Europol Disrupts SocGholish Servers, Cleans Malicious TDS Threat
2026-06-24 18:43 | Severity: CRITICAL | HIGH
Executive Summary (AI-generated)
Europol's Operation Endgame has disrupted the infrastructure behind three major malware families: SocGholish, Amadey, and StealC. The cybercrime groups behind them have been linked to various high-profile malware and ransomware operations, including Zeus and Dridex, and are responsible for significant financial losses and damage to critical infrastructure worldwide. By targeting the initial-access malware at the start of these infection chains, Europol has crippled the ability of these groups to launch their operations. The operation's strategic significance lies in its simultaneous targeting of SocGholish, Amadey, and StealC, which together form the opening stages of a cybercrime attack chain. In the SocGholish portion alone, 14,971 infected websites across various sectors were remediated, making this one of the largest international operations ever undertaken against ransomware enablers worldwide.
Technical Mitigations (AI-generated)
• The operation targeted the infrastructure behind SocGholish, Amadey, and StealC malware families, disrupting their ability to launch ransomware, financial fraud, and attacks on critical infrastructure.
• Europol coordinated a two-week law enforcement operation involving agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, alongside private firms like Microsoft, Bitdefender, IBM X-Force, Proofpoint, Infoblox, Shadowserver, Orange Cyberdefense, and other partners.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation Endgame, Operation Riptide, Indrik Spider, Mustard Tempest, SystemBC, Azorult, IcedID, RansomHub, Dridex, Pikabot, Bumblebee, SocGholish, WastedLocker, FakeUpdates, Raspberry Robin, Amadey
Target & Sectors
Regions: BENELUX, NORTH_AMERICA, ASEAN, DACH, NORDICS
Sectors: retail, government, technology, legal, education, healthcare, transportation
Incident Timeline
at least 2017
SocGholish (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017.
Entities: SocGholish, FakeUpdates, GhoLoader (malware); WordPress (organisation); T1059.007 - JavaScript (tactic)
Source: The SocGholish JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017, and it works by hijacking legitimate websites (primarily WordPress sites) and tricking visitors into downloading malicious payloads, commonly disguised as fake browser updates.
October 2018
Amadey has been running since October 2018 as a paid dropper service, spreading primarily through phishing campaigns.
Entities: Amadey (malware); Phishing (tactic)
Between June 15 and 19, 2026
Europol coordinated a two-week law enforcement operation involving agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, alongside private firms like Microsoft, Bitdefender, IBM X-Force, Proofpoint, Infoblox, Shadowserver, Orange Cyberdefense, and a dozen other private partners.
Entities: Canada, Denmark, Germany, Netherlands, United Kingdom, United States (target_region); Europol, Microsoft, IBM, Infoblox, Shadowserver (attribution)
January 2023
Threat actors used Amadey to infect devices, with StealC acting as a harvesting layer to extract passwords and sensitive data from the compromised machines.
May 2024
Operation Endgame seized around 100 servers belonging to dropper networks, including IcedID, SystemBC, Smokeloader, Trickbot, Pikabot, and Bumblebee.
Entities: 100 servers (infrastructure); IcedID, SystemBC, Pikabot, Bumblebee (malware)
Source: In May 2024, the operation resulted in seizing around 100 servers belonging to dropper networks, including IcedID, SystemBC, Smokeloader, Trickbot, Pikabot, and Bumblebee, and by May 2025, the DanaBot network was dismantled, leading to charges against 16 people.
May 2025
The DanaBot network was dismantled, leading to charges against 16 people.
Entities: DanaBot (malware); 16 people (general_metric)
Source: the same sentence as the May 2024 entry above.
2025/06/19
Silent Push analysis: SocGholish infections typically originate from compromised websites that have been infected in multiple different ways.
Entities: SocGholish (malware)
Source: "SocGholish infections typically originate from compromised websites that have been infected in multiple different ways," Silent Push noted in an analysis of the malware last year.
November 2025
Arctic Wolf revealed that SocGholish was used by the RomCom threat actors to deliver Mythic Agent; later that month, police shut down over 1,025 servers used by the Rhadamanthys, VenomRAT, and Elysium operations.
Entities: SocGholish (malware); RomCom (organisation); Botnet (tactic); 1,025 servers (infrastructure)
Source: In November 2025, Arctic Wolf revealed that SocGholish was being used by the RomCom threat actors to deliver the Mythic Agent, highlighting the use of the initial access broker's services by a broad range of actors with varied motivations.
