Operation Endgame Seizes 106 SocGholish Servers, Cleans 14,971 WordPress Sites via International Sinkholing

Law enforcement action targeted SocGholish infrastructure active since 2017, a JavaScript downloader distributed through compromised sites using direct injection and domain shadowing. Shadowserver telemetry shows the majority of the 14,971 cleaned sites were in the US, Germany, and France, with subdomains quietly created under legitimate apex domains to mask C2 traffic. The operation also disrupted loaders such as Gholoader and MintsLoader that chained to LockBit, AsyncRAT, and RomCom payloads.

Procurement records and prior Europol notices indicate Endgame began in 2024 with coordinated sinkholing of multiple commodity botnets rather than high-profile ransomware crews alone. This pattern reveals a deliberate focus on initial-access brokers whose infrastructure supplies multiple downstream groups, including Evil Corp and RansomHub affiliates. Website owners received remediation notices requiring CMS updates and credential rotation, yet the layered delivery model means residual infections may persist through unpatched plugins.

The disruption exposes systemic supply-chain exposure in the WordPress ecosystem, where domain shadowing and traffic-distribution-system partnerships allow persistent footholds without obvious defacement. Cross-referencing with Arctic Wolf reporting from November 2025 shows SocGholish continued serving Mythic agents to RomCom operators even after earlier takedown attempts, indicating rapid infrastructure regeneration.

Next indicators will appear in registrar abuse reports and renewed subdomain creation within 60 days; sustained pressure on TDS operators like TA2726 will determine whether follow-on loader activity declines measurably.