On June 18, 2026, the Dutch National Police announced the takedown of 106 servers and domains linked to SocGholish. The international coalition — NHCTU, RCMP, FBI, BKA, with support from Europol and Eurojust — cleaned 14,971 compromised WordPress sites. The operation expands Operation Endgame's mandate to initial-access infrastructure.
- The coalition took down 106 servers and domains and cleaned 14,971 compromised WordPress sites.
- SocGholish, active since 2017, uses obfuscated JavaScript on legitimate sites to profile victims and deliver second-stage malware via fake browser updates.
- Infoblox reports that roughly 55% of customer networks in its dataset attempted to contact SocGholish infrastructure over five months.
- Maikel Rollman of the NHCTU stated this operation marks "the beginning of further actions" against SocGholish.
How the Infection Machine Worked
SocGholish operated as a large-scale watering hole. Attackers compromised WordPress sites — estimated at up to one million over the group's history according to community research cited by Infoblox — and injected obfuscated JavaScript.
This script performed victim profiling: it detected developer tools, identified the browser, and waited for interactions such as mouse movement. Only after this selection did it display a fake browser update alert.
The downloaded file was disguised JavaScript. Once executed, it connected to attacker-controlled infrastructure to receive secondary payloads: infostealers or RATs. The model was modular: compromised sites were numerous, distributed, and often managed by small operators.
Operation Endgame Expands
The SocGholish takedown represents a significant tactical shift. Law enforcement targeted the mechanism that delivers malware into corporate networks.
This shift reflects a strategic reading. Ransomware groups depend on initial-access brokers and delivery infrastructure like that of TA569. The decision to strike SocGholish signals that authorities treat the criminal ecosystem as an interdependent network.
"With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish." — Maikel Rollman, Netherlands' National High Tech Crime Unit
Analysis: The Resilience Dilemma
TA569's affiliation with Evil Corp — a group active since 2007, responsible for Zeus, Dridex, WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker — suggests established organizational capabilities. Infoblox's threat intelligence team posed the central question: "The key question is whether and how quickly the actors can adapt."
Three adaptation paths are open to the group, and they are not equivalent. Rebuilding the current infrastructure is slow and exposed to new takedowns. Shifting to alternative hosting requires relationships with less cooperative providers. Adopting new models implies R&D and retraining affiliates.
The time required for each transition will determine the actual duration of the risk-reduction window. TA569 typically compromises sites directly but also accepts traffic from affiliates.
The Numbers and the Limits
The 14,971 sites cleaned — "nearly 15,000" according to Help Net Security — represent a fraction of the estimated one million sites historically controlled by TA569. The 106 servers taken down disrupted active C2, but not necessarily infections already established on endpoints.
Notification of site owners and cleanup assistance were part of the operation, according to both primary sources. The takedown did not produce arrests, as far as is known. The operation was purely infrastructural: a choice that maximizes immediate impact but leaves the group's human capacity intact.
The published reporting does not specify the exact nature of the secondary payloads distributed in the most recent campaigns, nor how many active endpoint infections were actually neutralized. It is also unknown how many sites remain compromised and unidentified.
What to Do Now
For WordPress site administrators:
- verify that your site does not appear among those notified as compromised by the coalition;
- update CMS, themes, and plugins to the latest versions;
- review accounts with administrative access for anomalies in creation or last login;
- check for unauthorized JavaScript in theme files or widgets.
For organizations:
- monitor network logs for past contacts with the 106 servers taken down;
- assess whether endpoints executed JavaScript from compromised WordPress sites during the period of activity;
- apply cleanup guidance provided by authorities if your site was notified.
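The two checks above (unauthorized JavaScript in theme files, and past contacts with the takedown infrastructure) can be scripted. The following is an added example written for this article, not tooling from the coalition or any cited source. It flags script tags loading from hosts outside an assumed allowlist, flags inline scripts that show at least two of the obfuscation tells described earlier (eval/atob chains, character-code runs, long encoded blobs), and matches a proxy log against an indicator list. The domains, IPs (RFC 5737 documentation ranges), allowlist, footer.php fragment and log lines are all constructed placeholders; the real list would be the one published by the authorities.

```python
"""Constructed triage helpers for the two checks above: spotting injected script
tags in WordPress theme files and matching proxy logs against a takedown indicator
list. All indicators and sample data are placeholders, not the coalition's list."""
import re
from dataclasses import dataclass

# Placeholder indicators standing in for the published takedown list (constructed).
TAKEDOWN_DOMAINS = {"placeholder-socgholish.invalid"}
TAKEDOWN_IPS = {"192.0.2.10", "198.51.100.25"}  # RFC 5737 documentation addresses
# Hosts the site legitimately loads scripts from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-legit.invalid"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
ABSOLUTE_HOST_RE = re.compile(r'^(?:https?:)?//([^/?#]+)', re.IGNORECASE)
# Heuristic tells of an obfuscated loader; two or more in one inline script flags it.
OBFUSCATION_RES = {
    "eval": re.compile(r'\beval\s*\('),
    "atob": re.compile(r'\batob\s*\('),
    "fromCharCode": re.compile(r'String\.fromCharCode'),
    "unescape": re.compile(r'\bunescape\s*\('),
    "long-base64": re.compile(r'[A-Za-z0-9+/=]{200,}'),
    "hex-escapes": re.compile(r'(?:\\x[0-9a-fA-F]{2}){8,}'),
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def scan_theme_file(path, content, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Flag <script src> tags loading from hosts outside the allowlist and inline
    scripts showing at least two obfuscation tells. Relative srcs count as local."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(content):
        host_match = ABSOLUTE_HOST_RE.match(m.group(1))
        if host_match:
            host = host_match.group(1).lower()
            if host not in allowed_hosts:
                findings.append(Finding(path, "external-script", host))
    for m in INLINE_SCRIPT_RE.finditer(content):
        tells = [name for name, rx in OBFUSCATION_RES.items() if rx.search(m.group(1))]
        if len(tells) >= 2:
            findings.append(Finding(path, "obfuscated-inline", ",".join(tells)))
    return findings


# Constructed four-field proxy log layout: timestamp, client IP, destination IP, URL.
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)')
URL_HOST_RE = re.compile(r'^(?:https?://)?([^/:?#]+)', re.IGNORECASE)


def indicator_match(candidate, domains=TAKEDOWN_DOMAINS, ips=TAKEDOWN_IPS):
    """Return the matching indicator (exact IP/domain, or parent domain) or None."""
    c = candidate.lower()
    if c in ips or c in domains:
        return c
    for d in domains:
        if c.endswith("." + d):
            return d
    return None


def scan_proxy_log(lines, domains=TAKEDOWN_DOMAINS, ips=TAKEDOWN_IPS):
    """Return (timestamp, client, indicator) for each line whose destination IP or
    URL host matches the takedown list; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url_host = URL_HOST_RE.match(m.group("url"))
        for cand in (m.group("dst"), url_host.group(1) if url_host else ""):
            ind = indicator_match(cand, domains, ips)
            if ind:
                hits.append((m.group("ts"), m.group("client"), ind))
                break
    return hits


# Constructed footer.php fragment: one local script, one allowlisted CDN, one
# protocol-relative loader from an unknown host, one eval(atob()) inline stub.
SAMPLE_FOOTER_PHP = """<?php wp_footer(); ?>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-legit.invalid/analytics.js"></script>
<script src="//static.placeholder-socgholish.invalid/loader.js"></script>
<script>var p=document;eval(atob("Y29uc29sZS5sb2coMSk="));</script>
</body></html>
"""

# Constructed log lines; one hits by destination IP, one by URL host, one is clean.
SAMPLE_PROXY_LOG = [
    "2026-06-10T09:14:02Z 10.0.0.12 192.0.2.10 http://placeholder-socgholish.invalid/report.php",
    "2026-06-10T09:15:11Z 10.0.0.12 203.0.113.5 https://www.example.com/",
    "2026-06-11T17:40:55Z 10.0.0.40 198.51.100.77 https://static.placeholder-socgholish.invalid/update.js",
    "not a parseable log line",
]


def run_demo():
    """Run both scans over the constructed samples and return their results."""
    return scan_theme_file("footer.php", SAMPLE_FOOTER_PHP), scan_proxy_log(SAMPLE_PROXY_LOG)


if __name__ == "__main__":
    theme_findings, log_hits = run_demo()
    for f in theme_findings:
        print(f"[theme] {f.path}: {f.kind} -> {f.detail}")
    for ts, client, ind in log_hits:
        print(f"[log] {ts} {client} contacted takedown indicator {ind}")
```

The allowlist approach is deliberate: an injected loader is usually a script tag the site owner never added, so anything not on the known-good host list is worth a look, while the two-tell threshold on inline scripts keeps legitimate minified code from flooding the output. Subdomain matching in `indicator_match` matters because a published list typically names apex domains while logs record full hostnames.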
Closing
The operation against SocGholish demonstrates that international coalitions can scale intervention beyond traditional botnet and ransomware targets. The figure of 14,971 sites cleaned and 106 servers taken down is measurable. Uncertainty remains on the speed of TA569 and Evil Corp's reaction.
Rollman's statement — "the beginning of further actions" — defines the scope: this is an operational turning point, not an epilogue. The group's ability to adapt will determine whether the risk-reduction window is measured in weeks or years.
Information has been verified against cited sources and is current as of publication.
Sources
- https://www.helpnetsecurity.com/2026/06/18/law-enforcement-socgholish-operation-endgame/
- https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/
- https://www.helpnetsecurity.com/2023/10/17/clearfake-malware-fake-browser-updates/