Emergency: 112
Non-emergency: 0900-8844

International law enforcement initiate hunt on malware group SocGholish

In Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. Within an international cooperation, 14.971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely: Evil Corp.

SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors, with the aim of gaining unauthorized access to their computer systems. WordPress is the world’s most widely used platform for building websites. According to WordPress, more than 43% of all websites on the internet are powered by WordPress. The login credentials of 1.4 million websites have been leaked. That means these sites are vulnerable to malware infection. About 14.971 sites that provide everyday services have been infected with this malware. This includes websites of restaurants or auto‑garages.

Maikel Rollman, National High Tech Crime Unit: 'With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.'

14.971 websites remediated and disruption of the SocGholish botnet

In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.

Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated. In addition, the following actions were carried out:

  • Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).

Call to all WordPress website owners

The Dutch police have removed backdoors and malware from the infected WordPress sites. The owners of these sites have been informed. They are urged to:

  • change their login credentials;
  • enable multi‑factor authentication;
  • delete any unknown additional WordPress accounts;
  • keep their WordPress site up‑to‑date in the future.

Do you also have a WordPress website? Prevent yourself from becoming a victim in the future by applying these security steps.

Prevent your computer from being infected by SocGholish malware

SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs a fake update, the malware opens a connection to the hackers, who subsequently gain access to the computer system. Whit this so-called initial access, even more dangerous software can then be installed.

Tips to prevent infection:

  • Never trust pop‑ups that appear in your browser.
  • Do not trust updates that are overly flashy and scream for immediate action.
  • Ensure your virus scanner is updated and leave it enabled during the installation of new software.
  • A genuine update always comes from the official source, for example via your system settings or the app store.

SocGholish malware and Evil Corp

SocGholish has been a constant threat since 2017 and is used to install malware on users, including various ransomware strains that have been employed to attack critical infrastructures. This has resulted in many victims. This is primarily done by hacking websites built with WordPress and infecting them with malware.

SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.

About Operation Endgame

These actions are part of Operation Endgame. Launched in 2024, Operation Endgame is the largest international operation ever undertaken to combat ransomware and cybercrime worldwide. Operation Endgame brings together law enforcement and judicial authorities from The Netherlands, Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom and Canada, with support from Europol and Eurojust. Together, they work in close coordination across borders to disrupt cybercriminal networks.

Private parties are also closely involved in Operation Endgame. 'The investigative services and the cybersecurity sector need each other greatly to make the digital world as safe as possible and to keep it that way,' says Maikel Rollman (NHTCU). 'That is why we work intensively together with public and private parties. Operation Endgame is a good example and we will continue to work this way in the future.'

For information on the partners and actions of Endgame, visit operation-endgame.com.

 

Share: