15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown

Law enforcement agencies in four countries, working with Europol and private partners, have disrupted SocGholish infrastructure and cleaned up nearly 15,000 infected WordPress websites.

Active since 2017 and also known as FakeUpdates, SocGholish is a malware framework injected into websites running popular content management systems, such as WordPress, Joomla, and Drupal, either via known vulnerabilities or stolen credentials.

The framework acts as a JavaScript-based dropper, deploying various malware families as part of drive-by downloads, including ransomware, banking trojans, spyware, and more, and has been one of the most used loaders for years.

SocGholish is operated by a Russian-speaking threat actor tracked as DEV-0206, Gold Prelude, Mustard Tempest, TA569, and UNC1543, which acts as an initial access broker and has been associated with the infamous Evil Corp gang (believed to be linked to Russian intelligence).

TA569 has been observed indiscriminately compromising websites to inject the SocGholish loader, including prominent media and retail portals visited by millions of users daily.