
14,971 WordPress Sites Cleaned in Global SocGholish Takedown Cybercrime

3 min read · SecurityXP

Data from Infoblox shows that approximately 55% of its cloud customers attempted to reach SocGholish infrastructure this year alone, with the attacks targeting almost “every industry sector” over the past five months. The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructure. “This marks the beginning of further action against SocGholish.”

The Criminal Operation

“This distribution […] reinforces that SocGholish is not a niche threat limited to one vertical,” the company said.

Further details indicate that law enforcement agencies in four countries, working with Europol and private partners, have disrupted SocGholish infrastructure and cleaned up nearly 15,000 infected WordPress websites.

“These disruptions force adversaries to rebuild, retool, and reassess, creating valuable opportunities for defenders to get ahead of emerging threats.”

Key Takeaways

Operation Endgame disrupted infrastructure tied to TA569, taking down more than 100 servers and domains and remediating nearly 15,000 compromised websites.

Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.

“With these actions we deprive cybercriminals of access to infected computer systems,” a spokesperson said.

Victims & Losses

“This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware.”

Some of the most targeted verticals included government, education, banking, healthcare, non-IT services, financial services, IT consulting, utilities, insurance, and transportation.

Active since 2017 and also known as FakeUpdates, SocGholish is a malware framework injected into websites running popular content management systems, such as WordPress, Joomla, and Drupal, either via known vulnerabilities or stolen credentials.

“This is a technique where a threat actor gains access to the authoritative DNS provider or registrar account panel for a legitimate domain, and uses their access to quietly create additional subdomains beneath the main (‘apex’) domain.” “These malicious subdomains are often given common host names that hide in plain sight and blend in with the domain owner’s legitimate DNS infrastructure, but will point to criminal-operated external malicious infrastructure, effectively piggybacking on a domain’s established reputation and making it harder for defenders to easily detect or block illicit activity.” What’s more, the infected websites are frequently exploited by multiple threat actors, exposing unsuspecting site visitors to a sophisticated cluster of potential threats.
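As an added example (not from the article or from Infoblox), a check a domain owner can run over a DNS zone export to surface the kind of quiet additions the quoted description refers to: records under the apex that are not in the owner's inventory, or that point at address space or providers the owner does not recognise. The zone, hostnames, networks and inventory below are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample zone export for a hypothetical apex; no real data.
APEX = "example-corp.test."
SAMPLE_ZONE = """\
example-corp.test.         A     203.0.113.10
www.example-corp.test.     CNAME example-corp.test.
mail.example-corp.test.    A     203.0.113.25
cdn.example-corp.test.     CNAME example-corp.test.cdn-vendor.test.
portal.example-corp.test.  A     203.0.113.40
assets.example-corp.test.  A     198.51.100.77
"""

# Assumed inventory: hostnames, address space and providers the owner recognises.
KNOWN_HOSTS = {APEX, "www." + APEX, "mail." + APEX, "cdn." + APEX}
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_CNAME_SUFFIXES = ("." + APEX, ".cdn-vendor.test.")

@dataclass
class Finding:
    name: str
    rtype: str
    target: str
    reason: str

def parse_zone(text):
    """Yield (name, type, target) from a minimal whitespace-separated zone dump."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        yield parts[0].lower(), parts[1].upper(), parts[2].lower()

def audit_zone(text, apex=APEX, known_hosts=KNOWN_HOSTS,
               networks=OWN_NETWORKS, cname_suffixes=TRUSTED_CNAME_SUFFIXES):
    """Flag records under the apex that fall outside the owner's inventory."""
    findings = []
    for name, rtype, target in parse_zone(text):
        if name != apex and not name.endswith("." + apex):
            continue  # record belongs to some other zone
        if name not in known_hosts:
            findings.append(Finding(name, rtype, target, "hostname not in inventory"))
        if rtype == "A" and not any(ipaddress.ip_address(target) in n for n in networks):
            findings.append(Finding(name, rtype, target, "A record points outside known address space"))
        elif rtype == "CNAME" and target != apex and not target.endswith(cname_suffixes):
            findings.append(Finding(name, rtype, target, "CNAME target is not a known provider"))
    return findings
```

Calling audit_zone(SAMPLE_ZONE) lists the two unexpected hosts; on a real domain, feed it the provider's zone export together with your own hostname and address inventory.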

“The actor has also compromised websites in virtually every industry, from nonprofits and schools, to healthcare and hospitals, to legal and real estate organizations.” DNS threat intelligence firm Infoblox described SocGholish as a multi-stage JavaScript framework that converts compromised websites into drive-by download malware delivery vehicles.

According to Infoblox, approximately 55% of cloud customers were exposed to SocGholish this year, which demonstrates the high risk the botnet poses to enterprises worldwide.

How the Malware Works

SocGholish is distributed via compromised websites, where it masquerades as updates for web browsers such as Google Chrome or Mozilla Firefox and for other popular software. The framework operates in four main stages: traffic acquisition, traffic filtering, payload lures, and on-device implant execution. The malware profiles a victim’s browser, performs specific checks, and then overwrites the entire webpage with a fake browser update to entice the user into downloading a malicious payload, Proofpoint explains.

Protection Steps

  1. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.

  2. The Dutch police say notifications were also sent to WordPress site owners whose compromised credentials were identified, urging them to change their logins, enable MFA, delete suspect accounts, and keep their sites updated.
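As an added example (not from the article or from Proofpoint), a small scanner a site owner can run over the HTML and template files of a WordPress install to surface script tags that load code from hosts other than the site's own, and inline stubs that build a script element at runtime, two common shapes of an injected loader. The sample page, hostnames and first-party host below are constructed.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample page: one first-party script plus two injected patterns.
# Every host here is a placeholder, not a real indicator.
SAMPLE_HTML = """\
<html><head>
<script src="https://www.example-site.test/wp-includes/js/jquery.js"></script>
<script src="https://stats.third-party-placeholder.test/loader.js"></script>
<script>
var s=document.createElement('script');s.src=atob('UExBQ0VIT0xERVI=');document.head.appendChild(s);
</script>
</head><body><h1>Welcome</h1></body></html>
"""

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Constructs typical of a stub that fetches a second stage at runtime.
LOADER_MARKERS = ("createElement('script')", 'createElement("script")',
                  "document.write(", "atob(", "eval(")

def scan_html(html, first_party_hosts):
    """Return (external script URLs, [(markers hit, snippet)] for inline loaders)."""
    external = []
    for url in SCRIPT_SRC_RE.findall(html):
        host = urlparse(url).hostname  # relative URLs have no host and are skipped
        if host and host.lower() not in first_party_hosts:
            external.append(url)
    inline = []
    for body in INLINE_SCRIPT_RE.findall(html):
        hits = [m for m in LOADER_MARKERS if m in body]
        if hits:
            inline.append((hits, body.strip()[:80]))
    return external, inline

def scan_directory(root, first_party_hosts, exts=(".php", ".html", ".js")):
    """Run scan_html over every page/template file under root (e.g. a WordPress install)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    ext, inl = scan_html(fh.read(), first_party_hosts)
                if ext or inl:
                    report[path] = (ext, inl)
    return report
```

Anything scan_directory reports is a starting point for review, not proof of compromise: legitimate plugins also load third-party scripts, so keep the first-party set and an allowlist of known vendors current.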

Analysis

Organizations should review their exposure and apply available mitigations promptly.
