
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites


An international law enforcement collaboration under Operation Endgame has disrupted the infrastructure of the SocGholish malware, taking down 106 servers and cleaning nearly 15,000 compromised WordPress websites.

Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.

"With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said.

"This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish."

The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. It was launched in 2024.

As part of the effort, 106 servers linked to SocGholish have been taken down and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.

Active since 2017 and also known as FakeUpdates, SocGholish is a JavaScript (JS)-based downloader malware that typically serves as a conduit for next-stage malware from various threat actors like Evil Corp (aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak).

"The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage," the U.S. Federal Bureau of Investigation's (FBI) Cyber Division said in a post shared on LinkedIn.

It's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, and other popular software. The operators of the malware have been tracked under various aliases, such as Gold Prelude, Mustard Tempest, Purple Vallhund, TA569 and UNC1543.

"SocGholish infections typically originate from compromised websites that have been infected in multiple different ways," Silent Push noted in an analysis of the malware last year. "Website infections can involve direct injections, where the SocGholish payload delivery injects JS directly loaded from an infected webpage or via a version of the direct injection that uses an intermediate JS file to load the related injection."

In November 2025, Arctic Wolf revealed that SocGholish was being used by the RomCom threat actors to deliver the Mythic Agent, highlighting the use of the initial access broker's services by a broad range of actors with varied motivations.

Figure: IP-geolocated SocGholish compromised WordPress sites per country

Orange Cyberdefense said it has observed SocGholish infections delivering loaders like Gholoader (another JavaScript-based loader) and MintsLoader, which, in turn, lead to the deployment of additional payloads like GhostWeaver, LockBit, AsyncRAT, and NetSupport RAT.

"SocGholish uses a layered delivery model and has been observed enabling multiple categories of follow-on payloads," the cybersecurity company said, adding the threat actor also collaborates with traffic distribution system (TDS) operators like TA2726.

A TDS is a technology that routes site visitors to different destinations depending on attributes of the visitor. Those destinations can range from compromised or fake login websites hosting phishing pages to bogus sites that prompt users to download software updates containing malware, which can then be used to obtain access to victim networks for ransomware or other financial scams.

"Cybercriminals use TDS to bypass traditional firewall rules that would otherwise block connections to malicious websites, and to analyze potential victims for targeting by collecting their IP address, operating system, location, device, and browser information," the FBI said. "After driving users to a TDS, often through various social engineering techniques, cybercriminals can exploit users' devices at the end of the TDS redirection chain by delivering phishing pages, financial scams, and other malware."

Many of the compromised WordPress instances have been modified to include criminal infrastructure operated by SocGholish, according to the Shadowserver Foundation. The vast majority of the hacked sites were located in the U.S., followed by Germany, France, India, Brazil, Singapore, Italy, Indonesia, Canada, and Vietnam.

"The abuse also includes the use of a process known as 'Domain Shadowing,'" the non-profit said. "This is a technique where a threat actor gains access to the authoritative DNS provider or registrar account panel for a legitimate domain, and uses their access to quietly create additional subdomains beneath the main ('apex') domain."

"These malicious subdomains are often given common host names that hide in plain sight and blend in with the domain owner's legitimate DNS infrastructure, but will point to criminal-operated external malicious infrastructure – effectively piggybacking on a domain's established reputation and making it harder for defenders to easily detect or block illicit activity."
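One way a domain owner can look for the pattern Shadowserver describes, as an added example that is not part of the original article: compare the records the authoritative DNS provider returns with a maintained baseline of approved hostnames, owned address blocks and approved CNAME targets, and flag anything unexpected. Every hostname and address below is a constructed placeholder.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of what a DNS provider's API might return for one apex
# domain. example.com and the RFC 5737 addresses are placeholders, not real hosts.
ZONE_RECORDS = [
    {"name": "example.com", "type": "A", "value": "203.0.113.10"},
    {"name": "www.example.com", "type": "A", "value": "203.0.113.10"},
    {"name": "mail.example.com", "type": "A", "value": "203.0.113.25"},
    # Routine-looking name, but it resolves outside the owner's address space.
    {"name": "cdn.example.com", "type": "A", "value": "198.51.100.77"},
    # Not in the inventory, even though its CNAME target is an approved provider.
    {"name": "blog.example.com", "type": "CNAME", "value": "cdn.provider.example"},
    {"name": "vpn.example.com", "type": "A", "value": "203.0.113.30"},
]

# Baseline the domain owner maintains independently of the DNS panel.
APPROVED_NAMES = {"example.com", "www.example.com", "mail.example.com", "vpn.example.com"}
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_CNAME_TARGETS = {"cdn.provider.example"}


def is_owned_address(value: str, owned_networks) -> bool:
    """True if value parses as an IP address inside one of the owned blocks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in owned_networks)


def find_shadowed_subdomains(records: List[Dict[str, str]], approved_names,
                             owned_networks, approved_cnames) -> List[Tuple[str, str]]:
    """Return (hostname, reason) pairs for records that fit the domain-shadowing
    pattern: a hostname absent from the owner's inventory, or one that points to
    infrastructure the owner does not control."""
    findings = []
    for rec in records:
        name, rtype, value = rec["name"], rec["type"], rec["value"]
        reasons = []
        if name not in approved_names:
            reasons.append("hostname not in owner inventory")
        if rtype == "A" and not is_owned_address(value, owned_networks):
            reasons.append(f"A record {value} is outside owned networks")
        if rtype == "CNAME" and value not in approved_cnames:
            reasons.append(f"CNAME target {value} is not approved")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings
```

Running the check on a schedule and diffing against the previous run turns it into an alert on newly created subdomains, which is the quiet change the technique relies on.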

Figure: A simplified view of affiliates that drive potential victims to SocGholish

What's more, the infected websites are frequently exploited by multiple threat actors, exposing unsuspecting site visitors to a sophisticated cluster of potential threats. The malicious behavior exhibited by these sites is dictated by various crucial factors, including the user's country of origin, the type of browser being used, and the underlying operating system.

"TA569 indiscriminately compromises websites and is opportunistic, although sites with higher traffic numbers lead to more victims," Proofpoint said. "The actor has also compromised websites in virtually every industry, from nonprofits and schools, to healthcare and hospitals, to legal and real estate organizations."

DNS threat intelligence firm Infoblox described SocGholish as a multi-stage JavaScript framework that converts compromised websites into drive-by download malware delivery vehicles. The framework is enabled by four main steps: traffic acquisition, traffic filtering, payload lures, and on-device implant execution.

"TA569 compromises a very large number of websites themselves," it said. "But they also accept traffic from affiliates. It's a classic commercial relationship: when a user visits the site, the affiliate typically fingerprints them and then passes potential victims to SocGholish through an embedded link. In return, the affiliate will be paid for these 'leads.'"

Some of the prominent affiliates that have sold traffic to the SocGholish framework over the years include TA2726, Parrot TDS, and JunkyTDS. Threat actors have also employed commercial offerings like Keitaro and zTDS to filter traffic for redirection to SocGholish, or to send visitors to the original website or any other content when they do not match the targeting criteria.

Data from Infoblox shows that approximately 55% of its cloud customers attempted to reach SocGholish infrastructure this year alone, with the attacks targeting almost "every industry sector" over the past five months. Some of the most targeted verticals included government, education, banking, healthcare, non-IT services, financial services, IT consulting, utilities, insurance, and transportation.

"This distribution [...] reinforces that SocGholish is not a niche threat limited to one vertical," the company said. "Instead, its large-scale webinject and TDS ecosystem reaches into both public-sector and commercially important environments, making it a broadly relevant threat across our customer base."

© 2026 Now Let Us. All rights reserved.

Source: The Hacker News

