Dutch-Led Seizure of 100+ Servers Disrupts SocGholish Botnet Tied to Evil Corp

The operation targeted SocGholish distribution domains and command infrastructure used for fake update prompts on compromised sites. Dutch NHTCU removed backdoors from thousands of infected WordPress instances and notified owners while seizing domains. Infoblox telemetry confirmed the scale of the initial foothold delivery mechanism active since 2017. Technical evidence centers on domain and server takedowns rather than full actor attribution.

Evidence trails link SocGholish to Evil Corp via historical Dridex code overlaps and sanctions records from 2019. The same infrastructure has routed to DoppelPaymer, LockBit and RansomHub deployments according to Infoblox sinkhole data. Official statements attribute the botnet directly to the sanctioned group while independent malware samples show code reuse patterns common across multiple Russian-language crews rather than exclusive control.

Repeated law enforcement actions against Evil Corp infrastructure demonstrate limited long-term effect because operators rapidly rebuild distribution layers. The current disruption removes one access broker but leaves downstream ransomware affiliates untouched. Procurement patterns in Russian cybercrime forums indicate continued investment in similar web inject mechanisms.

Further domain seizures are already signaled by Dutch authorities. Expect re-emergence of SocGholish variants within 60-90 days unless sinkholing continues at scale.