Operation Endgame Strikes at SocGholish Botnet and Evil Corp Infrastructure
International law enforcement agencies have launched a significant offensive against the **SocGholish** botnet and its ties to the notorious **Evil Corp** cybercrime group. This latest phase of **Operation Endgame** has resulted in the cleanup of nearly 15,000 malware-infected **WordPress** websites and the takedown of over 100 associated servers and domains.

In a coordinated effort, authorities from the Netherlands (**NHCTU**), Canada (**RCMP**), the United States (**FBI**), and Germany (**BKA**), supported by **Europol** and **Eurojust**, have significantly disrupted a key infection chain linked to **Evil Corp**.
### Widespread Cleanup and Server Takedowns
The operation saw the removal of **SocGholish** malware and backdoors from 14,971 compromised **WordPress** sites. Concurrently, 106 servers and domains instrumental to the botnet's infrastructure were taken offline.
Dutch police, in addition to removing the injected code, advised owners of the cleaned sites to change credentials, enable multi-factor authentication, delete any unknown **WordPress** accounts, and keep their sites updated. The cleanup strips the malware itself, not the stolen credentials or rogue administrator accounts through which the attackers gained access, so a site that skips these steps can simply be re-infected.
**Maikel Rollman** of the Netherlands' National High Tech Crime Unit emphasized the impact: "With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware."
He added, "It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against **SocGholish**."
### Understanding SocGholish and Evil Corp
**SocGholish**, also tracked as **FakeUpdates** and **GhoLoader**, is a JavaScript-based malware downloader active since at least 2017. It operates by compromising legitimate websites, primarily **WordPress** sites, and injecting JavaScript that shows visitors a fake browser-update prompt; the "update" they download is the malicious payload.
Once run, the loader connects to attacker-controlled infrastructure, giving the operators access to the infected system and a foothold for follow-on payloads. **SocGholish** has been a vector for deploying various other malware families, including **Dridex**, **Doppelpaymer**, **Empire**, **Koadic**, **Chthonic**, and **Azorult**.
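The injection described above leaves a trace a site owner can look for: a `<script>` tag in a theme or plugin file that loads from an origin the site never used, or an inline loader that hides its real source behind `atob`/`eval`/`document.write`. The scanner below is an added example for this article and for the cleanup advice in the previous section; it is not code from the article, from the police operation, or from any WordPress project. It walks a document root, parses each PHP/HTML file for script tags, and flags off-site sources and obfuscation markers. The hostnames, theme name, marker list and sample files are all constructed for illustration and are not SocGholish indicators.

```python
"""Added example, not from the article or the agencies it describes.
Scans a WordPress tree for the injection pattern SocGholish-style campaigns use:
a <script> dropped into a template that loads from an attacker-controlled origin,
or an inline loader carrying obfuscation markers.  Hosts, file names and
sample content are constructed placeholders, not real indicators."""
import re
import tempfile
from collections import namedtuple
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

Finding = namedtuple("Finding", "path kind detail")

# Assumed heuristic markers for inline loaders; they are not a signature set.
OBFUSCATION_MARKERS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"document\.write\s*\("),
    re.compile(r"createElement\s*\(\s*['\"]script['\"]"),
    re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),  # long base64-like blob
]


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML/PHP text."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []          # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_suspicious(text, path, site_hosts, allow_hosts=frozenset()):
    """Return Findings for scripts the site owner did not put there:
    off-site script sources and inline scripts with loader/obfuscation markers."""
    parser = _ScriptCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs have no host and are served by the site itself.
        if host and host not in site_hosts and host not in allow_hosts:
            findings.append(Finding(path, "external-script", src))
    for body in parser.inline:
        hits = [m.pattern for m in OBFUSCATION_MARKERS if m.search(body)]
        if hits:
            findings.append(Finding(path, "obfuscated-inline", ", ".join(hits)))
    return findings


def scan_tree(root, site_hosts, allow_hosts=frozenset(), exts=(".php", ".html", ".htm")):
    """Walk a WordPress document root and collect findings from every template/page file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings.extend(find_suspicious(text, rel, site_hosts, allow_hosts))
    return findings


# Constructed sample files: one untouched template, one with an appended loader.
CLEAN_HEADER = """<?php /* constructed: untouched theme file */ ?>
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.documentElement.className = 'js';</script>
</head>"""

INJECTED_FOOTER = """<?php wp_footer(); ?>
<!-- constructed: attacker-appended loader; hostname is a placeholder -->
<script src="//static.example.invalid/update/browser.js"></script>
<script>var p=atob('aGVsbG8=');document.write(p);</script>
</body></html>"""


def demo():
    """Build the constructed two-file theme in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "sample-theme")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(CLEAN_HEADER, encoding="utf-8")
        (theme / "footer.php").write_text(INJECTED_FOOTER, encoding="utf-8")
        return scan_tree(tmp, site_hosts={"blog.example.com"},
                         allow_hosts={"fonts.googleapis.com"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.kind} -> {f.detail}")
```

Run against a real install, `site_hosts` should hold every hostname the site legitimately serves from and `allow_hosts` the third-party CDNs it deliberately uses; anything else that loads a script is a lead to triage, not proof of compromise. The inline heuristics trade precision for recall, which is the right side to err on when the alternative is leaving a loader in place after the police cleanup.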
The malware has a long-standing association with **Evil Corp**, a Russian cybercrime syndicate active since 2007. This group is known for its involvement with **Zeus** and **Dridex** malware and has been behind significant ransomware operations such as **WastedLocker**, **Hades**, **Macaw Locker**, and **Phoenix CryptoLocker**.
### Ongoing Impact of Operation Endgame
This latest action is part of the broader **Operation Endgame**, which has systematically targeted major cybercrime infrastructure. In November, the operation saw the takedown of over 1,000 servers used by the **Rhadamanthys**, **VenomRAT**, and **Elysium** botnet malware operations.
Previous phases of **Operation Endgame** have also disrupted ransomware infrastructure, targeted **Smokeloader** botnet customers and seized its servers, taken down the **AVCheck** site, and targeted other prominent malware operations including **DanaBot**, **IcedID**, **Pikabot**, **Trickbot**, **Bumblebee**, and **SystemBC**.
The ongoing success of **Operation Endgame** underscores the commitment of international law enforcement to dismantle cybercriminal networks and protect digital ecosystems globally.