• BCLCC - Brigade Centrale de Lutte Contre la Cybercriminalité logo
  • National enhed for Særlig Kriminalitet logo
  • Europol logo
  • Federal Bureau of Investigation logo
  • JUNALCO logo
  • National Crime Agency logo
  • Office anti-cybercriminalité logo
  • Openbaar Ministerie logo
  • Politie logo
  • FIOD logo
  • Unité nationale cyber de la Gendarmerie nationale logo
  • United States Secret Service logo
  • DCIS logo
  • Eurojust logo
  • Bundeskriminalamt logo
  • Royal Canadian Mounted Police logo
  • Ottawa Police Service logo
  • Belgian Federal Police logo
  • Australian Federal Police logo

News

Previously in Endgame

Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks

Coordinated actions take down criminal infrastructure; over 41 million EUR in criminal crypto assets seized

Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as part of a public-private effort.

This included law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, the US software company Microsoft and other private partners, with the international activity coordinated by Europol and Eurojust. The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.

Crypto assets of criminal origin currently valued at over 41 million EUR (47 million USD) were identified, flagged, and thereby restricted from use. Moreover, as many as 27 million stolen login credentials have been recovered as part of this operation.

During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.

“Cybercrime-as-a-service” business model

The neutralised malware variants were offered as a service (“cybercrime-as-a-service”), with other cybercriminals using them as a tool for the initial infection of targeted systems. They subsequently served as a starting point for further criminal activities, such as installing ransomware for digital extortion or fraudulent use of data.

  • The malware SocGholish (a so-called dropper/loader) allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach, which has caused countless victims, is primarily done by hacking websites built with WordPress and infecting them with malware. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.
  • The malware StealC (a so-called stealer with dropper function), which was spread through multiple attack vectors, was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraudulent use.
  • The malware Amadey (a so-called dropper/loader) was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had stealer capabilities and could therefore retrieve sensitive data.

A blow to cybercriminal infrastructure

During the action against SocGholish, 14 971 infected websites - including those of restaurants, auto repair shops, and other everyday services - were remediated. SocGholish is linked to the Russian cyber‑criminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.

Key actions included:

  • Cleaning infected WordPress sites and notifying victims, urging them to update their platforms and strengthen login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notifications via platforms like HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver and NL-NCSC, alerting website owners whose credentials were leaked.

Call to WordPress users

The Dutch Police have already removed vulnerabilities from infected sites and notified owners. WordPress users are urged to:

  • change their login credentials;
  • enable multi‑factor authentication;
  • delete any unknown additional WordPress accounts;
  • keep their WordPress site up‑to‑date in the future.

Prevent your computer from being infected by SocGholish malware

SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs a fake update, the malware opens a connection to the hackers, who subsequently gain access to the computer system. With this so-called initial access, even more dangerous software can then be installed.

Watch out for the following signs to avoid this:

  • Never trust pop‑ups that appear in your browser.
  • Do not trust updates that are overly flashy and scream for immediate action.
  • Do not trust updates just because they look very legitimate.
  • A genuine update always comes from the official source, for example via your system settings or the app store.

A new approach: targeting the cybercrime “assembly line”

This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners disrupted the entire chain that allows cyberattacks to scale. Amadey and StealC, two widely used malware tools, were targeted by Microsoft in tandem due to their interconnected roles.

Amadey gains initial access to devices, while StealC extracts passwords and sensitive data. Together, they form a critical link in the cybercrime supply chain. According to insight collected by Microsoft, in just the first two weeks of 2026 May, Amadey and StealC were linked to over 140 000 infected computers worldwide.

Europol’s support

Europol played a central role in this international operation by providing operational coordination and facilitating seamless collaboration among law enforcement agencies from the participating countries. It ensured real-time information sharing via SIENA, enabling synchronised efforts across borders.

Europol’s European Cybercrime Centre (EC3) delivered critical analytical and technical support, conducting crosschecks on attribution, infrastructure, and financial investigations. The EC3 also provided cyber intelligence for victim notifications and shared actionable insights with public and private partners. Europol’s crypto tracing experts contributed by tracking illicit financial flows and identifying assets. Additionally, Europol coordinated prevention strategies to ensure a unified response and provided strategic oversight through the Joint Cybercrime Action Taskforce (J-CAT), aligning national investigations under a cohesive framework.

International law enforcement initiate hunt on malware group SocGholish

In Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. Within an international cooperation, 14.971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely: Evil Corp.

SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors, with the aim of gaining unauthorized access to their computer systems. WordPress is the world’s most widely used platform for building websites. According to WordPress, more than 43% of all websites on the internet are powered by WordPress. The login credentials of 1.4 million websites have been leaked. That means these sites are vulnerable to malware infection. About 14.971 sites that provide everyday services have been infected with this malware. This includes websites of restaurants or auto‑garages.

