Global Law Enforcement Disrupts Evil Corp’s SocGholish Malware Network
An international law enforcement operation has dismantled a major malware network tied to the Russia-based cybercrime group Evil Corp, seizing over 100 servers and disinfecting nearly 15,000 compromised websites that were used to distribute malicious software. Authorities from the Netherlands, Canada, the U.S., and Germany announced the takedown on Thursday. It targeted the SocGholish botnet, also known as FakeUpdates, which has been active since 2017.
The operation disrupted the botnet by seizing domain names and shutting down servers that infected visitors to legitimate websites, including small businesses like restaurants and auto repair shops. Dutch police also removed malware and backdoors from thousands of hacked WordPress sites and notified affected owners.
SocGholish spreads through fake browser or software update prompts served from compromised legitimate websites, tricking visitors into installing malware that establishes a foothold for further attacks. According to the FBI, the botnet has been used to deploy ransomware and espionage tools, serving as an initial-access gateway for multiple ransomware groups, including DoppelPaymer, WastedLocker, Hades, LockBit, and RansomHub.
Evil Corp, sanctioned by the U.S. in 2019 for its role in the Dridex banking malware, which is linked to over $100 million in global financial losses, has long been associated with SocGholish. Cybersecurity firm Infoblox, which assisted in the operation, confirmed the malware's role in enabling ransomware campaigns.
Maikel Rollman of the Dutch National High Tech Crime Unit stated the takedown deprived cybercriminals of access to infected systems, mitigating further harm to individuals and organizations. He described the action as "the beginning of further efforts" against SocGholish.
Source: https://therecord.media/socgholish-botnet-disrupted
RansomHub TPRM report: https://www.rankiteo.com/company/mandiant
"id": "man1781879096",
"linkid": "mandiant",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Hospitality',
'Automotive',
'Other small businesses'],
'location': 'Global (primarily U.S., Canada, '
'Netherlands, Germany)',
'name': 'Small businesses (e.g., restaurants, auto '
'repair shops)',
'size': 'Small',
'type': 'Businesses'},
{'industry': 'Various',
'location': 'Global',
'name': 'WordPress site owners',
'type': 'Website owners'},
{'location': 'Global',
'name': 'End-users (visitors to compromised websites)',
'type': 'Individuals'}],
'attack_vector': 'Fake browser or software update prompts (drive-by download)',
'customer_advisories': 'Users are advised to avoid fake update prompts and '
'ensure their systems are protected with up-to-date '
'security software.',
'date_publicly_disclosed': '2024-05-16',
'description': 'An international law enforcement operation has dismantled a '
'major malware network tied to Russia-based cybercrime group '
'Evil Corp, seizing over 100 servers and disinfecting nearly '
'15,000 compromised websites used to distribute malicious '
'software. The operation disrupted the SocGholish botnet (also '
'known as FakeUpdates), which has been active since 2017, by '
'seizing domain names and shutting down servers that infected '
'visitors to legitimate websites, including small businesses '
'like restaurants and auto repair shops.',
'impact': {'financial_loss': '$100 million (historical Dridex-related losses)',
'operational_impact': 'Disruption of malware distribution '
'infrastructure, prevention of further '
'infections',
'systems_affected': '15,000 compromised websites, infected '
'end-user systems'},
'initial_access_broker': {'backdoors_established': True,
'entry_point': 'Compromised WordPress sites, fake '
'update prompts'},
'investigation_status': "Ongoing (described as 'the beginning of further "
"efforts')",
'lessons_learned': 'The takedown highlights the importance of international '
'law enforcement collaboration in disrupting cybercriminal '
'infrastructure and the role of third-party cybersecurity '
'firms in supporting such operations.',
'motivation': ['Financial gain', 'Ransomware deployment', 'Espionage'],
'post_incident_analysis': {'corrective_actions': ['Seizure of malicious '
'infrastructure',
'Disinfection of '
'compromised websites',
'Public awareness campaigns '
'about fake updates'],
'root_causes': ['Unpatched or vulnerable WordPress '
'sites',
'Social engineering (fake update '
'prompts)',
'Lack of user awareness about '
'malicious update prompts']},
'ransomware': {'ransomware_strain': ['DoppelPaymer',
'WastedLocker',
'Hades',
'LockBit',
'RansomHub']},
'recommendations': ['Website owners should regularly update and secure their '
'WordPress installations to prevent compromise.',
'Users should avoid installing software updates from '
'untrusted sources or pop-up prompts.',
'Organizations should monitor for signs of SocGholish '
'infections and implement endpoint detection and response '
'(EDR) solutions.',
'Law enforcement and cybersecurity firms should continue '
'collaborative efforts to dismantle botnets and malware '
'distribution networks.'],
'references': [{'source': 'Dutch National High Tech Crime Unit'},
{'source': 'FBI'},
{'source': 'Infoblox'}],
'regulatory_compliance': {'legal_actions': 'U.S. sanctions imposed on Evil '
'Corp in 2019'},
'response': {'communication_strategy': 'Public announcement by law '
'enforcement agencies',
'containment_measures': ['Seizure of 100+ servers',
'Shutdown of malicious domains',
'Removal of malware/backdoors from '
'compromised sites'],
'law_enforcement_notified': True,
'remediation_measures': ['Disinfection of 15,000 websites',
'Notification to affected site owners'],
'third_party_assistance': 'Infoblox (cybersecurity firm)'},
'stakeholder_advisories': 'Law enforcement agencies have advised affected '
'website owners to check for and remove '
'malware/backdoors from their systems.',
'threat_actor': 'Evil Corp',
'title': 'Global Law Enforcement Disrupts Evil Corp’s SocGholish Malware '
'Network',
'type': 'Malware Distribution / Botnet Takedown',
'vulnerability_exploited': 'Compromised WordPress sites, social engineering '
'(fake updates)'}
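The report's recommendations tell WordPress site owners to check their installs for injected code and backdoors, and the article describes the infection chain: a hacked site serves an injected script that shows the fake update prompt. The following Python script is an added example of how a site owner could perform that check; it is not tooling from the article, the Dutch police, Infoblox or the Rankiteo report. It assumes the owner kept a SHA-256 manifest of the known-good install (the approach WordPress core checksums support) and an allowlist of hosts permitted to serve JavaScript on the site; both are hypothetical inputs here. The script flags files that changed since the baseline, script tags loading from hosts outside the allowlist, and inline JavaScript or PHP that uses generic loader/webshell constructs (eval, base64 decoding, input passed to eval). These are generic heuristics, not SocGholish indicators, and the injected domain and file contents in the demo are constructed for illustration.

```python
"""Integrity and injected-script check for a WordPress install.

Added example (not from the article or any law-enforcement tooling).
Assumptions: a known-good hash manifest exists, an allowlist of script
hosts is maintained, and the regexes below are generic heuristics that
must be reviewed by a human; they are not SocGholish IOCs.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
# Runtime code evaluation / decoding inside inline JS is rare in a theme's
# own scripts and common in injected loaders (heuristic, assumption).
SUSPICIOUS_JS = re.compile(r'\b(eval|atob|unescape|document\.write)\s*\(|String\.fromCharCode')
# Classic PHP backdoor shape: eval/system fed by decoded or user-supplied data.
SUSPICIOUS_PHP = re.compile(
    r'\b(eval|assert|system|passthru|shell_exec)\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(POST|GET|REQUEST))')
SCAN_SUFFIXES = (".php", ".html", ".htm")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative, '/'-separated) under root to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files added, modified or removed relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def external_script_hosts(html, allowed_hosts):
    """Script src URLs whose host is not allowlisted. Relative paths are
    served by the site itself and are skipped; '//host/x.js' is normalised."""
    flagged = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        if host and host not in allowed_hosts:
            flagged.append(src)
    return flagged


def suspicious_inline_scripts(html):
    return [body.strip()[:60] for body in INLINE_SCRIPT_RE.findall(html) if SUSPICIOUS_JS.search(body)]


def scan_site(root, baseline, allowed_hosts):
    """Re-hash the install, then inspect only files that changed or appeared."""
    changes = diff_manifest(baseline, build_manifest(root))
    findings = []
    for rel in changes["added"] + changes["modified"]:
        if not rel.endswith(SCAN_SUFFIXES):
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        findings += [(rel, "external-script", src) for src in external_script_hosts(text, allowed_hosts)]
        findings += [(rel, "suspicious-inline", s) for s in suspicious_inline_scripts(text)]
        if rel.endswith(".php") and SUSPICIOUS_PHP.search(text):
            findings.append((rel, "suspicious-php", SUSPICIOUS_PHP.search(text).group(0)))
    return {"changes": changes, "findings": findings}


# Constructed sample site: a clean theme header, then the same header with an
# injected remote loader and an obfuscated inline script, plus a dropped webshell.
CLEAN_HEADER = ('<html><head>\n<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
                '<script src="https://cdn.example/analytics.js"></script>\n</head><body>')
INJECTED_HEADER = CLEAN_HEADER + (
    '\n<script src="//cdn.example-injected.test/update.js"></script>'
    '\n<script>var p=atob("ZG9jdW1lbnQ=");document.write(unescape(p));</script>')
WEBSHELL = "<?php eval(base64_decode($_POST['c'])); ?>"


def demo():
    """Build the sample site, take a baseline, simulate the compromise, scan."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "shop")
        os.makedirs(theme)
        header = os.path.join(theme, "header.php")
        with open(header, "w") as fh:
            fh.write(CLEAN_HEADER)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';")
        baseline = build_manifest(root)          # taken while the site is clean
        with open(header, "w") as fh:            # attacker edits the theme
            fh.write(INJECTED_HEADER)
        with open(os.path.join(root, "wp-content", "uploads.php"), "w") as fh:
            fh.write(WEBSHELL)                   # attacker drops a backdoor
        return scan_site(root, baseline, {"shop.example", "cdn.example"})


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changes"])
    for rel, kind, detail in result["findings"]:
        print(f"{kind:18} {rel}: {detail}")
```

Run against a real install, the baseline manifest should be generated from a fresh copy of the same WordPress, theme and plugin versions (or from core checksums) rather than from the live site, since a site that is already compromised would bake the injected code into the baseline. Every hit is a lead for a human to inspect, not a verdict; legitimate plugins sometimes use the same constructs.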