[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4TS2sFLQFsjnopNjVf0iGd4wRmHxQNhxLLOC9GXwrHw":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"ac503358-9396-4159-9e09-6501521c487b","Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp","police-cleans-nearly-15-000-socgholish-infected-sites-tied-to-evil-corp-661c1b","International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group. [...]","International law enforcement agencies from the Netherlands, Canada, the US, and Germany successfully removed SocGholish malware from nearly 15,000 compromised WordPress websites and disabled 106 servers and domains as part of Operation Endgame. SocGholish, a JavaScript-based malware downloader also known as FakeUpdates and GhoLoader, has been used since 2017 to hijack legitimate sites and trick users into installing malicious payloads disguised as browser updates. The operation targeted Evil Corp, a Russian cybercrime group linked to major ransomware families including WastedLocker, Hades, and Phoenix CryptoLocker.","International law enforcement cleaned 14,971 SocGholish-infected WordPress sites and shut down 106 servers tied to Evil","Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp By Sergiu Gatlan June 18, 2026 09:25 AM International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group. 
This joint action (supported by Europol and Eurojust) was part of Operation Endgame, a major law enforcement operation targeting cybercrime now aimed at disrupting a key infection chain linked to Evil Corp. Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline. While the Dutch police removed the malware and backdoors from the infected sites, it also advised the website owners to change their credentials, enable multi‑factor authentication, delete any unknown WordPress accounts, and keep their WordPress site up‑to‑date. \"With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware,\" said Maikel Rollman, of the Netherlands' National High Tech Crime Unit. \"It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.\" The SocGholish JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017, and it works by hijacking legitimate websites (primarily WordPress sites) and tricking visitors into downloading malicious payloads, commonly disguised as fake browser updates. When a user installs the malicious update, the malware opens a connection to the attackers, giving them access to the infected system. SocGholish has also been used to deploy other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chthonic, and Azorult. 
The malware has been previously linked to Evil Corp, a Russian cybercrime gang active since 2007 that has been associated with the Zeus and Dridex malware families and was behind the WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker ransomware operations. \"This marks the beginning of further action against SocGholish,\" Rollman added in a press release published today. In November, as part of Operation Endgame, law enforcement agencies also took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations. Previously, Operation Endgame has also targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and various other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Flaw-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F06\u002F18\u002Foperation-endgame.jpg","2026-06-18T13:25:47+00:00","2026-06-18T14:00:12.914995+00:00",9,[18,21,23,26,29],{"name":19,"type":20},"Evil Corp","threat_actor",{"name":22,"type":20},"Lazarus Group",{"name":24,"type":25},"Operation Endgame","campaign",{"name":27,"type":28},"WordPress","product",{"name":30,"type":31},"JavaScript malware","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":32,"icon":34,"name":35,"slug":36},null,"Malware","malware",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,57,60,63,66,68],{"type":36,"value":55,"context":56},"SocGholish","JavaScript-based malware downloader; also tracked as FakeUpdates and GhoLoader; used to hijack WordPress sites since 2017",{"type":36,"value":58,"context":59},"Dridex","Banking trojan deployed by SocGholish; linked to Evil Corp",{"type":36,"value":61,"context":62},"Doppelpaymer","Ransomware variant deployed by SocGholish",{"type":36,"value":64,"context":65},"WastedLocker","Ransomware operation attributed to Evil 
Corp",{"type":36,"value":67,"context":65},"Hades",{"type":36,"value":69,"context":65},"Phoenix CryptoLocker"]