Maikel Rollman, National High Tech Crime Unit: “With these actions we deprive cybercriminals of access to infected computer systems. This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware. It also reduces the risk that these systems are used for cyber‑attacks on critical infrastructure and other essential societal processes. This marks the beginning of further action against SocGholish.”

14.971 websites remediated and disruption of the SocGholish botnet

In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.

Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated. In addition, the following actions were carried out:

  • Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).

Call to all WordPress website owners

The Dutch police have removed backdoors and malware from the infected WordPress sites. The owners of these sites have been informed. They are urged to:

  • change their login credentials;
  • enable multi‑factor authentication;
  • delete any unknown additional WordPress accounts;
  • keep their WordPress site up‑to‑date in the future.

Do you also have a WordPress website? Prevent yourself from becoming a victim in the future by applying these security steps.

Prevent your computer from being infected by SocGholish malware

SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs a fake update, the malware opens a connection to the hackers, who subsequently gain access to the computer system. Whit this so-called initial access, even more dangerous software can then be installed.

Tips to prevent infection:

  • Never trust pop‑ups that appear in your browser.
  • Do not trust updates that are overly flashy and scream for immediate action.
  • Ensure you have an up-to-date virus scanner and leave it enabled during the installation of new software.
  • A genuine update always comes from the official source, for example via your system settings or the app store.

SocGholish malware and Evil Corp

SocGholish has been a constant threat since 2017 and is used to install malware on users, including various ransomware strains that have been employed to attack critical infrastructures. This has resulted in many victims. This is primarily done by hacking websites built with WordPress and infecting them with malware.

SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.

End of the game for cybercrime infrastructure: 1025 servers taken down

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was arrested in Greece on 3 November 2025.

The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100.000 crypto wallets belonging to these victims, potentially worth millions of euros. Check if your computer has been infected and what to do if so: https://www.politie.nl/checkyourhack and https://haveibeenpwned.com.

Operation ENDGAME strikes again: the ransomware kill chain broken at its source

Cybercriminals around the world have suffered a major disruption after law enforcement and judicial authorities, coordinated by Europol and Eurojust, dismantled key infrastructure behind the malware used to launch ransomware attacks. From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets, dealing a direct blow to the ransomware kill chain.

In addition, EUR 3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during Operation Endgame to EUR 21.2 million.

This latest phase of Operation ENDGAME follows on from the largest-ever international action against botnets in May 2024. It targeted new malware variants and successor groups that re-emerged after last year’s takedowns, reinforcing law enforcement’s capacity to adapt and strike back – even as cybercriminals retool and reorganise.

Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns

In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’. Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines.

Customers used the service to deploy malware for their own criminal activities. Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame.

Robust international actions against illicit virtual currency exchanges

Operation Endgame continues taking actions to disrupt the cybercriminal ecosystem. In the last week, multiple cryptocurrency exchanges were taken offline by international law enforcement agencies and judicial authorities. These service providers facilitated many different criminal financial flows, such as ransomware.

Money laundering facilitates all kinds of serious crime and enables criminals to stay out of reach of investigative authorities. Service providers have an obligation to investigate whether money may have a criminal origin. Knowingly accepting cryptocurrencies derived from crime and thus facilitating money laundering is always punishable by law.

Several botnets dismantled in largest international operation

During a joint action by international law enforcement agencies and judicial authorities several botnets that played a key role in cybercrime were dismantled. Four arrests were made and sixteen premises were searched worldwide over the past few days. Additionally, eight summons were served against suspects. Many national and international organisations in the public and private sectors also played an important role in this operation.

The operation enabled us to simultaneously take down these botnets and disrupt the infrastructure used by cybercriminals. Botnets are used for different types of cybercrime, for example ransomware. The dismantled botnets consisted of millions of infected computer systems.

Many of the victims were not aware of the infection of their systems. The estimated financial loss these criminals have caused to companies and government institutions amounts to hundreds of millions of euros.

This large-scale action is called Operation Endgame.

Operation Endgame does not end today. New actions will be announced on this website.

If you have information about the suspects in Operation Endgame, feel free to contact us

Partners

  • IBM X-Force logo
  • Infoblox logo
  • Shadowserver logo
  • Cryptolaemus logo
  • Team Cymru logo
  • Prodaft logo
  • Proofpoint logo
  • Sekoia logo
  • Zscaler logo
  • Abuse.ch logo
  • Spamhaus logo
  • Have I Been Pwned logo
  • Bitdefender logo
  • Crowdstrike logo
  • Lumen logo
  • Spycloud logo
  • Trellix logo
  • ESET logo
  • Microsoft logo
  • DIVD logo
  • NCSC logo