“With these actions we deprive cybercriminals of access to infected computer systems.” That was the blunt accounting offered by Maikel Rollman of the Netherlands’ National High Tech Crime Unit after an international law enforcement sweep cleaned 14,971 WordPress sites infected with the SocGholish malware and took 106 servers and domains offline.
The takedown: NHCTU, RCMP, FBI and BKA remove 14,971 infections
The operation was carried out by authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA), and was supported by Europol and Eurojust as part of Operation Endgame. According to the agencies, the Dutch police removed the malware and backdoors from 14,971 compromised WordPress websites while global partners took 106 servers and domains offline.
The Dutch agency advised site owners to change credentials, enable multi‑factor authentication, delete any unknown WordPress accounts, and keep their WordPress site up‑to‑date. Rollman framed the action in public terms: “This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware.”
SocGholish: delivery, aliases, and payloads
The malware at the center of the takedown is the SocGholish JavaScript-based downloader, also tracked as FakeUpdates and GhoLoader. According to the account released today, SocGholish has been used in attacks since at least 2017 and operates by hijacking legitimate websites—primarily WordPress sites—and tricking visitors into downloading malicious payloads commonly disguised as fake browser updates.
When a user installs the malicious update, the malware “opens a connection to the attackers, giving them access to the infected system.” The campaign has been a delivery vehicle for a range of other malware families named by investigators, including Dridex, Doppelpaymer, Empire, Koadic, Chthonic, and Azorult.
Operation Endgame: previous takedowns and continuity
The SocGholish disruption is a continuation of Operation Endgame, a broad law enforcement initiative that has targeted botnets and ransomware infrastructure. In November, agencies behind Operation Endgame said they took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet operations. Earlier actions under the operation hit ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and multiple major malware operations named in the announcement—DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.
What this means for website owners, security teams, and cybercriminals
- Website owners and administrators: Follow the Dutch police guidance—change credentials, enable multi‑factor authentication, remove unknown WordPress accounts, and ensure WordPress core and plugins are current. The public remediation carried out by investigators removes active backdoors, but owner remediation is required to prevent reinfection.
- Security teams and defenders: The disruption removes a large distribution channel for SocGholish, reducing immediate exposure to follow-on payloads such as Dridex and Doppelpaymer. Detection and response teams should verify logs for signs of prior compromise, and confirm that compromised hosts are no longer calling the now‑offline servers.
- Cybercriminals and infrastructure operators: Law enforcement action has degraded an established delivery chain. As Rollman put it, “This marks the beginning of further action against SocGholish,” signaling continued pressure on the infrastructure that enables these infections.
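An added defender-side check, not part of the article or of any agency guidance: a Python scan of a rendered WordPress page that flags script references loaded from hosts outside the site's own allowlist, and inline stubs that decode data into a dynamically inserted script, the shape an injected JavaScript loader like the one described above tends to take. The allowlist, hostnames and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}
# Inline traits that together suggest a dropper stub, not theme code:
# dynamic script insertion fed by decoded or obfuscated data.
DYNAMIC_LOAD = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)
OBFUSCATION = re.compile(r"\batob\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I)

class ScriptAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host and host not in self.allowed:  # no host = same-origin
                self.findings.append(("external-script", host))

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._inline)
            if DYNAMIC_LOAD.search(body) and OBFUSCATION.search(body):
                self.findings.append(("obfuscated-loader", body[:60]))
            self._in_script, self._inline = False, []

def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_type, detail) pairs for scripts that need review."""
    auditor = ScriptAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings

# Constructed sample: one legitimate script, then two injected ones.
SAMPLE_PAGE = ('<script src="https://cdn.example-shop.test/theme.js"></script>'
               '<script src="https://injected.invalid/loader.js"></script>'
               "<script>var s=document.createElement('script');s.src=atob('aHR0cA==');"
               "document.head.appendChild(s);</script>")
```

Run `audit_page()` over the HTML your site actually serves to visitors (the rendered output, not the theme files), since injected loaders typically live in the database or a plugin rather than in a file you would read by hand.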
The coordination that produced the cleanup underscores how investigators are treating web‑based droppers and their hosting infrastructure as law‑enforcement targets on par with traditional botnets and ransomware servers. By removing access to compromised sites and de‑hosting control infrastructure, authorities say they have reduced the risk those systems pose to citizens, businesses and essential societal processes. Whether the action disrupts operators long enough to force a durable change in tactics—or simply to move infections and hosting elsewhere—remains the operational question the agencies themselves flagged when they called this “the beginning of further action against SocGholish.”