NETHERLANDS — Law enforcement agencies from the Netherlands, Canada, the United States, and Germany removed malware from 14,971 compromised WordPress websites. Authorities also disabled 106 servers and domains linked to the SocGholish botnet and the Evil Corp cybercrime group.
The operation, led by the Dutch National High Tech Crime Unit, received support from Europol and Eurojust. The initiative was conducted under the name Operation Endgame. Dutch police also removed backdoors from the affected websites, according to official records.
Dutch police advised website administrators to implement security measures. These recommendations included changing login credentials, enabling multi-factor authentication, removing unrecognized accounts, and updating their software. The SocGholish malware has been active since at least 2017 and is also identified as FakeUpdates and GhoLoader.
Maikel Rollman, an official with the unit, said: "With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber-attacks on critical infrastructure and other essential societal processes."
SocGholish compromises websites to deliver malicious payloads disguised as browser updates to visitors, and the installation of this payload establishes a remote connection that grants attackers access to the compromised system.
SocGholish distributors have used the malware to install Dridex, DoppelPaymer, Empire, Koadic, Chthonic, and AZORult. A press release from the National High Tech Crime Unit indicated that this operation marks the beginning of further enforcement action against SocGholish.
