Operation Endgame vs. SocGholish Fake Updates
Essential information
- Published
- 18/06/2026 16:53
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- bumblebee danabot domain shadowing doppelpaymer evilcorp fake updates hades icedid initial access broker lockbit operation endgame pikabot qakbot ransomhub rhadamanthys smokeloader socgholish traffic distribution system trickbot venomrat wastedlocker wordpress compromise
- Related entities
- 12 indicators, 12 observables, 1 intrusion sets (apt), 18 techniques (mitre), 17 malware
Description
A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...