"With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said, framing the recent international disruption as both an immediate strike and the start of more work to come.
Operation Endgame: coordinated takedown across four countries
Dutch law enforcement, together with counterparts from Canada, Germany, and the U.S., executed a coordinated action under Operation Endgame — an international law enforcement initiative launched in 2024 to combat botnets and related criminal infrastructure. As part of that effort, authorities took down 106 servers linked to SocGholish and removed infections from 14,971 WordPress sites. Website owners have been notified to update their content management system (CMS), change credentials, and delete any suspicious accounts.
SocGholish: long-running, JavaScript-based downloader with many collaborators
Active since 2017 and also known as FakeUpdates, SocGholish is a JavaScript-based downloader that delivers follow-on malware from a range of threat actors. The framework has been observed distributing next-stage payloads associated with Evil Corp (aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak). In November 2025 Arctic Wolf reported SocGholish was used by the RomCom actors to deliver the Mythic Agent.
Orange Cyberdefense said it has observed SocGholish infections delivering loaders such as Gholoader and MintsLoader that in turn lead to payloads like GhostWeaver, LockBit, AsyncRAT, and NetSupport RAT. "SocGholish uses a layered delivery model and has been observed enabling multiple categories of follow-on payloads," the cybersecurity company said.
Delivery mechanics: injections, TDS affiliates, and domain shadowing
Analysts describe SocGholish as a multi-stage framework that converts compromised websites into drive-by download vehicles. Silent Push explained that "SocGholish infections typically originate from compromised websites that have been infected in multiple different ways," including direct injections and intermediary JavaScript files. Infoblox summarized the framework as operating through four main steps: traffic acquisition, traffic filtering, payload lures, and on-device implant execution.
The ecosystem relies heavily on traffic distribution systems (TDS) and affiliates. Infoblox and Orange Cyberdefense identified affiliates and TDS operators such as TA2726, Parrot TDS, and JunkyTDS; commercial offerings like Keitaro and zTDS have been used to filter traffic. Infoblox added that affiliates typically fingerprint visitors and pass "leads" to SocGholish in return for payment.
The Shadowserver Foundation detailed another abuse method: "The abuse also includes the use of a process known as 'Domain Shadowing,'" where attackers create malicious subdomains under legitimate domains to piggyback on their reputation and evade detection.
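The injection vector described above (compromised sites loading attacker-controlled JavaScript, often obfuscated) is something a site owner can screen for directly. The following is an added defensive example, not code from the operation or any vendor quoted here: it parses a page's HTML, reports external script sources whose host is not on a site-specific allow list, and flags inline scripts carrying common obfuscation markers. The allow-listed hosts, the sample page, and the `.test` domains in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from; anything else is suspect.
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Inline-script markers that commonly accompany obfuscated injected loaders.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode(", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True          # body of an inline script follows
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (external, inline): external = script URLs on hosts outside the allow list,
    inline = first 60 chars of inline scripts containing an obfuscation marker.
    Relative paths (/wp-includes/...) have no host and are treated as local."""
    p = ScriptCollector()
    p.feed(html)
    external = [src for src in p.external
                if urlparse(src).hostname and urlparse(src).hostname not in allowed_hosts]
    inline = [s.strip()[:60] for s in p.inline if any(m in s for m in OBFUSCATION_MARKERS)]
    return external, inline

# Constructed sample page: one local script, one allow-listed CDN, one injected loader
# from an unknown host, and one obfuscated inline snippet.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="https://updates.unknown-cdn.test/loader.js"></script>
<script>var _0x=["c3JjZQ=="];eval(atob(_0x[0]));</script>
</head><body>Hello</body></html>"""
```

Run it over each theme, plugin and uploaded HTML/JS file as well as rendered pages, since injections frequently live in a theme's footer or an intermediary JavaScript file rather than in the page itself.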
Geography, targets, and scale: who was affected
Shadowserver reported the vast majority of the hacked WordPress sites were in the U.S., followed by Germany, France, India, Brazil, Singapore, Italy, Indonesia, Canada, and Vietnam. Infoblox data showed roughly 55% of its cloud customers attempted to reach SocGholish infrastructure this year alone, and that attacks over the past five months targeted almost "every industry sector."
Infoblox listed the most targeted verticals as government, education, banking, healthcare, non-IT services, financial services, IT consulting, utilities, insurance, and transportation. Proofpoint emphasized TA569's breadth, saying "TA569 indiscriminately compromises websites and is opportunistic, although sites with higher traffic numbers lead to more victims," and noting compromises in nonprofits, schools, healthcare and hospitals, legal, and real estate organizations.
What this means for website owners, security teams, and affected industries
- Website owners: Authorities explicitly instructed notified owners to update their CMS, change credentials, and remove suspicious accounts — steps aimed at closing the immediate infection vector left by the cleaned WordPress instances.
- Security operations teams: The layered delivery model and the use of TDS affiliates mean that defenders must watch for chained, multi-stage infections and post-exploitation loaders such as Gholoader and MintsLoader that lead to a diverse set of payloads.
- Affected industries (government, healthcare, finance): The broad sector targeting reported by Infoblox and the multi-actor follow-on threats underscore persistent exposure even after an initial cleanup; organizations in the named verticals should assume they may be targeted by multiple actors leveraging the same compromised web infrastructure.
Maikel Rollman framed the action in both practical and strategic terms: the takedown "prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware" and "reduces the risk that these systems are used for cyber attacks on critical infrastructure and other essential societal processes." He added that the disruption "marks the beginning of further action against SocGholish."
The operation removed a large slice of SocGholish's visible infrastructure and cleaned nearly 15,000 compromised sites, but the public record in this release also documents a resilient, multi-party ecosystem: JavaScript loaders, traffic distributors, affiliates, and domain-level abuse. The immediate wins are clear; the hard work will be sustaining those gains as the actors and their commercial services adapt.