at organizations such as Rite Aid and Change Healthcare. The platform's ability to facilitate a range of payloads and its use by multiple threat actors underscore its ongoing threat to organizations worldwide.
Mar 21, 2026
Operation Endgame Disrupts IcedID, SmokeLoader, Trickbot and Other Malware Botnets
An international law enforcement operation dubbed **Operation Endgame** disrupted major malware delivery and botnet infrastructure tied to **IcedID, SmokeLoader, SystemBC, Pikabot, Trickbot**, and remnants of **Bumblebee**, in what Europol and participating agencies described as the largest action of its kind against botnets. Authorities said the networks had been used to spread malware through hundreds of millions of phishing emails and to enable follow-on ransomware attacks and financial fraud, with investigators identifying several million infected computers worldwide over the past year. The coordinated action, supported by **Europol** and **Eurojust**, took down more than **100 servers**, seized over **2,000 domains**, and disinfected more than **10,000** infected systems, while additional operations across multiple countries led to arrests, interrogations, searches, and server seizures. Investigators also identified a key suspect allegedly linked to **69 million euros** in cryptocurrency proceeds, and separate reporting and research highlighted scrutiny of a **SmokeLoader** actor targeted as part of the crackdown.
May 25, 2026