SocGholish Malware Network Disrupted as Operation Endgame Cleans Nearly 15,000 WordPress Sites


International law enforcement agencies have disrupted the SocGholish malware network, taking 106 servers and domains offline and cleaning 14,971 infected websites. The action was announced by the Dutch police as part of Operation Endgame, the ongoing global campaign against botnets and cybercrime infrastructure.

SocGholish, also known as FakeUpdates, has long used hacked legitimate websites to push fake browser update prompts. When visitors install the fake update, attackers can gain initial access to the victim’s system and deliver more dangerous malware.

The operation involved authorities from the Netherlands, Canada, the United States, and Germany, with support from Europol and Eurojust. It also included victim notification and cleanup work for compromised WordPress site owners.

What happened in the SocGholish takedown?

The Operation Endgame action targeted the infrastructure that helped SocGholish turn legitimate websites into malware delivery points. Authorities said the botnet was disrupted by taking over domain names, taking servers offline, and removing malicious code from infected WordPress sites.

The official announcement said 14,971 websites were remediated. These included everyday service websites, such as restaurants and auto garages, showing how the campaign abused ordinary trusted sites rather than only high-profile targets.

| Action | Confirmed detail |
| --- | --- |
| Infrastructure disrupted | 106 servers and domains taken down worldwide |
| Websites remediated | 14,971 infected websites cleaned |
| Main infection route | Compromised legitimate websites showing fake update prompts |
| Agencies involved | Netherlands NHTCU, Canada RCMP, U.S. FBI, Germany BKA, Europol, and Eurojust |

Why SocGholish matters

SocGholish is listed by MITRE ATT&CK as a JavaScript-based loader malware used since at least 2017. Its main role is initial access, which makes it valuable to ransomware groups and other cybercriminal operators.

Proofpoint said SocGholish activity is tied to TA569, a threat actor known for using website injections and traffic filtering systems to send selected visitors to fake update pages. That model helped make fake update lures common across the wider malware ecosystem.

The danger comes from what happens after the fake update runs. SocGholish can open the door for remote access tools, information stealers, credential theft, and ransomware activity.

WordPress sites were a major target

WordPress remained central to the campaign because of its enormous reach. WordPress says its software powers more than 43% of the web, which gives attackers a huge pool of sites to target when credentials, plugins, themes, or hosting accounts are exposed.

Authorities said login credentials from 1.4 million websites had been leaked, leaving many sites vulnerable to compromise. Once attackers gain access to a site, they can inject JavaScript, create hidden backdoors, or add unauthorized accounts to keep control.

The Dutch police said infected site owners were notified through several channels, including Have I Been Pwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation, and NCSC Netherlands.

How the fake update attack works

SocGholish does not usually start with a suspicious email attachment. Instead, a victim may land on a legitimate website that has already been compromised.

If the visitor matches the attackers’ targeting checks, the site displays a fake browser or software update prompt. The fake message tries to convince the user to download and run a malicious file.

The MITRE profile for SocGholish links the malware to drive-by compromise, JavaScript execution, system discovery, and follow-on malware delivery.

  • A legitimate website is compromised.
  • Malicious JavaScript is injected into the site.
  • Visitors are filtered by browser, location, device, or other checks.
  • Selected users see a fake browser update page.
  • The downloaded file gives attackers initial access.
  • Other malware or ransomware can follow.
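As an added example (not code from the article or from any organisation it cites), a short Python check for the injection step in that chain: it looks through WordPress theme and plugin files for script tags that load code from hosts outside an owner-maintained allowlist, and for the eval(atob(...)) idiom common in obfuscated injections. The allowlist and the sample files are constructed assumptions.

```python
"""Scan site files for injected JavaScript: <script src=...> tags that load code from
hosts the site owner does not recognise, plus the eval(atob(...)) obfuscation idiom.
The allowlist and the sample files below are constructed for this example."""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed; the owner maintains it).
ALLOWED_HOSTS = {"cdn.jsdelivr.net", "fonts.googleapis.com"}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
EVAL_ATOB_RE = re.compile(r'eval\s*\(\s*atob\s*\(', re.I)

def script_hosts(content):
    """Hostnames of every <script src> in content; relative paths (same origin) are skipped."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(content):
        if src.startswith("//"):            # protocol-relative URL still names a host
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def scan_file(path, content):
    """Return (path, reason, detail) findings for one file."""
    findings = []
    for host in sorted(script_hosts(content) - ALLOWED_HOSTS):
        findings.append((path, "script loaded from host not in allowlist", host))
    if EVAL_ATOB_RE.search(content):
        findings.append((path, "eval(atob(...)) inline obfuscation", ""))
    return findings

def scan_site(files):
    return [f for path, content in files.items() for f in scan_file(path, content)]

# Constructed sample site: a clean theme file, one with an injected external loader,
# and a plugin script that decodes and evaluates a base64 string.
SAMPLE_FILES = {
    "wp-content/themes/shop/footer.php":
        '<script src="https://cdn.jsdelivr.net/npm/lib.js"></script><script src="/wp-includes/js/jquery.js"></script>',
    "wp-content/themes/shop/header.php":
        '<html><head><script src="//cdn-updates.example.invalid/check.js"></script></head>',
    "wp-content/plugins/seo/seo.js": 'eval(atob("Ly8gY29uc3RydWN0ZWQ="));',
}

if __name__ == "__main__":
    for path, reason, detail in scan_site(SAMPLE_FILES):
        print(f"[!] {path}: {reason} {detail}".rstrip())
```

Any hit needs a human look: a theme may legitimately pull from a CDN the allowlist does not yet list, so treat findings as leads, not verdicts.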

What WordPress site owners should do now

Website owners should not assume cleanup ends the risk. Attackers often add persistence, which can include hidden backdoors, new admin accounts, or malicious plugin files.

Proofpoint’s analysis warns that attackers can gain access through leaked or reused credentials, CMS flaws, vulnerable plugins, abandoned themes, hosting weaknesses, and third-party services.

Owners of affected or potentially exposed websites should take these steps:

  • Change all WordPress, hosting, FTP, database, and administrator passwords.
  • Enable multi-factor authentication for all administrator accounts.
  • Remove unknown WordPress users and suspicious administrator accounts.
  • Update WordPress core, plugins, themes, and server-side components.
  • Check plugin folders, theme files, and uploads for unfamiliar PHP or JavaScript files.
  • Review access logs for strange login activity or unauthorized file changes.
  • Use a security scanner and consider a manual review if the site handled customer data.
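For the log-review step, here is an added Python example (not from the article or the agencies involved) that reads Apache/Nginx combined-format access logs and flags two things a site owner would want to see: bursts of POSTs to wp-login.php from one address, which is what credential stuffing with leaked passwords looks like, and any request for a PHP file under wp-content/uploads. The log lines are constructed and the threshold of five POSTs is an assumption to tune per site.

```python
"""Flag two access-log patterns from the checklist above: bursts of POSTs to wp-login.php
(credential stuffing with leaked passwords) and any request for a PHP file under
wp-content/uploads, a directory WordPress never needs to execute PHP from."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(lines, login_threshold=5):
    """Return IPs with >= login_threshold POSTs to wp-login.php and PHP hits under uploads."""
    login_posts = defaultdict(int)
    upload_php = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop the query string before matching
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            upload_php.append((rec["ip"], path, rec["status"]))
    bursts = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"login_bursts": bursts, "upload_php_hits": upload_php}

# Constructed sample (RFC 5737 documentation IPs): one address hammering the login form,
# one ordinary login, and one request that runs a PHP file placed in the uploads folder.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/May/2025:01:02:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"'
     for s in range(5)]
    + ['192.0.2.9 - - [10/May/2025:01:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/May/2025:01:06:10 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/May/2025:01:06:15 +0000] "POST /wp-content/uploads/2025/05/cache.php?x=1 HTTP/1.1" 200 88 "-" "curl/8.0"']
)

if __name__ == "__main__":
    findings = audit(SAMPLE_LOG.splitlines())
    for ip, n in findings["login_bursts"].items():
        print(f"[!] {n} POSTs to wp-login.php from {ip}: review for credential stuffing")
    for ip, path, status in findings["upload_php_hits"]:
        print(f"[!] PHP executed under uploads: {path} from {ip} (HTTP {status})")
```

On a real server, feed it the access log with `audit(open("/var/log/apache2/access.log"))` and check any flagged PHP path against the file list from the previous step.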

How users can avoid SocGholish-style fake updates

Users should treat browser pop-ups demanding urgent software updates as suspicious. Modern browsers and operating systems update through built-in settings, official app stores, or direct vendor websites.

WordPress.org highlights how widely the platform is used, but the same basic warning applies to any website. A familiar site can still be compromised and used to show a malicious update prompt.

| Warning sign | Safer action |
| --- | --- |
| A website says your browser is outdated | Close the page and check updates from browser settings |
| A download starts from a random pop-up | Delete the file and do not run it |
| The message creates urgency | Pause and verify through the official vendor site |
| A file arrives as a JavaScript or archive file | Do not open it unless the source is fully trusted |

Operation Endgame is still expanding

Operation Endgame launched in 2024 and has grown into a continuing international effort against botnets, loaders, and criminal access services. The SocGholish action shows that authorities are targeting the early stages of cyberattacks, not only the ransomware groups that appear at the end.

For site owners, the takedown reduces immediate exposure but does not remove the need for stronger security. For users, the main lesson remains simple: never install software updates from unexpected web pop-ups.

People who receive a Have I Been Pwned notification linked to exposed credentials should change affected passwords immediately and enable two-factor authentication wherever possible.

FAQ

What happened to the SocGholish malware network?

Authorities disrupted SocGholish infrastructure as part of Operation Endgame. They took 106 servers and domains offline and cleaned 14,971 infected websites.

Is SocGholish the same as FakeUpdates?

Yes. SocGholish is also known as FakeUpdates because it commonly uses fake browser or software update prompts to trick users into running malware.

Were 106 servers and 101 domains seized?

Official law enforcement wording says 106 servers and domains were taken down worldwide. It does not confirm 106 servers plus 101 separate domains.

What should WordPress site owners do after the SocGholish takedown?

They should change all login credentials, enable multi-factor authentication, remove unknown administrator accounts, update WordPress core, plugins, and themes, and scan the site for backdoors or injected scripts.

How can users avoid SocGholish infections?

Users should not install updates from browser pop-ups or unexpected website messages. Browser and software updates should come from built-in settings, official app stores, or trusted vendor websites.
