Police clean nearly 15,000 SocGholish-infected sites tied to Evil Corp
2026-6-18 13:31:30 Author: www.bleepingcomputer.com

Operation Endgame

International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group.

This joint action (supported by Europol and Eurojust) was part of Operation Endgame, a major ongoing law enforcement campaign against cybercrime, which in this phase aimed to disrupt a key infection chain linked to Evil Corp.

Authorities from the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA) cleaned SocGholish malware infections from 14,971 compromised WordPress websites and took 106 servers and domains offline.


In addition to removing the malware and backdoors from the infected sites, the Dutch police advised the website owners to change their credentials, enable multi-factor authentication, delete any unknown WordPress accounts, and keep their WordPress installations up to date.

"With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware," said Maikel Rollman, of the Netherlands' National High Tech Crime Unit.

"It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish."

The SocGholish JavaScript-based malware downloader (also tracked as FakeUpdates and GhoLoader) has been used in attacks since at least 2017, and it works by hijacking legitimate websites (primarily WordPress sites) and tricking visitors into downloading malicious payloads, commonly disguised as fake browser updates.

When a user installs the malicious update, the malware opens a connection to the attackers, giving them access to the infected system. SocGholish has also been used to deploy other malware families, including Dridex, Doppelpaymer, Empire, Koadic, Chtonic, and Azorult.
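The infection chain described above starts with JavaScript injected into a legitimate site's pages. As an added example that is not part of the BleepingComputer article or any law enforcement tooling, the script below shows how a site owner can audit their own page HTML for the two things such an injection typically introduces: a script loaded from a host they do not recognise, or an inline script that decodes and loads code at runtime. The allowlist, the sample HTML and the heuristic patterns are constructed assumptions for illustration; a real audit would use the hosts the site actually depends on.

```python
"""Audit a WordPress page's HTML for injected or obfuscated scripts.

Added example; not from the article. Assumes the site owner can fetch
their own page HTML and knows which script hosts are legitimate.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

# Constructed heuristics for inline scripts: a long base64-looking blob,
# runtime decoding/evaluation, or dynamic creation of a <script> element.
SUSPICIOUS_INLINE = [
    re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    re.compile(r"eval\s*\(|atob\s*\(|unescape\s*\(|fromCharCode"),
    re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
]


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that warrant manual review."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # A relative src has no host and is same-origin; any other host
        # must be on the allowlist.
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script-unknown-host", src))
    for body in parser.inline:
        if any(p.search(body) for p in SUSPICIOUS_INLINE):
            findings.append(("inline-script-suspicious", body.strip()[:60]))
    return findings


# Constructed sample page: two legitimate scripts, one unknown third-party
# host, one benign inline script and one inline loader that decodes a blob.
BLOB = "QUJD" * 24  # constructed 96-character base64-like string
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="https://cdn.not-on-allowlist.invalid/stats.js"></script>
<script>document.addEventListener('DOMContentLoaded', function(){ console.log('ok'); });</script>
<script>var p='__BLOB__';var s=document.createElement('script');s.src=atob(p);</script>
</head><body></body></html>""".replace("__BLOB__", BLOB)

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

The heuristics deliberately err toward flagging: a legitimate analytics snippet can trip the inline patterns, so each finding is a prompt to inspect the script and the WordPress files that emit it, not a verdict on its own.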

The malware has been previously linked to Evil Corp, a Russian cybercrime gang active since 2007 that has been associated with the Zeus and Dridex malware families and was behind the WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker ransomware operations.

"This marks the beginning of further action against SocGholish," Rollman added in a press release published today.

In November, as part of Operation Endgame, law enforcement agencies also took down over 1,000 servers used by the Rhadamanthys, VenomRAT, and Elysium botnet malware operations.

Previously, Operation Endgame has also targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and various other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.




Article source: https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/