Source: Later in November 2025, police shut down over 1,025 servers used by three other malware groups, terminating the core infrastructure of the Rhadamanthys infostealer, the VenomRAT remote control tool, and the Elysium botnet.
January 2026
Most recently, in January 2026, Dutch police arrested the 33-year-old mastermind behind a hacker testing site at Amsterdam's airport.
Entities: Netherlands (target_region); Amsterdam (attribution)
First two weeks of May 2026
Microsoft linked both families to over 140,000 infected computers worldwide in just the first two weeks of May 2026.
Entities: Microsoft (organisation); 140,000 infected computers (general_metric)
May 2026
Europol describes Operation Endgame as the largest international operation ever undertaken to tackle ransomware enablers worldwide; victim notifications went out through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and the Dutch National Cyber Security Centre.
Entities: EUROPOL, SecurityAffairs, EuroJust, DIVD, Spamhaus, CheckjeHack, the Dutch National Cyber Security Centre (organisation)
Source: Operation Endgame is described by Europol as the largest international operation ever undertaken to tackle ransomware enablers worldwide.
Source: Pierluigi Paganini, SecurityAffairs (hacking, Operation Endgame).
Source: press release published by EuroJust.
Source: Victim notifications went out through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and the Dutch National Cyber Security Centre.
2026/06/16
Infoblox published a blog post on SocGholish noting that the framework casts a wide net across enterprises and public sectors.
Entities: SocGholish (malware)
Source: According to an Infoblox blog post on SocGholish last week, the framework casts a wide net across enterprises and public sectors.
June 18
The FBI Cyber Division said the malware establishes an initial foothold into victim computers (collectively a botnet) that threat actors then use for ransomware campaigns and espionage.
Entities: Ransomware, Botnet, Espionage (tactic); FBI Cyber Division (attribution)
Source: "The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage," the FBI Cyber Division said in a post on X on June 18.
18 June 2026
International law enforcement agencies, with operational support from Europol, announced the disruption of the group behind the SocGholish malware framework as the latest phase of Operation Endgame.
Entities: SocGholish (malware); Operation Endgame (campaign); Germany, Netherlands, United States (target_region); Europol, RCMP, the US Federal Bureau of Investigation (FBI), Federal Criminal Police Office (BKA) (attribution)
Source: On 18 June 2026, the latest phase of Operation Endgame targeted the SocGholish malware operation, a prolific malware distribution network used to compromise systems and facilitate further cybercrime.
Source: On 18 June 2026, international law enforcement agencies, including the Netherlands National High-Tech Crime Unit (NHCTU), the Royal Canadian Mounted Police (RCMP), the US Federal Bureau of Investigation (FBI), and Germany's Federal Criminal Police Office (BKA), with operational support from Europol, announced the successful disruption of the group responsible for the SocGholish malware framework.
2026/06/18
Maikel Rollman said the action marks the beginning of further action against SocGholish.
Entities: SocGholish (malware)
Source: "This marks the beginning of further action against SocGholish," Rollman added in a press release published today.
2026/06/24
SocGholish Disrupts Europol's StealC and Amadey Malware Infrastructure.
Click on any entity below to view its context and source!
organisation
EUROPOL
Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware.
“The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.” reads the
report
published by EUROPOL.
infrastructure
106 servers
Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware.
This joint action (supported by Europol and Eurojust) was part of
Operation Endgame
, a major law enforcement operation targeting cybercrime now aimed at disrupting a key infection chain linked to Evil Corp.
Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline.
In the latest installment of the ongoing
Operation Endgame
, authorities seized 106 servers and many domains tied to
SocGholish
, a notorious malware framework that has plagued the Internet for nearly a decade as an initial-access broker for ransomware and other threats.
As part of the effort, 106 servers linked to SocGholish have been taken down and 14,971 WordPress sites have been rid of the infections.
organisation
the Netherlands National High Tech Crime Unit
"With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit
said
.
organisation
Maikel Rollman
This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware,"
said Maikel Rollman
, of the Netherlands' National High Tech Crime Unit.
infrastructure
100 servers
Coordinated by international law enforcement agencies with support from Europol and Eurojust, the operation remediated almost 15,000 compromised websites and disrupted more than 100 servers and domains used to distribute malware.
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp.
International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group.
By taking down the core infrastructure feeding these networks, officials seized over 100 command-and-control (C2) servers and remediated 14,971 such compromised websites.
organisation
Evil Corp
SocGholish is linked to Evil Corp, the Russian cybercriminal group previously responsible for Zeus and Dridex, and associated with multiple large-scale ransomware and money-laundering operations.
