We’re always happy to end the week with some positive news. A law enforcement action called Operation Endgame just delivered a major win against the long‑running SocGholish (aka FakeUpdates) operation.
SocGholish is a malware framework that has been active since at least 2017 and is best known for abusing hacked, legitimate WordPress sites to push fake browser and software updates to visitors. When a user clicks one of these convincing “update now” prompts, the malware opens a backdoor on the system, giving attackers initial access that is often used to deploy ransomware and other malicious software. The operation has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex malware, as well as major ransomware and money‑laundering schemes.
This week, Dutch police and the Public Prosecution Service, working with the Royal Canadian Mounted Police, FBI, German Federal Criminal Police Office, Europol, and Eurojust, struck directly at SocGholish’s infrastructure. As part of Operation Endgame, they took down 106 servers and domains and cleaned 14,971 infected WordPress sites that had been silently redirecting visitors into the FakeUpdates trap.
Investigators say they found exposed login credentials for around 1.4 million WordPress sites. To check whether any passwords associated with your email address have been exposed in a breach, use Malwarebytes Digital Footprint Scanner.
Dutch authorities also used their hacking powers to remove backdoors and malware from compromised sites and notified affected site owners, urging them to update WordPress, enable multi-factor authentication (MFA), and change passwords.
Authorities say the infected sites included everyday businesses such as restaurants and car garages, meaning visitors could have been exposed to malware simply by browsing trusted local websites.
The scale and intent matter here. Endgame is billed as the largest international operation against ransomware and cybercrime to date, and this SocGholish takedown specifically disrupts a key infection chain used by multiple ransomware groups. By breaking the link between thousands of everyday websites and a sophisticated malware‑as‑a‑service ecosystem, law enforcement has reduced the pool of future victims and increased the cost of operating for Evil Corp and its partners.
So, as you head into the weekend, here’s a malware story where the good guys actually pushed back and made it hurt.