A major international police operation has disrupted a Russian-linked cybercrime network responsible for infecting thousands of websites and computers worldwide. The enforcement action, part of an ongoing global effort called Operation Endgame, involved police agencies from multiple countries working together, with support from Europol and Eurojust, targeting a malware framework known as SocGholish.
Authorities say SocGholish is linked to Evil Corp, a Russian cybercriminal group active since 2017 that tricks users into downloading malicious files disguised as legitimate computer updates. Investigators say the malware spread through thousands of compromised WordPress sites, exploited through known vulnerabilities or stolen credentials, allowing criminals to gain unauthorized access to victims’ computer systems and personal data. The technique typically presents visitors with a fake browser update prompt, a method security researchers call a ClickFix-style attack, since clicking “update” installs malware rather than a browser update.
Investigators say the malware has affected all levels of society wherever it spread, from critical infrastructure to education and government systems. Authorities cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline during the coordinated action.
The operation deprives cybercriminals of access to infected computer systems, preventing further damage to digital systems worldwide and reducing the risk that compromised machines get used for attacks on critical infrastructure.
Evil Corp has previously been linked to the Zeus and Dridex banking trojans. It has also been linked to ransomware operations including WastedLocker, LockBit, and RansomHub. British law enforcement has separately connected the group to Russian intelligence, finding that the Kremlin has tasked it with cyberattacks and cyberespionage.
Authorities are urging WordPress site owners worldwide to change their login credentials, enable multi-factor authentication, delete any unrecognized WordPress accounts, and keep their sites fully updated to prevent reinfection.
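The advice above can be turned into a repeatable audit. The script below is an added example, not code from the article or from any of the agencies involved; it assumes WP-CLI (the `wp` command) is installed and that it runs from the site's root directory, and the `EXPECTED_USERS` allow-list is a constructed placeholder to replace with the accounts you actually created. It lists accounts you did not create, lists administrators whose passwords should be rotated and who should have multi-factor authentication enabled, and reports pending core, plugin and theme updates.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress site against the
# hardening advice above using WP-CLI. Assumptions: `wp` is installed and the
# script runs from the site's root; EXPECTED_USERS is a constructed placeholder
# allow-list to replace with your own account names.
set -u

EXPECTED_USERS="admin editor"   # constructed placeholder allow-list

# unknown_users ALLOWLIST
# Reads one username per line on stdin (the shape of
# `wp user list --field=user_login`) and prints every name that is not in the
# space-separated ALLOWLIST. Reading stdin keeps it testable without a live site.
unknown_users() {
  allow=" $1 "
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    case "$allow" in
      *" $name "*) ;;                 # expected account, stay quiet
      *) printf '%s\n' "$name" ;;     # unrecognized account: review and delete
    esac
  done
}

# count_lines: number of non-empty lines on stdin (used for pending updates)
count_lines() {
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] && n=$((n + 1))
  done
  echo "$n"
}

audit_site() {
  echo "== Unrecognized WordPress accounts (delete any you did not create) =="
  wp user list --field=user_login | unknown_users "$EXPECTED_USERS"

  echo "== Administrators (rotate each password and enable MFA for each) =="
  wp user list --role=administrator --fields=user_login,user_email,user_registered

  echo "== Pending updates (core, plugins, themes) =="
  wp core check-update --field=version
  wp plugin list --update=available --field=name
  wp theme list --update=available --field=name

  pending=$( { wp plugin list --update=available --field=name; \
               wp theme list --update=available --field=name; } | count_lines )
  echo "$pending plugin/theme updates outstanding"
}

# Run the live audit only when explicitly asked (`sh audit.sh run`), so the
# helper functions can be exercised offline.
if [ "${1:-}" = "run" ]; then
  audit_site
fi
```

The `unknown_users` helper takes the account listing on standard input rather than calling `wp` itself, so the same comparison logic can be run against an exported user list from a site you cannot shell into, and the allow-list comparison is exact on whole usernames, so a name such as `admin2` is still reported.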