These are the same initial access points that allowed ransomware groups like Evil Corp, LockBit, RansomHub, and WastedLocker to obtain deeper access to corporate networks in the past.
Active since 2017 and also known as FakeUpdates, SocGholish is a
JavaScript (JS)-based downloader malware
that typically serves as a conduit for next-stage malware from
various threat actors
like
Evil Corp
(aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak).
organisation
Evil Corp.
The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp.
organisation
Phoenix CryptoLocker
The malware has been previously linked to
Evil Corp
, a Russian cybercrime gang active since 2007 that has been associated with the Zeus and Dridex malware families and was behind the
WastedLocker
,
Hades
,
Macaw Locker
, and
Phoenix CryptoLocker
ransomware operations.
organisation
creada
La actuación forma parte de
Operation Endgame
,
una iniciativa internacional creada para combatir las redes que facilitan ataques de ransomware y otras formas de ciberdelincuencia.
organisation
Después de la infección
Después de la infección, los atacantes pueden robar información, conseguir credenciales, desplazarse por una red empresarial o instalar ransomware.
organisation
los atacantes
Después de la infección, los atacantes pueden robar información, conseguir credenciales, desplazarse por una red empresarial o instalar ransomware.
organisation
un grupo de ciberdelincuentes
Las autoridades relacionan esta red con
Evil Corp
, un grupo de ciberdelincuentes conocido por utilizar otros programas maliciosos, como Zeus y Dridex, y por participar en campañas de ransomware y blanqueo de dinero.
organisation
campañas de ransomware
Las autoridades relacionan esta red con
Evil Corp
, un grupo de ciberdelincuentes conocido por utilizar otros programas maliciosos, como Zeus y Dridex, y por participar en campañas de ransomware y blanqueo de dinero.
organisation
LockBit
It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to
Infoblox
, which participated in the takedown.
These are the same initial access points that allowed ransomware groups like Evil Corp, LockBit, RansomHub, and WastedLocker to obtain deeper access to corporate networks in the past.
Active since 2017 and also known as FakeUpdates, SocGholish is a
JavaScript (JS)-based downloader malware
that typically serves as a conduit for next-stage malware from
various threat actors
like
Evil Corp
(aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak).
organisation
DoppelPaymer
It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to
Infoblox
, which participated in the takedown.
SocGholish has also been used to deploy other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult.
organisation
WastedLoocker
It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to
Infoblox
, which participated in the takedown.
organisation
DanaBot
Previously, Operation Endgame has also targeted
ransomware infrastructure
,
Smokeloader botnet customers
and servers, the
AVCheck site
, and various other
major
malware
operations
, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.
organisation
Trickbot, Smokeloader,
Previously, Operation Endgame has also targeted
ransomware infrastructure
,
Smokeloader botnet customers
and servers, the
AVCheck site
, and various other
major
malware
operations
, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.
organisation
WordPress
During the SocGholish portion of the operation, 14,971 infected websites were remediated, including restaurants, auto repair shops, and other everyday businesses whose WordPress installations had been quietly compromised and turned into malware distribution points.
The law-enforcement operation also remediated 14,971 websites, primarily hosted on WordPress, that had been compromised by SocGholish operators.
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites.
Ad
Falsas actualizaciones para infectar ordenadores
Los atacantes comprometían páginas web legítimas, muchas de ellas creadas con WordPress.
organisation
TDS
Affiliate threat actors have also used
Keitaro
, a commercial TDS frequently abused by cybercriminals, to drive traffic to SocGholish (Keitaro and parent company Apliteni
recently cooperated with researchers
at Infolox to disrupt abuse of their platform).
"SocGholish uses a layered delivery model and has been observed enabling multiple categories of follow-on payloads," the cybersecurity company
said
, adding the threat actor also collaborates with traffic distribution system (TDS) operators like TA2726.
TDS is a technology used to route site visitors to different destinations based on different factors.
The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.
organisation
Keitaro
Affiliate threat actors have also used
Keitaro
, a commercial TDS frequently abused by cybercriminals, to drive traffic to SocGholish (Keitaro and parent company Apliteni
recently cooperated with researchers
at Infolox to disrupt abuse of their platform).
