SocGholish is a JavaScript malware downloader that compromises legitimate WordPress websites to deliver malicious payloads disguised as fake browser updates. Once installed by a victim, it establishes a connection to attackers, enabling remote access and further malware deployment. The malware has been linked to the Russian cybercrime group Evil Corp, known for multiple ransomware and banking malware campaigns. In a coordinated international law enforcement effort involving agencies from the Netherlands, Canada, the US, and Germany, nearly 15,000 infected WordPress sites were cleaned and 106 servers and domains taken offline. The Dutch police removed malware and backdoors from infected sites and recommended security best practices to site owners. This action disrupts a major infection vector used by Evil Corp and limits further damage and spread of malware.

The SocGholish malware enabled attackers to gain unauthorized access to infected systems by tricking users into installing fake browser updates. This access facilitated deployment of additional malware families, potentially leading to data theft, system compromise, and further cyberattacks. The widespread infection of nearly 15,000 WordPress sites posed a significant risk to visitors and the broader internet ecosystem. The takedown and cleaning of these sites reduce the risk of ongoing exploitation and propagation of malware linked to Evil Corp.

Law enforcement agencies have already cleaned the infected WordPress sites and taken down associated servers, significantly disrupting the threat. Website owners are advised to change all credentials, enable multi-factor authentication, remove unknown WordPress accounts, and keep their WordPress installations up to date to prevent reinfection. No additional immediate action is required beyond these recommended security practices.