Operation Endgame: 14,971 WordPress Sites Cleaned in Global SocGholish Takedown

On June 19, 2026, a client forwarded us an email from their hosting provider. Their server had been flagged. A credential — belonging to a routine customer account on their WordPress site, not an administrator — had turned up in a security report. The detection was from March 2025. Fifteen months ago.

The data had been sealed. Frozen inside a 3-year international criminal investigation. On June 18, 2026, it unsealed.

The investigation was called Operation Endgame Season 3. And it had just executed the single largest WordPress malware remediation in history.

We investigated the client’s server and found no malware, no backdoors, no botnet activity. The credential had been harvested by a malware framework called SocGholish — but the client’s existing security practices had already neutralized the risk before the notification ever arrived. The story could have been different. For 14,971 other WordPress site owners, it was.

Here’s what happened, why it matters, and what every WordPress site owner should do right now.

What Happened on June 18, 2026

On Wednesday, June 18, law enforcement agencies from four countries — coordinated by Europol and Eurojust — unsealed data from a 3-year investigation and executed a coordinated action week against the SocGholish malware distribution network. The Shadowserver Foundation classified the associated Special Report as CRITICAL severity — its highest designation.

The scale of the operation:

| Metric | Number | Detail |
|---|---|---|
| WordPress sites remediated | 14,971 | Backdoors and malware removed by Dutch police |
| Servers and domains taken down | 106 | Botnet command-and-control infrastructure dismantled worldwide |
| Computers disinfected | 2,488 | RCMP-developed disruption technique applied remotely |
| WordPress credentials leaked | 1.4 million | Harvested across 187 countries (May 2023–May 2025) |
| Email addresses exposed | 154,000 | Added to Have I Been Pwned for public verification |
| Previously unseen passwords | 500,000+ | Added to HIBP; check your email at haveibeenpwned.com |

The agencies involved tell you how serious this was. The Dutch National High Tech Crime Unit (NHTCU) led the operation. Canada’s RCMP developed the technical disruption method. The FBI and Germany’s BKA were operational partners. Europol and Eurojust provided cross-border coordination. Behind them, over twenty private-sector partners — Microsoft, ESET, Proofpoint, CrowdStrike, Infoblox, Shadowserver, Spamhaus, and others — contributed threat intelligence and victim notification infrastructure.

Maikel Rollman of the NHTCU put it plainly:

“With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. This marks the beginning of further action against SocGholish.”

The data that triggered these actions came from the Shadowserver Foundation, which distributed a one-off Special Report on June 18 containing 1,441,695 instances of compromised WordPress sites — spanning 1,134,542 domains and 271,176 unique IP addresses across 7,550 networks in 187 countries. The dataset covered activity between May 2023 and May 2025. For two full years, SocGholish operated on compromised WordPress sites. Site owners had no idea. Their visitors had no idea. That’s how this malware works.

Operation Endgame: The Largest Cybercrime Disruption in History

This wasn’t a one-off takedown. Operation Endgame, launched in May 2024, is the largest international operation ever undertaken to combat botnets and ransomware enablers. It brings together law enforcement and judicial authorities from the Netherlands, Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom, and Canada — with Europol and Eurojust coordinating across borders.

Each season has escalated:

  • Season 1 (May 2024): The dropper malware ecosystem was disrupted at scale — the largest-ever operation against botnets at the time.
  • Season 2 (May–November 2025): The ransomware kill chain was broken at its source. Over 1,025 servers were taken down. Five arrests followed.
  • Season 3 (June 2026): SocGholish — a WordPress-focused infection chain used as the initial access vector for ransomware deployment — was dismantled.

The pattern is unmistakable. Each season, the target has been infrastructure that exploits WordPress sites as the attack surface. WordPress powers over 43% of all websites on the internet. Criminals go where the surface area is largest. Operation Endgame has made WordPress a focal point because WordPress is where the victims are.

The operation’s website — operation-endgame.com — lists sixteen individuals from the Russian cybercriminal group Evil Corp on the EU Most Wanted list. These are not anonymous hackers. They are named, photographed, and subject to active international arrest warrants.

What Is SocGholish? (And Why It Matters for WordPress)

SocGholish — also tracked as FakeUpdates, DEV-0206, GOLD PRELUDE, Mustard Tempest, TA569, and UNC1543 — is a JavaScript malware framework that has been active since at least 2017. Its purpose is not to deface websites or steal data directly. Its purpose is to turn legitimate WordPress sites into malware distribution platforms.

Here’s how it works: attackers compromise a WordPress site — typically through leaked or reused credentials, vulnerable plugins, or brute-force password attacks. Once inside, they inject obfuscated JavaScript into the site’s pages. When a visitor arrives, the script triggers a fake browser update prompt — designed to look exactly like a legitimate Chrome, Firefox, or Edge update notification. If the visitor downloads and runs the “update,” they’re actually installing malware that gives attackers remote access to their computer. That access is then sold or used to deploy ransomware, steal credentials, or move laterally through corporate networks.

The sites hosting these fake updates? They look completely normal. No defacement. No downtime. No warning in Google Search Console. The site owner sees a functioning WordPress site. Every visitor sees a malware trap.
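The injection pattern described above can be checked for with a small page scanner. This is an added example, not code from the original post or from Malcure: it flags inline scripts carrying the "ndsw" marker variable of the NDSW/NDSX variant named later in the post, script tags loaded from hosts outside an allow-list, and long whitespace-free inline scripts built around eval/atob. The sample page, the allow-list and the length threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
OBFUSCATION_HINTS = ("eval(", "atob(", "fromCharCode", "unescape(")

def script_host(src, site_host):
    """Hostname a script is loaded from; relative URLs count as first-party."""
    if src.startswith("//"):
        src = "https:" + src
    if "://" not in src:
        return site_host
    return (urlparse(src).hostname or "").lower()

def scan_html(html, site_host, allowed_hosts=()):
    """Return (reason, evidence) pairs for script tags that warrant review."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = script_host(src.group(1), site_host)
            if host != site_host and host not in allowed_hosts:
                findings.append(("external-script-host", host))
            continue
        if "ndsw" in body:  # marker variable used by the NDSW/NDSX variant
            findings.append(("ndsw-marker", body.strip()[:40]))
        elif (len(body) > 200 and any(h in body for h in OBFUSCATION_HINTS)
              and body.count(" ") < len(body) // 50):  # long, dense, eval-heavy
            findings.append(("obfuscated-inline-script", body.strip()[:40]))
    return findings

# Constructed sample page: a first-party script, an allow-listed third party,
# an NDSW-style stub (harmless stand-in) and a script from an unknown host.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>;if(ndsw===undefined){var ndsw=true;/* constructed stand-in */}</script>
<script src="//static.unknown-cdn.test/loader.js"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    allowed = ("www.google-analytics.com",)  # assumed allow-list for this site
    for reason, evidence in scan_html(SAMPLE_PAGE, "example.com", allowed):
        print(f"{reason}: {evidence}")
```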

SocGholish is linked to Evil Corp — a Russian cybercriminal group behind the Zeus and Dridex banking trojans, multiple ransomware strains, and large-scale money-laundering operations. Evil Corp has been sanctioned by the UK, US, and Australian governments. The group’s alleged leadership now appears on the EU Most Wanted list.

For a complete technical guide covering SocGholish detection methods, injection patterns, cleanup procedures, and prevention — including code-level detail on the NDSW/NDSX and khutmhpx variants — read our full SocGholish malware deep-dive (publishing soon — link will be updated).

1.4 Million Leaked Credentials: What This Means for WordPress Site Owners

Let’s put the credential number in perspective. 1.4 million WordPress logins — usernames and passwords — confirmed to be in criminal possession. Not guessed. Not inferred. Confirmed by law enforcement forensic analysis of seized SocGholish infrastructure.

The Shadowserver report that triggered the notifications contained detailed per-site data: the compromised domain, the login name, a redacted password hash, and the timeframe the credential was active. For the 14,971 sites that were actively infected, Dutch police removed the backdoors directly. For the broader set of 1.4 million credentials, the risk is different: these sites may not be actively infected today, but their credentials are known. They’re in a database. That database may have been sold, shared, or archived by other criminal groups. Credentials don’t expire.

If your WordPress site has been running since 2023 and you haven’t rotated credentials, there is a non-trivial probability that your login is in this dataset — and you would have no way to know unless you check Have I Been Pwned or received a direct notification through your hosting provider.

We investigated a client’s server after they received exactly this kind of notification. The compromised credential belonged to a customer-level account with no administrative privileges. The client had already performed a security audit before the notification arrived — passwords rotated, sessions killed, application passwords disabled, authentication salts regenerated. The server was clean: no malware, no backdoors, no botnet processes, no suspicious outbound connections. The credential was in the dataset. The risk had already been neutralized.

Send this to your developer or the person who manages your WordPress site. The credential audit steps below are copy-paste ready — they will know exactly what to check. If you manage client sites, forward this to your clients. The 5-step checklist and what-NOT-to-do list will save them from the most common post-notification mistakes.

Not every site owner was that prepared.

What WordPress Site Owners Must Do Now

Law enforcement has done their part. The backdoors on 14,971 sites have been removed. The botnet infrastructure is offline. The notification pipeline — Have I Been Pwned, DIVD, Spamhaus, Shadowserver, national CSIRTs — has reached affected site owners. What happens next depends on you.

Here is what the Dutch police, RCMP, and Shadowserver are urging every WordPress site owner to do immediately:

  1. Change all login credentials. WordPress admin, database, FTP/SFTP, hosting control panel, DNS provider — every access point. Use strong, unique passwords generated by a password manager. Do not reuse passwords across services.
  2. Enable multi-factor authentication. On every account that supports it. A leaked password alone should not be enough to access your site.
  3. Audit your WordPress user accounts. Delete any users you don’t recognize. Check that existing users have appropriate roles — not every account needs administrator access. Pay special attention to accounts created in the last 24 months that you don’t remember adding.
  4. Update everything. WordPress core, all themes, all plugins — apply every available update. Delete plugins and themes you’re not actively using. Deactivation is not enough; delete them.
  5. Check for unauthorized subdomains. SocGholish uses a technique called Domain Shadowing — creating malicious subdomains under your legitimate domain. Log into your DNS provider or hosting control panel and review every subdomain. If you see entries like update.yourdomain.com or cdn.yourdomain.com that you didn’t create, remove them.
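Steps 3 and 5 above can be run as checks over exported data rather than by eye. This is an added example, not code from the original post or from Malcure: the CSV mimics the shape of `wp user list --format=csv` output and the zone lines mimic a DNS export; both samples, the 24-month look-back and the expected-host lists are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 19)  # constructed reference date for the audit

def audit_users(csv_text, known_logins, now, lookback_days=730):
    """Flag accounts that are unknown, or administrators created recently."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login, roles = row["user_login"], row["roles"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in known_logins:
            findings.append((login, "unknown account"))
        if registered >= cutoff and "administrator" in roles:
            findings.append((login, "administrator created in look-back window"))
    return findings

def unexpected_subdomains(zone_text, domain, expected_hosts):
    """Return hostnames under `domain` that are not on the expected list."""
    found = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith(";"):  # skip comments/blank
            continue
        name = parts[0].rstrip(".").lower()
        if name.endswith("." + domain) and name not in expected_hosts:
            found.add(name)
    return sorted(found)

# Constructed sample exports: one account the owner never created, and two
# subdomains (update., cdn.) that do not appear on the expected list.
USERS_CSV = """ID,user_login,user_email,roles,user_registered
1,owner,owner@example.com,administrator,2019-03-02 10:11:12
2,editor1,editor@example.com,editor,2021-07-14 08:00:00
3,wp_support,sup@mail.test,administrator,2025-01-20 03:14:07
"""
ZONE = """; constructed zone export for example.com
example.com.        3600 IN A     203.0.113.10
example.com.        3600 IN MX    10 mail.example.com.
www.example.com.    3600 IN CNAME example.com.
mail.example.com.   3600 IN A     203.0.113.11
update.example.com. 300  IN A     198.51.100.7
cdn.example.com.    300  IN CNAME cdn.unknown-host.test.
"""

if __name__ == "__main__":
    print(audit_users(USERS_CSV, {"owner", "editor1"}, NOW))
    print(unexpected_subdomains(ZONE, "example.com", {"www.example.com", "mail.example.com"}))
```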

What not to do:

  • Do not ignore the notification. A hosting provider or Shadowserver notification is not a false positive. It means a credential was confirmed in criminal possession. Even if your site looks fine, the credential is compromised.
  • Do not assume a clean-looking site is a clean site. SocGholish produces no visible symptoms — no defacement, no downtime, no Google warning. The absence of evidence is not evidence of absence.
  • Do not change just one password. If attackers had access to your WordPress admin, assume they also harvested your database credentials, FTP credentials, and hosting panel access. Rotate everything.

Beyond the immediate steps, we recommend three additional measures that close the gap between “notified” and “protected”:

  • Run a malware scan. Most SocGholish infections produce no visible symptoms. Your site loads fine. Google doesn’t flag it. But malicious JavaScript is silently serving fake update prompts to your visitors. Our free WebScan tool detects SocGholish indicators — injected scripts, unauthorized admin users, suspicious plugin files, and domain shadowing evidence — in seconds. No installation required.
  • Deploy ongoing monitoring. The Malcure Advanced Edition plugin provides scheduled forensic scanning of files and databases with checksum verification against official WordPress APIs. If your site is modified — by you, by a plugin update, or by an attacker — you’ll know.
  • If you’re infected, get expert help. SocGholish infections can spread across thousands of files. The NDSW/NDSX variant alone was detected on over 110,000 sites in a single year. Manual cleanup is error-prone and time-consuming. If you don’t have a verified clean backup, our WordPress Malware Removal Service provides same-day expert cleanup with a full investigation report.

Not sure where to start? Run a free WebScan. It takes under 60 seconds and will tell you whether you need to take further action. If you want a deeper diagnostic before scanning, see our guide to the 9 signs your WordPress site is hacked — several of them overlap with SocGholish indicators.

This Is Not Over

Operation Endgame Season 3 disrupted SocGholish’s infrastructure. The botnet is offline. The 14,971 actively infected sites are clean. But the criminal group behind SocGholish — Evil Corp — is still operating. Sixteen named individuals remain on the EU Most Wanted list. The group has weathered takedowns before and adapted each time.

Maikel Rollman’s words are worth repeating: “This marks the beginning of further action against SocGholish.” More infrastructure takedowns, more arrests, more seasons of Operation Endgame are likely. The model works: public-private partnership, coordinated international action, victim notification at scale. But the model also depends on site owners doing their part.

WordPress powers 43% of the web. That’s not going to change. The attack surface isn’t going to shrink. What can change is how quickly site owners detect compromise, how systematically they rotate credentials, and how seriously they treat the mundane work of updates, user audits, and access control.

The criminals aren’t stopping. Neither should you.

Frequently Asked Questions

Was my WordPress site hacked?

The only way to know for certain is to scan. Run a free WebScan (works for any public website, not just WordPress). Check your email at haveibeenpwned.com. Audit your WordPress user accounts for unknown users. Review your DNS records for unauthorized subdomains. If you received a notification from your hosting provider or Shadowserver — act on it. Those notifications are not false positives.

What if my site was one of the 14,971 that were remediated?

Law enforcement removed the backdoors and malicious code from your site. That does not mean your site is secure. The attackers had your credentials. Change every password immediately — WordPress, database, FTP, hosting, DNS. Enable multi-factor authentication. Delete unknown user accounts. Update all software. Then scan to verify no residual malware remains.

Is SocGholish still active after this takedown?

The specific infrastructure — 106 servers and domains — has been dismantled. The botnet is disabled. But Evil Corp, the group behind SocGholish, remains operational. Assume the malware framework will adapt and re-emerge on new infrastructure. The credential database — 1.4 million logins — may already be in the hands of other criminal groups. The takedown removed the immediate threat. It did not remove the long-term risk.

How do I prevent this from happening to my site?

Use strong, unique passwords for every account. Enable multi-factor authentication everywhere. Keep WordPress core, themes, and plugins updated. Delete unused software — don’t just deactivate it. Run regular malware scans. Monitor your DNS records. Check Have I Been Pwned periodically. If you’re not sure whether your site is clean, start with a free scan.

How is this different from other WordPress malware?

Most WordPress malware leaves a visible trace — a defacement, a redirect, a Google warning, a hosting suspension. SocGholish leaves no trace visible to the site owner. Your site looks normal. Your visitors see a fake browser update and get infected. You may never know it happened unless a third party — like Shadowserver or law enforcement — tells you. That’s what makes this malware dangerous, and that’s why the Operation Endgame notification pipeline matters.

What should I do if I received a notification but nothing seems wrong?

Take it seriously. The absence of visible symptoms is exactly how SocGholish operates. A clean-looking site does not mean a clean site. Run a scan. Change your credentials. Audit your users. Review your DNS. The notification means a credential was confirmed in criminal possession — even if it hasn’t been used yet, it can be used at any time.

For a complete technical reference on SocGholish malware — including detection methods, injection patterns, and cleanup procedures — see our SocGholish deep-dive guide.

Written by
Principal Security Researcher, Malcure Web Security

Shiv has worked in security and infrastructure since 2002, with hands-on experience across enterprise network security, incident response, problem coordination, triage management, Windows and Linux systems provisioning, scripting automation, Nginx, ModSecurity, reverse proxies, web application firewalls, WordPress malware removal, malicious redirect cleanup, SEO spam remediation, WP-CLI workflows, vulnerability response, and website hardening. His research informs Malcure’s malware detection, cleanup, and hardening methodology.