Scope of the disruption: 15,000 websites remediated and 106 infrastructure nodes seized
On June 18, Dutch police announced an international operation that remediated infections on roughly 15,000 compromised websites and took down 106 servers and domains associated with the SocGholish malware group. The action, conducted over the course of a week, targeted both the web infrastructure used to host malicious content and the botnet that tied infected machines together.
The takedown did not rely on a single agency. Specialist agents from the Dutch police's National High Tech Crime Unit (NHCTU) worked jointly with the Royal Canadian Mounted Police (RCMP), the German Federal Criminal Police Office (BKA) and the US Federal Bureau of Investigation (FBI), with additional support from Europol, Eurojust and cybersecurity industry partners.
How SocGholish operated: WordPress compromise and fake update pop‑ups
According to tracking by Proofpoint — which designates the campaign TA569 — SocGholish gained access to legitimate WordPress sites either by hacking them or by using previously leaked credentials. The compromised sites were then used to deliver malicious pop‑ups to visiting users.
Those pop‑ups falsely told users that their software was out of date and prompted them to "install" what looked like an update. Users who accepted the prompt became infected and were enrolled into the SocGholish botnet, which in turn was used to distribute additional malware and deploy ransomware against subsequent targets.
Link to larger ransomware activity: regular use by Evil Corp
The disrupted SocGholish botnet was regularly used by Evil Corp, a Russia‑based ransomware and cybercrime group identified in the announcement. The statement ties SocGholish activity to the delivery of malware and ransomware by Evil Corp against a range of victims, including governments, healthcare institutions and enterprises.
Law enforcement framed the disruption as depriving those criminal actors of a distribution channel for follow‑on attacks, and as a means to limit further damage caused when infected systems are subsequently leveraged against other targets.
Remediation guidance issued to WordPress site owners
Owners of the compromised WordPress sites were notified and given specific remediation steps to secure their sites. The advisory items issued to WordPress site owners were:
- Change their login credentials
- Enable multi‑factor authentication
- Delete any unknown additional WordPress accounts
- Keep their WordPress site up‑to‑date in the future
The public notification emphasized both immediate corrective actions and longer‑term hygiene: credential rotation, removal of unauthorized accounts, and patching to close the vectors SocGholish exploited.
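The account-audit and update steps above can be scripted for operators who manage many sites. The following is an added example, not part of the police advisory; it assumes WP-CLI (`wp`) is installed on the site host and that the operator keeps their own list of expected logins in a file.

```shell
#!/bin/sh
# Added example (not from the announcement): surface WordPress administrator
# accounts that are not on the operator's list of expected logins, and list
# pending core/plugin updates, covering two of the advisory's four steps.
# Assumes WP-CLI ("wp") is on PATH; the expected-logins file is the
# operator's own record of legitimate accounts (one login per line).

# Print logins present in $1 (current accounts, one per line) but absent
# from $2 (expected logins, one per line). Pure text processing, so it can
# be exercised with constructed input without a WordPress install.
unknown_accounts() {
    current="$1"
    expected="$2"
    printf '%s\n' "$current" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        # -x: whole-line match, so "admin" does not match "admin2"
        if ! printf '%s\n' "$expected" | grep -qx -- "$login"; then
            printf '%s\n' "$login"
        fi
    done
}

# Pull the live administrator logins via WP-CLI and report the unknown ones
# for review; deletion is left to the operator (wp user delete <login>).
# $1: path to the WordPress install, $2: file of expected logins.
audit_site_admins() {
    live=$(wp --path="$1" user list --role=administrator --field=user_login)
    unknown_accounts "$live" "$(cat "$2")"
}

# List outstanding core and plugin updates for the "keep up-to-date" step.
# $1: path to the WordPress install.
pending_updates() {
    wp --path="$1" core check-update
    wp --path="$1" plugin list --update=available --field=name
}
```

Run `audit_site_admins /var/www/example expected-logins.txt` per site and treat every login it prints as a candidate for removal after confirming it was not created by staff.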
What this means for public sector, WordPress owners, and security teams
Public sector organizations: As industry partner Infoblox warned, SocGholish “is not a niche threat” and its activities reach deep into public sector environments; public agencies should expect follow‑on enforcement and continued attention to web platform hygiene.
WordPress site owners: Site operators have been directly advised to change credentials, enable multi‑factor authentication, delete unknown accounts and apply updates — practical steps the takedown teams say will reduce re‑infection risk.
Security teams and incident responders: By disrupting 106 servers and domains and remediating infections on an estimated 15,000 sites, law enforcement seeks to remove a widely abused delivery mechanism and limit the botnet’s ability to funnel ransomware and other malware into new victims.
The coordinated, multinational nature of the action — and Maikel Rollman’s warning that the move “marks the beginning of further action against SocGholish” — frames this as an operational setback for the group rather than an endpoint. The technical fixes and the legal takedown together blunt the immediate threat; whether attackers will reconstitute similar infrastructure or pivot to new distribution methods is the practical question left to defenders and investigators.