Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks
Coordinated actions take down criminal infrastructure; over 41 million EUR in criminal crypto assets seized
Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as part of a public-private effort.
This included law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States, the US software company Microsoft and other private partners, with the international activity coordinated by Europol and Eurojust. The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.
Crypto assets of criminal origin currently valued at over 41 million EUR (47 million USD) were identified, flagged, and thereby restricted from use. Moreover, as many as 27 million stolen login credentials have been recovered as part of this operation.
During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.
“Cybercrime-as-a-service” business model
The neutralised malware variants were offered as a service (“cybercrime-as-a-service”), with other cybercriminals using them as a tool for the initial infection of targeted systems. They subsequently served as a starting point for further criminal activities, such as installing ransomware for digital extortion or fraudulent use of data.
The malware SocGholish (a so-called dropper/loader) allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach, which has caused countless victims, is primarily done by hacking websites built with WordPress and infecting them with malware. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.
The malware StealC (a so-called stealer with dropper function), which was spread through multiple attack vectors, was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraudulent use.
The malware Amadey (a so-called dropper/loader) was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had stealer capabilities and could therefore retrieve sensitive data.
A blow to cybercriminal infrastructure
During the action against SocGholish, 14 971 infected websites - including those of restaurants, auto repair shops, and other everyday services - were remediated. SocGholish is linked to the Russian cyber‑criminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.
Key actions included:
Cleaning infected WordPress sites and notifying victims, urging them to update their platforms and strengthen login credentials.
Disabling the SocGholish botnet by taking over domain names and taking servers offline.
Victim notifications via platforms like HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver and NL-NCSC, alerting website owners whose credentials were leaked.
Call to WordPress users
The Dutch Police have already removed vulnerabilities from infected sites and notified owners. WordPress users are urged to:
change their login credentials;
enable multi‑factor authentication;
delete any unknown additional WordPress accounts;
keep their WordPress site up‑to‑date in the future.
Prevent your computer from being infected by SocGholish malware
SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs a fake update, the malware opens a connection to the hackers, who subsequently gain access to the computer system. With this so-called initial access, even more dangerous software can then be installed.
Watch out for the following signs to avoid this:
Never trust pop‑ups that appear in your browser.
Do not trust updates that are overly flashy and scream for immediate action.
Do not trust updates just because they look very legitimate.
A genuine update always comes from the official source, for example via your system settings or the app store.
A new approach: targeting the cybercrime “assembly line”
This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners disrupted the entire chain that allows cyberattacks to scale. Amadey and StealC, two widely used malware tools, were targeted by Microsoft in tandem due to their interconnected roles.
Amadey gains initial access to devices, while StealC extracts passwords and sensitive data. Together, they form a critical link in the cybercrime supply chain. According to insight collected by Microsoft, in just the first two weeks of 2026 May, Amadey and StealC were linked to over 140 000 infected computers worldwide.
Europol’s support
Europol played a central role in this international operation by providing operational coordination and facilitating seamless collaboration among law enforcement agencies from the participating countries. It ensured real-time information sharing via SIENA, enabling synchronised efforts across borders.
Europol’s European Cybercrime Centre (EC3) delivered critical analytical and technical support, conducting crosschecks on attribution, infrastructure, and financial investigations. The EC3 also provided cyber intelligence for victim notifications and shared actionable insights with public and private partners. Europol’s crypto tracing experts contributed by tracking illicit financial flows and identifying assets. Additionally, Europol coordinated prevention strategies to ensure a unified response and provided strategic oversight through the Joint Cybercrime Action Taskforce (J-CAT), aligning national investigations under a cohesive framework.
International law enforcement initiate hunt on malware group SocGholish
In Operation Endgame, a major operation this week disrupted a key infection chain used
by cybercriminals. Within an international cooperation, 14.971 websites infected with
SocGholish malware were remediated. This malware is used by a criminal group that plays
a pivotal role in international cybercrime, namely: Evil Corp.
SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors,
with the aim of gaining unauthorized access to their computer systems.
WordPress is the world’s most widely used platform for building websites. According to
WordPress, more than 43% of all websites on the internet are powered by WordPress.
The login credentials of 1.4 million websites have been leaked. That means these sites
are vulnerable to malware infection. About 14.971 sites that provide everyday services
have been infected with this malware. This includes websites of restaurants or auto‑garages.
Maikel Rollman, National High Tech Crime Unit: “With these actions we deprive cybercriminals
of access to infected computer systems. This prevents further damage to the digital systems
of citizens, businesses and organizations worldwide and limits the spread of malware.
It also reduces the risk that these systems are used for cyber‑attacks on critical
infrastructure and other essential societal processes. This marks the beginning of further
action against SocGholish.”
14.971 websites remediated and disruption of the SocGholish botnet
In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and
Germany (BKA), with support from Europol and Eurojust, delivered a major blow to
SocGholish’s criminal infrastructure during a joint action week.
Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated.
In addition, the following actions were carried out:
Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
Disabling the SocGholish botnet by taking over domain names and taking servers offline.
Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).
Call to all WordPress website owners
The Dutch police have removed backdoors and malware from the infected WordPress sites.
The owners of these sites have been informed. They are urged to:
change their login credentials;
enable multi‑factor authentication;
delete any unknown additional WordPress accounts;
keep their WordPress site up‑to‑date in the future.
Do you also have a WordPress website? Prevent yourself from becoming a victim in the future
by applying these security steps.
Prevent your computer from being infected by SocGholish malware
SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software
updates, for example for internet browsers. When someone installs a fake update, the
malware opens a connection to the hackers, who subsequently gain access to the computer
system. Whit this so-called initial access, even more dangerous software can then be installed.
Tips to prevent infection:
Never trust pop‑ups that appear in your browser.
Do not trust updates that are overly flashy and scream for immediate action.
Ensure you have an up-to-date virus scanner and leave it enabled during the installation of new software.
A genuine update always comes from the official source, for example via your system settings or the app store.
SocGholish malware and Evil Corp
SocGholish has been a constant threat since 2017 and is used to install malware on users,
including various ransomware strains that have been employed to attack critical infrastructures.
This has resulted in many victims. This is primarily done by hacking websites built with
WordPress and infecting them with malware.
SocGholish is linked to the Russian cybercriminal group Evil Corp. This group has previously
been responsible for Zeus and Dridex malware and is also associated with several large‑scale
ransomware and money‑laundering operations.
End of the game for cybercrime infrastructure: 1025 servers taken down
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated
from Europol’s headquarters in The Hague. The actions targeted one of the biggest
infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium,
all of which played a key role in international cybercrime.
Authorities took down these three large cybercrime enablers.
The main suspect for VenomRAT was arrested in Greece on 3 November 2025.
The infrastructure dismantled during the action days was responsible for infecting
hundreds of thousands of victims worldwide with malware. The dismantled malware
infrastructure consisted of hundreds of thousands of infected computers containing
several million stolen credentials. Many of the victims were not aware of the infection
of their systems. The main suspect behind the infostealer had access to over 100.000
crypto wallets belonging to these victims, potentially worth millions of euros.
Check if your computer has been infected and what to do if so:
https://www.politie.nl/checkyourhack and https://haveibeenpwned.com.
Operation ENDGAME strikes again: the ransomware kill chain broken at its source
Cybercriminals around the world have suffered a major disruption after
law enforcement and judicial authorities, coordinated by Europol and Eurojust,
dismantled key infrastructure behind the malware used to launch ransomware attacks.
From 19 to 22 May, authorities took down some 300 servers worldwide, neutralised 650
domains, and issued international arrest warrants against 20 targets, dealing a
direct blow to the ransomware kill chain.
In addition, EUR 3.5 million in cryptocurrency was seized during the action week,
bringing the total amount seized during Operation Endgame to EUR 21.2 million.
This latest phase of Operation ENDGAME follows on from the largest-ever
international action against botnets in May 2024. It targeted new malware variants
and successor groups that re-emerged after last year’s takedowns, reinforcing
law enforcement’s capacity to adapt and strike back – even as cybercriminals
retool and reorganise.
Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns
In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet,
operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches,
arrest warrants or ‘knock and talks’. Superstar used his botnet to run a pay-per-install service,
enabling customers to gain access to victims’ machines.
Customers used the service to deploy malware
for their own criminal activities. Investigations revealed that botnet access was purchased for a
range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more.
Law enforcement tracked down the customers as they were registered in a database seized during
Operation Endgame.
Robust international actions against illicit virtual currency exchanges
Operation Endgame continues taking actions to disrupt the cybercriminal ecosystem. In the last week,
multiple cryptocurrency exchanges were taken offline by international law enforcement agencies and
judicial authorities. These service providers facilitated many different criminal financial flows, such
as ransomware.
Money laundering facilitates all kinds of serious crime and enables criminals to stay out of reach of
investigative authorities. Service providers have an obligation to investigate whether money may have a
criminal origin. Knowingly accepting cryptocurrencies derived from crime and thus facilitating money
laundering is always punishable by law.
Several botnets dismantled in largest international operation
During a joint action by international law enforcement agencies and judicial authorities several botnets
that played a key role in cybercrime were dismantled. Four arrests were made and sixteen premises were
searched worldwide over the past few days. Additionally, eight summons were served against suspects. Many
national and international organisations in the public and private sectors also played an important role in
this operation.
The operation enabled us to simultaneously take down these botnets and disrupt the infrastructure used by
cybercriminals. Botnets are used for different types of cybercrime, for example ransomware. The dismantled
botnets consisted of millions of infected computer systems.
Many of the victims were not aware of the infection of their systems. The estimated financial loss these
criminals have caused to companies and government institutions amounts to hundreds of millions of euros.
This large-scale action is called Operation Endgame.
Operation Endgame does not end today. New actions will be announced on this website.
If you have information about the suspects in Operation Endgame, feel free to contact us