14,971 WordPress Sites Cleaned in Global SocGholish Takedown

Operation EndGame disrupted SocGholish, taking down 106 servers and cleaning 14,971 WordPress sites used to spread fake-update malware.
On June 18, 2026, law enforcement agencies from the Netherlands, Canada, the United States, and Germany, coordinated through Europol, executed a joint action week against SocGholish, one of the most persistent and widely deployed malware distribution networks on the internet.
Operation EndGame took down over 100 servers and domains and removed infections from 14,971 compromised WordPress websites. Proofpoint, which has tracked the group behind SocGholish since 2018, provided intelligence to support the law enforcement actions.
“In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week,” reads the press release.
“Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated. In addition, the following actions were carried out:
- Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
- Disabling the SocGholish botnet by taking over domain names and taking servers offline.
- Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).”
SocGholish, also known as FakeUpdates, is operated by a threat group Proofpoint tracks as TA569. The technique is elegantly simple and devastatingly effective: compromise a legitimate website, inject malicious JavaScript, and when a visitor arrives and passes a set of filtering checks, overwrite the entire page with a convincing fake browser update prompt.
“TA569 is one of the most prominent cybercriminal threat groups in Proofpoint threat data, which our researchers have tracked since 2018,” reads Proofpoint’s report. “TA569’s SocGholish inject activity has been linked to major ransomware families and criminal syndicates.”
Those families include WastedLocker, LockBit, and RansomHub. TA569 acts as an initial access broker, and public reporting has linked it to Evil Corp, the Russian cybercriminal group whose members have been sanctioned multiple times by Western governments.
The scale of the problem before the takedown was substantial. In May 2026, ShadowServer found more than 1.44 million compromised WordPress websites available for use by SocGholish. Infoblox reported that approximately 55% of cloud customers had been exposed to SocGholish this year.
“The outcomes included:
- 14,971 compromised legitimate WordPress sites infected with SocGholish malware remediated
- 106 servers and domains taken down worldwide, disrupting the SocGholish botnet,” reads the report by ShadowServer.
TA569 compromised sites across virtually every sector: nonprofits, schools, hospitals, legal firms, real estate companies, and major media and retail portals visited by millions of users daily.
Getting into those sites is less spectacular than it sounds. TA569 and its partners gain access through password spraying, stolen or reused credentials, vulnerabilities in WordPress plugins and themes, and weaknesses in third-party dependencies.
“These attacks often target outdated components, but they are not limited to known vulnerabilities. Attackers may also exploit zero-days, abandoned plugins, custom templates, or third-party dependencies that are no longer maintained. In some cases, plugin or theme developers may not realize that underlying libraries or bundled components used by their products also need security updates,” continues Proofpoint. “This can leave sites exposed even when the CMS core appears to be current.”
Once inside, the operator establishes persistence through multiple mechanisms: added admin accounts, PHP backdoors placed outside the CMS directory structure, and fake plugins with benign-sounding names that hide themselves from the WordPress admin interface. Cleaning up visible malware without finding the persistence mechanism is a common mistake that results in reinfection within days.
The delivery chain has grown more sophisticated over time. In the current configuration, TA569 works with TA2726, which operates a malicious version of the Keitaro traffic distribution service (TDS). TA2726 injects highly obfuscated JavaScript into compromised sites via a fake WordPress plugin, which eventually loads the SocGholish code. Stage 1 of SocGholish then profiles the visitor: it checks for automated browsers, open developer tools, prior visits to the fake update page, and WordPress admin sessions. It also waits for the mouse to move at least ten times before proceeding. If the visitor passes all checks, the malware overwrites the entire page.
“Even though the download button might look basic, it’s actually advanced. Clicking it sends a "postMessage" to a separate hidden iframe that was loaded from a "data:" URI. That iframe fetches a script from the TA569 C2 which contains the file "Google Launcher.js" (GhoLoader Stage 1, C2: "js-new[.]newtoyourgame[.]com") as an embedded base64 blob, constructs it client-side via "URL.createObjectURL()", and triggers the download,” continues the report. “This means the downloaded file originates from a "blob:" URL with no direct network download trace pointing to a malicious JavaScript file. Sandboxes that simply ".click()" the button without proper cross-frame message handling will never trigger the download at all.”
The downloaded file is GhoLoader Stage 1, a WSH JScript that communicates with its C2 and executes the response. Sandboxes that simply click the button without handling cross-frame messages won’t trigger the download at all.
Orange Cyber Defense’s CERT observed SocGholish delivering loaders, including GhoLoader and MintsLoader, which in turn led to the GhostWeaver PowerShell backdoor, LockBit and RansomHub ransomware, and AsyncRAT and NetSupport RAT. The Dutch police noted that notifications were also sent to WordPress site owners whose compromised credentials were identified in the operation, urging them to change logins, enable MFA, delete suspect accounts, and update their software.
The operation will have a significant impact, but it won’t end the web inject problem. TA569 may be, as Proofpoint put it, the originator of the technique, but the web inject space has expanded well beyond a single actor.
“What went from being a technique only used by a handful of threat actors – popularized and innovated by TA569 – web injects have become a common technique used by numerous threat clusters beyond the TA569 ecosystem including ClearFake, ZPHP, and ErrTraffic,” concludes the report.
Proofpoint tracks nearly a dozen distinct threat clusters running web inject campaigns, and the technique has been rising consistently since 2023. TA2726, the TDS provider that funneled traffic for TA569, was not directly targeted in the operation and will continue operating. Its traffic currently also serves TA2727, which delivers different payloads to macOS users, including FrigidStealer.
For WordPress administrators, the Dutch police and Proofpoint both published concrete remediation steps: enable MFA for all admin accounts, restrict wp-admin access by IP allowlist, remove unused plugins and themes, block PHP execution in the uploads directory, enable file integrity monitoring, and assume that if a site was previously infected, the credentials used to access it are compromised.
Cleaning only the injected code while leaving stale admin accounts and unchanged passwords is not remediation. It’s just delay.
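As an added example (not from the article or from any of the reports it cites), the following Python script implements two of the controls listed above: it hashes a WordPress tree against a baseline taken on a known-clean site and flags any PHP file under wp-content/uploads, the two places where the persistence described earlier (dropped PHP backdoors, altered plugin files) shows up on disk. The miniature site layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

UPLOADS = "wp-content/uploads/"
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def hash_tree(root: Path) -> dict:
    """Return {relative_posix_path: sha256} for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the trusted baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def php_in_uploads(manifest: dict) -> list:
    """PHP under wp-content/uploads is never legitimate; block execution there as well."""
    return sorted(p for p in manifest
                  if p.startswith(UPLOADS) and p.lower().endswith(PHP_EXT))


def scan(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report integrity findings."""
    current = hash_tree(root)
    report = diff_manifests(baseline, current)
    report["php_in_uploads"] = php_in_uploads(current)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a tiny clean tree, then drop a PHP file in uploads
    and alter a plugin file in place, which is the pattern the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        for rel, body in {"index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
                          "wp-content/plugins/hello/hello.php": "<?php // Plugin Name: Hello",
                          "wp-content/uploads/2026/06/photo.jpg": "JFIF"}.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        baseline = hash_tree(site)  # in practice, store this off-host when the site is clean
        (site / "wp-content/uploads/2026/06/cache.php").write_text("<?php // constructed")
        (site / "wp-content/plugins/hello/hello.php").write_text("<?php // constructed change")
        return scan(site, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be captured before any compromise and stored where a site-level attacker cannot rewrite it; otherwise the diff only confirms the attacker's current state.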
(SecurityAffairs – hacking, Operation EndGame)

