Operation Endgame Dismantles SocGholish Botnet, Cleans 15K Sites

International law enforcement destroys 15K SocGholish-infected WordPress sites and 106 C2 servers in coordinated takedown of Evil Corp-linked cybercrime network.

    International law enforcement and private security partners executed “Operation Endgame,” a coordinated takedown that destroyed nearly 15,000 WordPress websites infected with SocGholish malware and dismantled 106 SocGholish command-and-control servers and domains. The operation targeted the SocGholish botnet linked to Evil Corp, the Russian cybercrime group responsible for one of the most persistent malware distribution campaigns of the past decade.

    The takedown represents a rare successful multi-jurisdictional enforcement action against a long-standing malware distribution network. The SocGholish campaign has been active since at least 2019, distributing banking trojans, ransomware, and credential stealers through compromised WordPress sites that acted as malicious redirects.

    The SocGholish WordPress Distribution Network

    SocGholish used compromised WordPress sites as its primary malware distribution platform, turning the very infrastructure organizations use to host legitimate content into vectors for credential theft, banking malware delivery, and ransomware deployment. The 15,000-site cleanup number reflects the breadth of the infection — WordPress powers over 40 percent of all websites globally, making the platform an attractive canvas for botnet operators.

    The operation’s scope extended beyond infrastructure destruction. Law enforcement partners identified and dismantled 106 C2 servers and associated domains, effectively neutralizing the command-and-control layer that coordinated the botnet’s distribution operations.

    The Scale of WordPress Compromise Under SocGholish

    By compromising WordPress sites that attracted organic visitors through search engine results and direct traffic, SocGholish operators ensured a steady stream of new infections without needing to generate their own visitor traffic. This approach made the malware distribution exceptionally difficult to detect through traditional cybersecurity monitoring because infected sites appeared completely legitimate to security tools, hosting real content with valid SSL certificates while carrying malicious redirect payloads.
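A site owner or responder checking for the kind of injection described above needs to look past the legitimate content and valid certificate at the scripts the page actually serves. The following is an added illustration, not code from the article or from any law enforcement partner: it parses a page's HTML, flags script tags loaded from hosts outside the site's own allowlist, and flags inline scripts that navigate the browser elsewhere. The sample page, the host names and the redirect heuristic are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristic for inline redirect code; an assumption, not a SocGholish signature.
REDIRECT_RE = re.compile(r"(window\.location|location\.(href|replace|assign))\s*[=(]")

class _ScriptCollector(HTMLParser):
    """Collect every <script> as (src attribute or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._body = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._body = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.scripts.append((self._src, "".join(self._body)))
            self._src, self._body = None, None

def find_suspicious_scripts(html, allowed_hosts):
    """Flag scripts loaded from hosts outside allowed_hosts and inline scripts
    that redirect the visitor. Returns a list of (reason, detail) tuples."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            # Protocol-relative "//host/x.js" must be resolved to get a hostname.
            host = urlparse(src if "://" in src else "https:" + src).hostname
            if host and host not in allowed_hosts:
                findings.append(("external-src", src))
        elif REDIRECT_RE.search(body):
            findings.append(("inline-redirect", body.strip()[:80]))
    return findings

# Constructed sample page: the site's own jQuery, one injected loader, one inline redirect.
SAMPLE_HTML = """<html><head>
<script src="https://example-site.test/wp-includes/js/jquery.js"></script>
<script src="//cdn.attacker-placeholder.test/loader.js"></script>
</head><body><p>Legitimate post content</p>
<script>setTimeout(function(){window.location='https://redirect-placeholder.test/';},1000);</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_HTML, {"example-site.test"}):
        print(reason, detail)
```

Run it against the HTML a real visitor receives (fetched with a browser-like User-Agent), since injected loaders are often served only to ordinary visitors and not to the logged-in administrator.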

    Evil Corp Infrastructure and Residual Threat

    The involvement of Evil Corp links the SocGholish operation to a broader Russian cybercrime ecosystem that has proven resilient to prior enforcement actions. The group’s operational model includes redundant infrastructure, geographic diversification of personnel, and the ability to fragment command structures across multiple criminal organizations.

    Post-Takedown Rebuilding Risks

    The connection between SocGholish and the broader Evil Corp cybercrime ecosystem means the threat remains active even after the takedown. Security researchers monitoring the post-takedown environment noted that SocGholish-associated infrastructure sometimes reappears in new forms, suggesting the 106 destroyed C2 servers represent a significant but incomplete disruption of the operation's capabilities.
