Operation Endgame has hit SocGholish, the long-running FakeUpdates malware operation that abuses legitimate websites to push fake browser updates. Dutch Police said the joint action week disrupted 106 servers and domains and remediated 14,971 websites that had been infected with SocGholish malware.[1]
The story matters for ordinary WordPress operators, not just threat-intelligence teams. SocGholish has relied on compromised legitimate sites as delivery points: a visitor lands on a trusted page, sees a fake update prompt, runs the offered file, and may end up with a loader, infostealer, remote-access tool, or ransomware follow-on. The Dutch Police specifically urged WordPress owners to change credentials, enable multi-factor authentication, remove unknown admin accounts, and keep the site updated.[1]
The RCMP added a useful operational detail on June 18: investigators in Vancouver developed and refined a disruption technique that helped mass-disinfect 2,488 computers worldwide, while 14,971 websites were actioned in the broader operation. The Canadian release also says the technique should prevent future SocGholish reinfection on the affected sites.[2]
There is also a credential angle. Have I Been Pwned added an Operation Endgame 4.0 breach entry after authorities provided 154,000 impacted email addresses and more than half a million previously unseen passwords tied to the SocGholish disruption.[3] Anyone who manages WordPress, hosting, email, or admin-panel accounts should treat that as another reason to rotate passwords rather than assuming the takedown alone closes the risk.
Proofpoint tracks the group behind SocGholish as TA569 and says the actor has used web injects, traffic distribution systems, and GhoLoader to turn compromised sites into malware-delivery infrastructure. In recent chains, the injected JavaScript profiles the browser, avoids obvious analysis environments, waits for mouse movement, and then replaces the page with a fake browser-update lure.[4] That makes the infection harder for site owners to notice during a casual homepage check.
What WordPress owners should check now
If you run a WordPress site, start with the obvious but often-missed checks: review administrator accounts, rotate passwords for WordPress and hosting panels, enable MFA, update core/plugins/themes, and remove unused plugins or themes. Then search the site for suspicious injected JavaScript, unfamiliar must-use plugins, strange recently modified PHP files, and unexpected admin-ajax behavior. A clean homepage is not enough because SocGholish-style scripts can filter visitors before showing the fake update page.
For endpoint teams, treat recent fake browser-update downloads as a serious lead. HowToFix has covered this user-facing side of the problem before in the FakeUpdates removal guide, and similar web-injection patterns have shown up in ClickFix campaigns against compromised CMS sites. The WordPress supply-chain angle also overlaps with the recent OptinMonster/PushEngage backdoor incident, where trusted website code became the delivery path.
Infoblox said the operation dealt a major blow to TA569 by disrupting infrastructure and victim traffic sources, but it also warned that the ecosystem may adapt. Its visibility showed nearly 55% of its cloud customers were exposed to SocGholish in 2026, even though only a smaller number appeared to reach the final attack stage.[5] Help Net Security likewise noted that the practical question is whether the actors rebuild, shift infrastructure, or move to a new delivery model.[6]
The short version: if your organization owns WordPress sites, do not wait for a notification. Confirm the site is patched, review accounts and file integrity, check server logs for unfamiliar script delivery, and rotate reused credentials. If a user recently ran a browser-update file from a website, handle the endpoint as potentially compromised even if the original delivery domain has now been disrupted.
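One way to script the file-level checks above on a Linux host, as an added example that is not part of the original article or any cited vendor's tooling: a POSIX shell triage helper. The obfuscation pattern list, the WP_SCAN_ROOT variable and the default install path are assumptions for illustration; a hit is a lead for review, not proof of compromise.

```shell
#!/bin/sh
# Added triage helper (assumption: POSIX sh with find/grep on the web host,
# and the WordPress install at the path passed as the first argument).

# PHP files changed in the last N days under wp-content, where injected
# scripts and rogue plugins typically land (default: 7 days).
recent_php() {
  root="${1:-/var/www/html}"; days="${2:-7}"
  find "$root/wp-content" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Must-use plugins load on every request and never show in the normal
# plugin list, so enumerate the directory explicitly.
list_mu_plugins() {
  root="${1:-/var/www/html}"
  find "$root/wp-content/mu-plugins" -type f 2>/dev/null | sort
}

# Files carrying common markers of obfuscated injected JavaScript.
# Pattern list is an illustrative assumption; legitimate minified code
# can match too, so review each hit rather than deleting on sight.
suspicious_js() {
  root="${1:-/var/www/html}"
  grep -rlE --include='*.php' --include='*.js' --include='*.html' \
    'String\.fromCharCode|atob\(|eval\(|document\.write\(|unescape\(' \
    "$root/wp-content" 2>/dev/null | sort
}

# Usage: WP_SCAN_ROOT=/var/www/html sh triage.sh
if [ -n "${WP_SCAN_ROOT:-}" ]; then
  echo "== PHP files modified in the last 7 days"; recent_php "$WP_SCAN_ROOT" 7
  echo "== must-use plugins";                     list_mu_plugins "$WP_SCAN_ROOT"
  echo "== files with obfuscation markers";       suspicious_js "$WP_SCAN_ROOT"
fi
```

Pair the file listing with your hosting panel's access and error logs for the same window, since the article notes a clean-looking homepage does not rule out a filtered injection.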
References
- Dutch Police, “International law enforcement initiate hunt on malware group SocGholish”, June 18, 2026.
- Royal Canadian Mounted Police, “Operation Endgame—RCMP join international partners in crackdown of Russian cybercriminal network”, June 18, 2026.
- Have I Been Pwned, “Operation Endgame 4.0 Data Breach”, added June 18, 2026.
- Proofpoint Threat Research, “Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation”, June 17, 2026.
- Infoblox Threat Intel, “Hot Take: Operation Endgame VS SocGholish”, June 18, 2026.
- Help Net Security, “Law enforcement hits SocGholish: 106 servers down, 15,000 sites cleaned”, June 18, 2026; updated June 19, 2026.