If everything matches, the script uses a traffic distribution system like ParrotTDS or a Keitaro service run by TA2726 to route the user.
organisation
IAM
For example, Infoblox noted that domain-joined systems are valuable to SocGholish because they are likely connected to enterprise identity and access management (IAM) environments, which hold valuable user login information.
organisation
DEV-0243
Active since 2017 and also known as FakeUpdates, SocGholish is a JavaScript (JS)-based downloader malware that typically serves as a conduit for next-stage malware from various threat actors like Evil Corp (aka DEV-0243, Indrik Spider, and UNC2165), LockBit, RansomHub, Dridex, and Raspberry Robin (aka Roshtyak).
threat_actor
Indrik Spider
organisation
UNC2165
organisation
Orange Cyberdefense
[Figure: IP-geolocated SocGholish-compromised WordPress sites per country]
Orange Cyberdefense said it has observed SocGholish infections delivering loaders like Gholoader (another JavaScript-based loader) and MintsLoader, which, in turn, lead to the deployment of additional payloads like GhostWeaver, LockBit, AsyncRAT, and NetSupport RAT.
organisation
GhostWeaver
organisation
NetSupport
organisation
the Shadowserver Foundation
Many of the compromised WordPress instances have been modified to include criminal infrastructure operated by SocGholish, according to the Shadowserver Foundation.
organisation
the malware
An international operation cleans nearly 15,000 websites infected with the SocGholish malware.
organisation
the network of
used to keep the SocGholish network active.
organisation
Europol Disrupts
Europol Disrupts StealC and Amadey Malware Infrastructure in Operation Endgame.
financial
153,527 breached accounts
Operation Endgame 4.0 - 153,527 breached accounts.
organisation
Hackread.com
Hackread.com has covered Operation Endgame over the last couple of years.
infrastructure
1,000 servers
In November, as part of Operation Endgame, law enforcement agencies also took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations.
organisation
EuroJust
Agencies from the Netherlands, Canada, the United States and Germany took part in this operation, with the support of Europol and Eurojust.
organisation
the support of Europol
infrastructure
326 servers
Law enforcement and private partners actioned 326 servers and 142 domains, recovered 27 million stolen login credentials, and identified, flagged, and restricted over €41 million in criminal cryptocurrency assets.
infrastructure
142 domains
data_breach
27 million stolen login credentials
financial
€41 million in criminal cryptocurrency assets
organisation
TDSs
An international law enforcement operation disrupted a key cog in the cybercrime ecosystem and put a spotlight on the risks to enterprises posed by traffic distribution systems (TDSs).
From there, TDSs are used to redirect unsuspecting visitors from their intended destinations to the fake browser updates.
organisation
CMS
Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.
The next step involves gaining privileged access to content management systems (CMS) like WordPress, either by using stolen credentials or by exploiting vulnerabilities in unpatched plugins.
organisation
Google Chrome
It's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, and other popular software.
organisation
Mozilla Firefox
organisation
Gold Prelude
The operators of the malware have been tracked under various aliases, such as Gold Prelude, Mustard Tempest, Purple Vallhund, TA569 and UNC1543.
threat_actor
Mustard Tempest
organisation
Purple Vallhund
organisation
DNS
"This is a technique where a threat actor gains access to the authoritative DNS provider or registrar account panel for a legitimate domain, and uses their access to quietly create additional subdomains beneath the main ('apex') domain.
organisation
fake software updates
It works by tricking users with fake software or browser updates.
organisation
a
When someone visited one of these websites, a notice could appear stating that their browser urgently needed an update.
organisation
The message looked real
The message looked real, but the downloaded file contained malware.
organisation
unpatched installations
The cybercriminals gained access to the websites through weak passwords, stolen credentials or unpatched installations.
organisation
the risk of further
The authorities also noted that credentials relating to around 1.4 million websites had been leaked, which increases the risk of further unauthorised access.
organisation
the backdoors
During the operation, the experts removed the malware and the backdoors found on the affected websites.
organisation
the victim's computer
Its main function is to get into the victim's computer and facilitate the installation of other malicious programs.
organisation
a payment
This latter type of malware encrypts an organisation's files and demands a payment to recover them.
organisation
The operation made it possible to remove
More than a hundred servers and domains taken down
The operation made it possible to remove 106 servers and domains
organisation
the malware continues
By deactivating these systems, the authorities make it harder for the malware to keep communicating with the attackers and receiving new instructions.
organisation
However
However, this type of threat can reappear with new domains and servers.
organisation
How
How to protect a WordPress website
Website owners should change their access passwords, enable two-factor authentication and remove any administrator accounts they do not recognise.
organisation
the administrator accounts that
organisation
Also
It is also important to keep WordPress, its themes and the installed plugins up to date.
organisation
the plugins
organisation
GhoLoader
Clicking this button runs a hidden iframe that downloads GhoLoader, a first-stage JScript downloader.
organisation
JScript
organisation
PHP
This is achieved by installing fake plugins and PHP backdoors.
