Law enforcement agencies have dismantled a major portion of the infrastructure behind SocGholish malware, a long-running threat that has infected thousands of websites worldwide. Authorities removed malicious code from nearly 15,000 compromised WordPress sites and seized servers used to distribute malware to unsuspecting visitors.

The operation involved agencies from multiple countries and formed part of the wider Operation Endgame initiative, which targets large cybercrime networks. Investigators say the effort disrupted one of the internet’s most persistent malware delivery systems.

Authorities Clean Thousands of Infected Websites

According to officials, investigators cleaned malware and backdoors from 14,971 compromised WordPress websites. They also disrupted 106 servers and domains used to support the operation.

The takedown focused on infrastructure linked to SocGholish, a malware campaign that has been active for years. Security researchers and law enforcement agencies have long connected the operation to cybercriminal activity associated with Evil Corp.

Authorities described the action as an important step in reducing the threat posed by the malware. However, investigators indicated that additional enforcement actions may follow as they continue to target remaining infrastructure.

Fake Updates Powered the Infections

SocGholish malware spreads through compromised websites that display fake browser update messages. Visitors are tricked into downloading what appears to be a legitimate software update. In reality, the download installs malicious code on the victim’s device.

Researchers have tracked the campaign since at least 2018. Over the years, the malware has evolved into a highly effective initial access platform used to deliver additional threats. Victims often receive ransomware, information stealers, remote access tools, or other malware after the initial infection.

The campaign relies heavily on trust. Attackers compromise legitimate websites and use them to present fake update prompts, making the attacks appear convincing to visitors.

Website Owners Urged to Strengthen Security

Investigators recommend that affected website owners review their systems for unauthorized changes and update all WordPress software. Security experts also advise changing administrative passwords, enabling multi-factor authentication, and removing unknown accounts.

Although the operation significantly reduced the size of the network, security researchers warn that similar malware campaigns continue to target vulnerable websites. Organizations that maintain public-facing web infrastructure should continue monitoring for signs of compromise and keep systems fully patched.

Conclusion

The SocGholish malware takedown marks one of the largest website cleanup efforts in recent years. By removing malicious code from nearly 15,000 websites and disrupting key infrastructure, authorities have weakened a malware operation that helped cybercriminals gain access to thousands of systems. The action demonstrates how international cooperation can disrupt large-scale cybercrime operations, though defenders must remain vigilant as threat actors continue to adapt.


0 responses to “SocGholish Malware Removed From Nearly 15,000 Websites”