Operation Endgame Strengthens Global Cybersecurity by Disrupting SocGholish and StealC Malware Networks
In a significant move against cybercrime, Operation Endgame has successfully dismantled critical infrastructure supporting the SocGholish, Amadey, and StealC malware families. This coordinated effort, led by Europol and Eurojust, involved international law enforcement agencies and private sector partners, resulting in the seizure of over EUR 41 million in criminal cryptocurrency assets, the recovery of approximately 27 million stolen login credentials, and the disruption of hundreds of servers and domains used for malware distribution.
The operation underscores a growing commitment among nations to combat cyber threats that increasingly target critical infrastructure, financial systems, and individual privacy. By targeting the underlying infrastructure rather than just individual malware variants, authorities aim to disrupt the entire ecosystem that enables cybercriminal activities.
Targeting Cybercrime Infrastructure
During the operation, law enforcement and industry partners focused on dismantling the infrastructure that supports malware delivery, rather than isolating specific malware families. This strategic approach led to actions against 326 servers and 142 domains, significantly disrupting malware distribution channels. The coordinated effort not only restricted criminal cryptocurrency assets valued at over EUR 41 million (approximately USD 47 million) but also recovered a staggering 27 million stolen login credentials.
According to Europol, the operation aimed to disrupt the “assembly line” used by cybercriminals to gain initial access to victim systems before deploying ransomware or stealing sensitive information. This proactive strategy is designed to increase operational costs for threat actors and complicate large-scale cyberattacks.
Image Source: Europol
The Role of SocGholish, Amadey, and StealC Malware
The operation specifically targeted three malware families that are frequently offered under the cybercrime-as-a-service model:
- SocGholish: This malware acted as a loader, distributing fake browser updates through compromised WordPress websites. Users who installed these updates unknowingly infected their systems, allowing attackers to gain initial access and later deploy ransomware or other malicious tools.
- StealC: Primarily focused on harvesting sensitive information stored on infected devices, StealC targeted passwords, authentication data, and digital identities. The stolen information was often used for fraud or traded within cybercriminal marketplaces.
- Amadey: Distributed mainly through phishing campaigns, Amadey provided attackers with initial access to compromised systems while also offering capabilities for information theft.
Microsoft reported that during the first two weeks of May 2026 alone, Amadey and StealC malware were linked to over 140,000 infected computers worldwide.
Remediation of Infected WordPress Sites
One of the largest actions under Operation Endgame targeted SocGholish, also known as FakeUpdates. Authorities remediated 14,971 infected WordPress websites, which included sites belonging to restaurants, automotive repair businesses, and other organizations. Investigators also disabled the SocGholish botnet by taking control of domains and shutting down supporting servers.
Website owners whose credentials had been compromised were notified through various platforms, including Have I Been Pwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and NL-NCSC. The Dutch Police urged WordPress administrators to change passwords, enable multi-factor authentication, remove unknown administrator accounts, and keep their websites updated to mitigate future risks.
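The "remove unknown administrator accounts" step above is the one most easily automated. The script below is an added example, not tooling from the article, Europol or the Dutch Police. It assumes the site operator has exported the `wp_users` rows and the `wp_capabilities` entries from `wp_usermeta` (for instance with `wp user list --role=administrator` or a database query) into the in-memory structures shown; the sample rows, the allowlist and the reference date are constructed for illustration. It parses WordPress's PHP-serialized role array and reports any administrator who is not on the operator's allowlist, noting when the account was created recently, which is the pattern a site owner reviewing a SocGholish compromise would want to see.

```python
"""Audit WordPress administrator accounts against an operator allowlist.

Added example, not code from the article or from any law-enforcement
or Europol tooling. Assumes wp_users / wp_usermeta rows have already
been exported into the structures below; all sample data is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of wp_users rows: (ID, user_login, user_email, user_registered)
WP_USERS = [
    (1, "editor_jane", "jane@example.com", "2021-03-04 10:00:00"),
    (2, "siteadmin", "admin@example.com", "2020-01-15 09:30:00"),
    (3, "wp-support", "support@mailbox-example.net", "2026-05-02 03:12:44"),
]

# Constructed sample of wp_usermeta values where meta_key = 'wp_capabilities'.
# WordPress stores roles as a PHP-serialized array: a:1:{s:13:"administrator";b:1;}
WP_CAPABILITIES = {
    1: 'a:1:{s:6:"editor";b:1;}',
    2: 'a:1:{s:13:"administrator";b:1;}',
    3: 'a:1:{s:13:"administrator";b:1;}',
}

# Matches each role entry whose value is true (b:1); disabled roles (b:0) are ignored.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Extract the active role names from a serialized wp_capabilities value."""
    return set(_ROLE_RE.findall(serialized))


def find_unknown_admins(users, capabilities, allowlist, now, recent_days=30):
    """Return administrator accounts that are not on the allowlist.

    Each finding records the account and the reasons it was flagged, so the
    operator can decide whether to remove it or add it to the allowlist.
    """
    findings = []
    for user_id, login, email, registered in users:
        roles = roles_from_capabilities(capabilities.get(user_id, ""))
        if "administrator" not in roles:
            continue  # non-admin roles are out of scope for this check
        if login in allowlist:
            continue  # known, expected administrator
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        reasons = ["not in allowlist"]
        if now - created <= timedelta(days=recent_days):
            reasons.append(f"created within last {recent_days} days")
        findings.append(
            {"id": user_id, "login": login, "email": email, "reasons": reasons}
        )
    return findings


if __name__ == "__main__":
    # Constructed allowlist and reference date for the sample data above.
    known_admins = {"siteadmin"}
    for f in find_unknown_admins(WP_USERS, WP_CAPABILITIES, known_admins,
                                 now=datetime(2026, 5, 20)):
        print(f"REVIEW admin #{f['id']} {f['login']} <{f['email']}>: "
              + "; ".join(f["reasons"]))
```

The allowlist should be maintained outside the WordPress database (the attacker controls that database on a compromised site), and any flagged account should be removed only after its posts are reassigned, since deleting a WordPress user otherwise deletes its content as well.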
SocGholish Linked to Evil Corp
Authorities have linked SocGholish to Evil Corp, a notorious Russian cybercriminal group previously associated with the Zeus and Dridex malware families, as well as multiple ransomware and money laundering operations. This connection highlights the broader implications of the operation, which aims not only to disrupt malware operators but also to dismantle the infrastructure that supports cybercriminal activities.
Europol emphasized that this strategy increases operational costs for threat actors and complicates the execution of large-scale cyberattacks. By disrupting the entire ecosystem, authorities hope to create a more challenging environment for cybercriminals.
Europol Coordinates Global Cyber Operation
Europol’s European Cybercrime Centre (EC3) played a crucial role in coordinating operational intelligence sharing through SIENA, while providing analytical, technical, and cryptocurrency tracing support throughout the investigation. This operation is part of a larger initiative described by Europol as the most extensive international effort to disrupt ransomware enablers worldwide.
Officials noted that the latest disruption reflects a growing international strategy of targeting the infrastructure that enables cybercrime operations, rather than merely responding after attacks have occurred. This proactive approach is essential in an era where cyber threats are becoming increasingly sophisticated and pervasive.
For further insights into the evolving landscape of cybersecurity, visit thecyberexpress.com.