A multinational law enforcement effort has disrupted one of the largest malware distribution networks targeting WordPress sites. The operation, conducted under the umbrella of Operation Endgame, removed SocGholish malware from nearly 15,000 compromised websites and took offline more than 100 servers linked to the Russian cybercrime group Evil Corp. Authorities from the Netherlands, Canada, the United States, and Germany collaborated in the takedown, which marks a significant blow to a malware family active since at least 2017.
What happened
In a press release published on 18 June 2026, law enforcement agencies announced the results of a coordinated action against the SocGholish botnet, a JavaScript-based malware downloader also tracked as FakeUpdates and GhoLoader. The Dutch National High Tech Crime Unit (NHCTU) led the technical effort to clean 14,971 infected WordPress sites, while authorities in the U.S., Canada, and Germany took down 106 servers and domains used to control the botnet. Europol and Eurojust supported the operation, reflecting the cross-border nature of the infrastructure involved.
SocGholish works by compromising legitimate WordPress sites and injecting JavaScript into the pages they serve. Visitors are shown a prompt styled as a browser update; the "update" is in fact a loader that, once run, contacts attacker-controlled infrastructure and fetches further payloads. Over the years the chain has been used to deliver the Dridex banking trojan and the DoppelPaymer and WastedLocker ransomware families, among others.
Background: The injected code is typically introduced through a compromised plugin or theme, so the lure appears on an otherwise trustworthy site and the fake update prompt borrows the look of a genuine software notice. The downloader itself has been in use since at least 2017. Evil Corp, the Russian cybercrime group linked to the operation, has been active since 2007 and is associated with several high-profile ransomware campaigns.
Why it matters
The takedown of SocGholish represents a significant disruption to Evil Corp’s operations, which have long relied on the malware to distribute ransomware and other malicious payloads. By removing the malware from nearly 15,000 sites, law enforcement has not only reduced the immediate threat to visitors but also weakened the group’s ability to launch future attacks. The operation also highlights the growing collaboration between international agencies to combat cybercrime, particularly when it involves infrastructure hosted across multiple jurisdictions.
For website owners, the operation is a reminder that a WordPress installation is itself an attack surface. The Dutch police advised affected site owners to change credentials, enable multi-factor authentication, remove unknown user accounts, and update their sites to the latest version. A cleaned site whose credentials and vulnerable components are left untouched can be reinfected by the same operators or taken over by other actors who obtain the same access.
What to watch
While the operation has dealt a blow to SocGholish, law enforcement has indicated that this is only the beginning of further actions against the malware and its operators. Maikel Rollman of the NHCTU stated that the takedown "marks the beginning of further action against SocGholish," suggesting that additional measures may be taken to dismantle the remaining infrastructure. Security researchers will likely monitor the botnet’s activity closely to assess whether the group attempts to rebuild or shift to alternative distribution methods.
Operation Endgame, the broader initiative under which this action was conducted, has previously targeted other major malware operations, including Rhadamanthys, VenomRAT, and Elysium. The operation’s focus on disrupting infection chains and botnet infrastructure underscores a strategic shift in law enforcement’s approach to combating cybercrime, prioritizing the dismantling of distribution networks over individual arrests.
For professionals: Administrators of WordPress sites should audit their installations for signs of compromise: unknown or newly created accounts (especially with the administrator role), modified core, plugin or theme files, and script tags in served pages that point at hosts the site has never used. Enabling multi-factor authentication and keeping core, plugins and themes updated are the basic preventive steps. Security teams should keep monitoring published SocGholish indicators of compromise (IoCs), since the operators may resurface on new domains or servers.
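The two audit checks above (unexpected script sources and unexpected administrators) can be scripted. The following Python is an added illustration, not code from the source article, the NHCTU or the WordPress project. It assumes the operator can obtain the site's rendered HTML (or theme PHP) as text, keeps an allowlist of hosts the site legitimately loads scripts from, and has a roster of expected administrator logins; the sample page, host names and user list are constructed for the demo and are not SocGholish indicators.

```python
"""Audit helpers for a WordPress site suspected of SocGholish-style injection.

Added illustration, not code from the source article or the NHCTU.
Assumptions (not from the page): rendered HTML or theme files are available
as text, and the operator maintains an allowlist of script hosts and a
roster of expected administrator logins.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script constructs that injected loaders commonly use to hide their
# stage-two URL. A hit is a reason to review the script, not proof of compromise.
OBFUSCATION_MARKERS = (
    "String.fromCharCode",
    "atob(",
    "eval(",
    "unescape(",
    "document.write(",
)


class _ScriptCollector(HTMLParser):
    """Collects <script> tags: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, detail) findings for scripts that warrant review.

    'external': src host not in allowed_hosts (relative paths are same-origin
    and never flagged; the site's own host must be in the allowlist).
    'inline': script body using one or more OBFUSCATION_MARKERS.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths
        if host is not None and host.lower() not in allowed:
            findings.append(("external", src))
    for body in parser.inline:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits:
            findings.append(("inline", ", ".join(hits)))
    return findings


def unknown_admins(users, known_admin_logins):
    """Return administrator logins absent from the expected roster.

    `users` mirrors the shape of `wp user list --fields=user_login,roles
    --format=json`: dicts with 'user_login' and a comma-separated 'roles'.
    """
    expected = {u.lower() for u in known_admin_logins}
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u["roles"].split(",")
        and u["user_login"].lower() not in expected
    )


# Constructed sample page: a core jQuery include, a theme script, an injected
# tag fetching a loader from a host the site never used, and an obfuscated inline block.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.example-site.test/wp-content/themes/t/app.js"></script>
<script src="//cdn.attacker-example.invalid/update.js"></script>
<script>var a=String.fromCharCode(104,116,116,112);document.write(atob("Li4u"));</script>
</head><body></body></html>"""
ALLOWED_HOSTS = {"www.example-site.test"}

# Constructed user list; a second administrator the owner never created.
SAMPLE_USERS = [
    {"user_login": "site-owner", "roles": "administrator"},
    {"user_login": "editor1", "roles": "editor"},
    {"user_login": "wp-support", "roles": "administrator"},
]
KNOWN_ADMINS = ["site-owner"]

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"review {kind}: {detail}")
    for login in unknown_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"unexpected administrator: {login}")
```

Run it against a saved copy of the site's home page and the JSON from `wp user list`; anything it flags is a starting point for manual review, and a clean result does not prove the site is uninfected, since injected code can also live in the database (post content, options) rather than in files.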
Automated pipeline · Security
Synthesized from 1 industry feed on 18 Jun 2026. Passed independent editor verification (score 85/100) before publication. Style guide v1.3.
Decision trail
- Checking for duplicates — New story: no recent article covers the law enforcement takedown of SocGholish-infected sites tied to Evil Corp.
- Checking for duplicates (pre_write) — New story: no recent or in-pipeline article covers this specific law enforcement action against SocGholish/Evil Corp.
- Writing the article — Draft created article_id=153 slug=police-dismantle-socgholish-botnet-infecting-15-000-wordpress-sites
Editor review — Approved
- Score: 85/100
- Factual grounding: The draft states 'On 18 June 2026' as the announcement date, which matches the source publication date and reference date. However, the source does not explicitly state the announcement occurred on that date—it only says the press release was published 'today' (resolved to 18 June 2026). While this is likely correct, the phrasing could imply a stronger certainty than the source supports. Omit the specific date or clarify it is the publication date of the announcement.
- Quote integrity: The quote attributed to Maikel Rollman ('marks the beginning of further action against SocGholish') is verbatim from the source, but the draft omits the preceding sentence from the source quote, which provides additional context. While the meaning is preserved, the truncation could be seen as altering the original emphasis. Ensure blockquotes are exact or paraphrase without quotation marks.
- Style compliance: The standfirst ('A multinational operation removed malware from nearly 15,000 compromised WordPress sites linked to the Russian cybercrime group Evil Corp.') is slightly redundant with the opening sentence of the body. The standfirst should avoid repeating the headline or first paragraph; it should complement them with a concise summary or angle.
- No copied phrasing: The Background block closely mirrors the source's phrasing (e.g., 'JavaScript-based malware downloader that has been active since at least 2017' vs. source's 'JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017'). While facts are correct, the structure and wording are too similar. Rewrite to avoid echoing the source.
- Style compliance: The article uses two optional blocks (Background and For professionals), which is permitted, but the Background block could be omitted since its content is largely restated in the main body. Reserve optional blocks for unique, non-redundant context.
- Generating reader Q&A — Generated 4 items
- Assigning hero image — Pexels pexels_id=2924099 q=Europol headquarters
- Linking related stories — Linked 5 relations from 115 candidates
- Linking related stories — Linked 5 relations from 116 candidates
- Publishing — Published police-dismantle-socgholish-botnet-infecting-15-000-wordpress-sites
- Mastodon — Posted https://mstdn.social/@hostingpaper/116771735608461883
