We’re always happy to end the week with some positive news. A law enforcement action called Operation Endgame just delivered a major win against the long‑running SocGholish (aka FakeUpdates) operation.
SocGholish is a malware framework that has been active since at least 2017 and is best known for abusing hacked, legitimate WordPress sites to push fake browser and software updates to visitors. When a user clicks one of these convincing “update now” prompts, the malware opens a backdoor on the system, giving attackers initial access that is often used to deploy ransomware and other malicious software. The operation has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex malware, as well as major ransomware and money‑laundering schemes.
This week, Dutch police and the Public Prosecution Service, working with the Royal Canadian Mounted Police, FBI, German Federal Criminal Police Office, Europol, and Eurojust, struck directly at SocGholish’s infrastructure. As part of Operation Endgame, they took down 106 servers and domains and cleaned 14,971 infected WordPress sites that had been silently redirecting visitors into the FakeUpdates trap.
Investigators say they found exposed login credentials for around 1.4 million WordPress sites. To check whether any passwords associated with your email address have been exposed in a breach, use the Malwarebytes Digital Footprint Scanner.