Tactical Metrics
Metric (infrastructure): 326 servers
Law enforcement and private partners actioned 326 servers and 142 domains, recovered 27 million stolen login credentials, and identified, flagged, and restricted over €41 million in criminal cryptocurrency assets.
Metric (infrastructure): 142 domains
Metric (data breach): 27,000,000 stolen login credentials
Metric (financial): 41,000,000 EUR in criminal cryptocurrency assets restricted
Metric (infrastructure): 106 servers
In the latest installment of the ongoing Operation Endgame, authorities seized 106 servers and many domains tied to SocGholish, a notorious malware framework that has plagued the Internet for nearly a decade as an initial-access broker for ransomware and other threats.
As part of the effort, 106 servers linked to SocGholish have been taken down and 14,971 WordPress sites have been rid of the infections.
Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware.
This joint action (supported by Europol and Eurojust) was part of Operation Endgame, a major law enforcement operation targeting cybercrime, now aimed at disrupting a key infection chain linked to Evil Corp.
Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline.
Metric (financial): 153,527 breached accounts
Operation Endgame 4.0 - 153,527 breached accounts.
Metric (infrastructure): 100 servers
Coordinated by international law enforcement agencies with support from Europol and Eurojust, the operation remediated almost 15,000 compromised websites and disrupted more than 100 servers and domains used to distribute malware.
In May 2024, the operation resulted in the seizure of around 100 servers belonging to dropper networks, including IcedID, SystemBC, Smokeloader, Trickbot, Pikabot, and Bumblebee, and by May 2025 the DanaBot network was dismantled, leading to charges against 16 people.
By taking down the core infrastructure feeding these networks, officials seized over 100 command-and-control (C2) servers and remediated 14,971 such compromised websites.
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp.
International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group.
Metric (infrastructure): 1,025 servers
Later, in November 2025, police shut down over 1,025 servers used by three other malware groups, terminating the core infrastructure of the Rhadamanthys infostealer, the VenomRAT remote control tool, and the Elysium botnet.
Metric (infrastructure): 1,000 servers
In November, as part of Operation Endgame, law enforcement agencies also took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations.
Intelligence Sources
Bit Life Media (2026-06-19)
CyberScoop (2026-06-18)
Have I Been Pwned (2026-06-18): Operation Endgame 4.0 - 153,527 breached accounts
HackRead (2026-06-18)
BleepingComputer (2026-06-18)
The Hacker News (2026-06-19)
Dark Reading (2026-06-23): SocGholish Takedown Highlights Malicious TDS Threats
Security Affairs (2026-06-24)
Incident Version History
Current version, last updated: 2026-06-29T06:46
Comprehensive Tactical Telemetry
Highly Correlated Entities
67x organisation (Identified Entity): Evil Corp (entity)
32x attribution (Attributing Entity): Europol (authority)
18x timeline (Temporal Reference): Between June 15 and 19, 2026 (date)
14x target region (Target Country): Canada (country)
12x malware (Malware Payload): SocGholish (tool)
7x industry (Targeted Sector): Government (sector)
6x tactic (Cyber Operation Type): Ransomware (tactic)
5x source region (Origin Country): Russian Federation (country)
5x infrastructure (Servers): 326 (servers)
4x campaign (Campaign): Operation Endgame (operation)
4x tactic (MITRE ATT&CK Technique): T1588.001 - Malware (technique)
2x general metric: 55 %
2x threat actor (APT Group): Indrik Spider (actor)
Contextual Telemetry
Context Block (15 metrics)
general metric: Infected Websites: 14,971
general metric: Infected Computers: 140,000
general metric: EUR: 41,000,000
infrastructure: Domains: 142
data breach: Stolen Login Credentials: 27,000,000
financial: EUR in criminal cryptocurrency assets restricted: 41,000,000
general metric: Public Parties: 30
general metric: Authorities: 1,400,000
general metric: Infected WordPress Websites: 15,000
general metric: Websites: 15
general metric: Millions: 14
general metric: Made it possible to remove: 106
general metric: Pages: 15
financial: Breached Accounts: 153,527
general metric: People: 16