Fragments, logs, whispers... Connections form. The story evolves. Some actors return. New ones emerge. Names you might recognize. Others you won't. Not yet.
We never left. Some of you kept moving. Some stood still. All were seen.
What's next? You'll see. Not all at once, and perhaps not where you'd expect.
Need to talk? You know where to find us. We'll be listening. And watching.
International law enforcement initiates hunt for the SocGholish malware group
In Operation Endgame, a major operation this week disrupted a key infection chain used
by cybercriminals. In an international cooperative action, 14.971 websites infected with
SocGholish malware were remediated. This malware is used by a criminal group that plays
a pivotal role in international cybercrime: Evil Corp.
SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors,
with the aim of gaining unauthorized access to their computer systems.
WordPress is the world’s most widely used platform for building websites. According to
WordPress, more than 43% of all websites on the internet are powered by WordPress.
The login credentials of 1.4 million websites have been leaked, which leaves these sites
vulnerable to malware infection. About 14.971 sites that provide everyday services, such as
the websites of restaurants and car garages, have been infected with this malware.
Maikel Rollman, National High Tech Crime Unit: “With these actions we deprive cybercriminals
of access to infected computer systems. This prevents further damage to the digital systems
of citizens, businesses and organizations worldwide and limits the spread of malware.
It also reduces the risk that these systems are used for cyber‑attacks on critical
infrastructure and other essential societal processes. This marks the beginning of further
action against SocGholish.”
14.971 websites remediated and disruption of the SocGholish botnet
In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and
Germany (BKA), with support from Europol and Eurojust, delivered a major blow to
SocGholish’s criminal infrastructure during a joint action week.
Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated.
In addition, the following actions were carried out:
Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
Disabling the SocGholish botnet by taking over domain names and taking servers offline.
Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).
Call to all WordPress website owners
The Dutch police have removed backdoors and malware from the infected WordPress sites.
The owners of these sites have been informed. They are urged to:
change their login credentials;
enable multi‑factor authentication;
delete any unknown additional WordPress accounts;
keep their WordPress site up‑to‑date in the future.
Do you also have a WordPress website? Prevent yourself from becoming a victim in the future
by applying these security steps.
Prevent your computer from being infected by SocGholish malware
SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software
updates, for example for internet browsers. When someone installs a fake update, the
malware opens a connection to the hackers, who subsequently gain access to the computer
system. With this so-called initial access, even more dangerous software can then be installed.
Tips to prevent infection:
Never trust pop‑ups that appear in your browser.
Do not trust updates that are overly flashy and scream for immediate action.
Ensure you have an up-to-date virus scanner and leave it enabled during the installation of new software.
A genuine update always comes from the official source, for example via your system settings or the app store.
SocGholish malware and Evil Corp
SocGholish has been a constant threat since 2017 and is used to install malware on users' systems,
including various ransomware strains that have been employed to attack critical infrastructure.
This has resulted in many victims. The malware is spread primarily by hacking websites built with
WordPress and infecting them with malware.
SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously
been responsible for Zeus and Dridex malware and is also associated with several large‑scale
ransomware and money‑laundering operations.