Operation Endgame: crackdown on cybercriminal networks behind SocGholish, Amadey and StealC malwares

TL;DR

  • On June 18, 2026, a new crackdown led by Europol, as part of Operation Endgame, targeted the cybercriminal infrastructure behind the malware tools SocGholish, Amadey, and StealC;
  • As part of the operation, over 14,971 infected sites were cleaned. Additionally, 326 C2 servers and 142 illicit domain names were dismantled. A significant amount of illicitly obtained crypto assets, valued at €41 million, along with 27 million stolen credentials, were recovered;
  • Despite the scale of this crackdown, the threat remains, with cybercriminals showing increasing adaptability, which requires ongoing surveillance, regular system updates, and strengthened collaboration between the public and private sectors. In this context, relying on in-depth expertise and threat intelligence is a key asset for authorities and law enforcement agencies.

A new milestone in the fight against cybercrime

On June 18, 2026, a law enforcement operation conducted as part of Operation Endgame (1) significantly curtailed the operators of some of the most harmful cybersecurity threats: the SocGholish, Amadey and StealC malware. Led by Europol in coordination with authorities from the Netherlands, Canada, the United States, and Germany, this operation resulted in the cleanup of over 14,971 compromised websites and the takedown of 326 command and control (C2) servers and 142 illicit domains. Additionally, 27 million stolen credentials were recovered (2). To fully appreciate the impact of this crackdown, it is important to put it in context. This article offers an in-depth analysis of SocGholish, a threat monitored for years by the Orange Cyberdefense CERT, highlighting its methods, its role within the cybercriminal ecosystem, and what this disruption means for defenders.

Malware networks under attack: SocGholish, Amadey, and StealC

This latest instalment of Operation Endgame dealt a serious blow to three malware operators:

  1. SocGholish malware allowed cybercriminals to access computer systems by distributing fake browser updates via compromised websites. Instead of the legitimate update, users inadvertently installed the malware. This method, which claimed many victims, primarily spread by infecting websites built on CMS platforms such as WordPress or Joomla. The initial unauthorized access then served as a backdoor exploited for other malicious activities, such as installing ransomware for digital extortion;
  2. StealC malware was mainly designed to extract sensitive information such as passwords and digital credentials from compromised computers, with the aim of selling them on the dark web for fraudulent use;
  3. Amadey malware was primarily distributed through phishing campaigns. As the first link in a broader attack chain, it was capable of introducing additional malware into compromised systems. This malware also facilitated data theft, allowing it to retrieve sensitive information.

What is SocGholish? More than just Malware

Orange Cyberdefense experts contributed to these arrests by sharing their threat knowledge with authorities. Since 2017, they have been tracking the activity of the group behind SocGholish, and to give you an idea of the damage that just one of these three malware families can cause, let's focus on this one.

The Initial Access Broker

First and foremost, it's important to clarify that SocGholish is not typically the final step in an attack. It is a JavaScript-based downloader, and its primary operator, a Russian-speaking, financially motivated threat actor, functions as an Initial Access Broker (IAB). This group is tracked under various aliases across the security industry, including TA569, UNC1543, Mustard Tempest, and GOLD PRELUDE.

An IAB's business model is simple yet effective: they specialize in gaining initial entry into corporate and personal networks and then sell that access to other criminal groups. These "customers" then deploy their own malicious payloads, such as ransomware, spyware, or banking trojans. In essence, SocGholish is at the beginning of the cyber kill chain and not the final blow. Active since at least 2017, its longevity and widespread use have made it a cornerstone of the Cybercrime-as-a-Service economy.

Anatomy of a SocGholish Attack

The Orange Cyberdefense CSIRT team had the opportunity to document the infection chain employed by TA569, which is remarkably consistent and relies heavily on social engineering.

  • Step 1: The Website Compromise

The attack begins with the compromise of legitimate websites. TA569 exploits known vulnerabilities in popular Content Management Systems (CMS) such as WordPress, Joomla, and Drupal, or uses stolen credentials, to inject malicious JavaScript code into their pages. As the recent press release highlights, with over 43% of the Internet powered by WordPress, the potential attack surface is immense. These compromised sites can range from local restaurants to national news organizations.

  • Step 2: The "Fake Update" Lure  

When a user visits a compromised site, the injected script executes. However, the lure is not shown to everyone. The operators rely on Traffic Direction Systems (TDS) that perform geofencing and browser/IP filtering to remain highly selective. This means the malicious pop-up is delivered only to chosen targets, which reduces the observability of these attacks and complicates automated inspection by security solutions, including less advanced file sandboxes. For a targeted user, the script displays a highly convincing, yet fake, pop-up alert urging them to update their browser (e.g. Google Chrome or Mozilla Firefox).

  • Step 3: The Payload Execution  

If the user falls for the trick and clicks the download button, a ZIP file containing a malicious JavaScript file is saved to their machine. The user is then tricked into executing this file, believing they are installing a legitimate update. This action triggers the SocGholish downloader, establishing a foothold on the victim's system. 

  • Step 4: The Follow-on Malware  

Once active, SocGholish connects to its C2 infrastructure and deploys a variety of second-stage payloads. We have observed it delivering loaders like Gholoader and MintsLoader, which in turn lead to more dangerous malware. Examples of final payloads delivered via SocGholish include:

- GhostWeaver: a PowerShell backdoor that steals credentials and cryptocurrency wallet information from web forms.

- Ransomware: historically, SocGholish was a key entry point for LockBit affiliates and has been observed leading to RansomHub deployments.

- Remote Access Trojans (RATs): AsyncRAT or NetSupport RAT have been deployed to give attackers full control over a compromised system.

SocGholish uses a layered delivery model and has been observed enabling multiple categories of follow-on payloads.
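As an added example (not code from the article or from Orange Cyberdefense), the following Python check implements the endpoint-side detection that follows from Step 3: a Windows script host executing a .js file from a download or temp location, which is what happens when a victim opens the ZIP delivered by the fake update. Field names follow Sysmon process-creation events; the records, host names and user names are constructed.

```python
"""Step 3 detection: the Windows script host running a .js file from a user
download/temp location, as when a victim opens the ZIP from a fake update.
Added example for this article (not Orange Cyberdefense tooling); the
events are constructed, Sysmon-style process-creation records."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Where a user-saved ZIP is normally opened or extracted; Temp1_<name>.zip
# is the folder Explorer creates when a ZIP is browsed.
USER_DROP_DIRS = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
# A quoted or unquoted .js/.jse argument on the command line.
JS_ARG = re.compile(r'"([^"]+?\.jse?)"|(\S+?\.jse?)(?=\s|$)', re.I)

def is_fake_update_execution(event):
    """Return a finding dict when the event matches the pattern, else None."""
    if ntpath.basename(event["Image"]).lower() not in SCRIPT_HOSTS:
        return None
    for m in JS_ARG.finditer(event["CommandLine"]):
        script = m.group(1) or m.group(2)
        if USER_DROP_DIRS.search(script):
            return {"host": event["Computer"], "user": event["User"],
                    "script": script,
                    "parent": ntpath.basename(event["ParentImage"]).lower()}
    return None

def scan(events):
    """Run the check over a batch of events and keep only the findings."""
    return [f for f in map(is_fake_update_execution, events) if f]

CONSTRUCTED_EVENTS = [
    # User double-clicked the .js inside a ZIP named like a browser update.
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\jdoe\AppData\Local\Temp\Temp1_Chrome_Update.zip\Chrome_Update.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Scheduled admin script from a system location: not flagged.
    {"Computer": "SRV-007", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\Inventory\collect.js",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Same lure saved straight to Downloads and run from there.
    {"Computer": "WS-113", "User": "CORP\\asmith",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\asmith\Downloads\Firefox_Update.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

The parent process is kept in each finding because an explorer.exe parent (a double-click) separates the user-lured case from script hosts spawned by legitimate automation.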

A Crowded and Collaborative Underworld

SocGholish activity is tied to a broader, fragmented criminal ecosystem in which all steps of an attack—from initial access to monetization—can be separated. This "cybercriminal supply chain" places IABs, TDS operators, and ransomware groups in specific, interconnected roles. 

  • Key Alliances: The link between SocGholish and the notorious Russian cybercrime syndicate Evil Corp is well-established and was reaffirmed in the Operation Endgame press release.  

  • Specialized Services: To maximize its reach, TA569 collaborates with other actors like TA2726, which operates a Traffic Direction System (TDS). This service helps filter and redirect victims toward the SocGholish infection chain, optimizing the process for the attackers. 

  • The "Copycat" Problem: The success of the Fake Updates model has inspired numerous copycat actors. Groups like TA2727 use similar JavaScript injects and lures to distribute their own malware, including information stealers like Lumma and DeerStealer. These new actors leveraging a similar business model complicate attribution and demonstrate the widespread adoption and effectiveness of these techniques.

Operation Endgame's Impact and Our Recommendations

The actions taken during Operation Endgame are a significant blow to this kind of threat actor's operations. By disinfecting tens of thousands of websites, taking down C2 servers, and seizing domains, law enforcement has directly attacked the group's infrastructure. Even if such disruptions do not always bring the malicious activity to a complete halt, they increase the cost and complexity of the attacks and provide a window of opportunity for defenders to bolster their security.

Based on our intelligence and the guidance from law enforcement, we provide the following recommendations:

For Website Administrators:

  • Update your CMS: keep your CMS (WordPress, Joomla, etc.), its plugins, and its themes constantly updated to prevent known vulnerabilities from being exploited.

  • Strengthen Credentials: strengthen all administrative passwords and avoid using default or easily guessable credentials. 

  • Enable Multi-Factor Authentication (MFA): configure MFA to provide a critical, second layer of security that prevents unauthorized access if credentials are stolen. 

  • Audit Accounts: regularly check for and delete any unknown or suspicious user accounts on your website's backend. 
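As an added example (not code from the article or from Orange Cyberdefense), this Python check complements the auditing advice above on the content side: it lists every script a page loads and flags sources outside the hosts the site is known to use, which is how an injected script of the kind described in Step 1 would show up. The allowlist, the hostnames and the sample HTML are constructed.

```python
"""Audit a page's <script> tags against the hosts the site legitimately
loads scripts from, to spot an injection of the kind described in Step 1.
Added example for this article (not Orange Cyberdefense tooling); the
allowlist and the sample page are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site: its own host plus one CDN it uses.
KNOWN_SCRIPT_HOSTS = {"www.example-bistro.test", "cdnjs.cloudflare.com"}

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_scripts(html, page_host, known_hosts=KNOWN_SCRIPT_HOSTS):
    """Return (unknown external sources, inline script bodies).
    Relative and protocol-relative URLs are resolved against page_host."""
    parser = ScriptCollector()
    parser.feed(html)
    unknown = []
    for src in parser.external:
        # urlparse only sees a host when the URL carries "//"; anything
        # else is a same-origin path.
        host = urlparse(src).hostname if "//" in src else page_host
        if (host or page_host).lower() not in known_hosts:
            unknown.append(src)
    return unknown, parser.inline

CONSTRUCTED_PAGE = """<html><head>
<script src="/wp-content/themes/bistro/js/menu.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//static.update-check.invalid/loader.js"></script>
</head><body>Menu</body></html>"""
```

Inline scripts are returned as well so they can be compared against the theme's known code; an unfamiliar inline block deserves the same review as an unknown host.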

For End-Users:

  • Be Skeptical of Pop-ups: never trust a software update that comes from a pop-up in your browser. 
  • Use Official Sources: legitimate updates for your browser, OS, or applications will come through the software's official update mechanism or your system's app store, and not from a random website. 

For Security Teams:

  • Leverage Threat Intelligence: The C2 infrastructure for SocGholish is known to rotate frequently (every 2-5 days). Subscribing to timely and actionable threat intelligence feeds like the one provided by Orange Cyberdefense is crucial for blocking connections to new malicious domains and IPs.

Defeat modern cybercrime by leveraging cyber threat intelligence

SocGholish represents a resilient, sophisticated, and highly effective threat that sits at the nexus of the intertwined modern cybercrime economy. Operation Endgame has once again moved to disrupt a critical IAB, protecting countless potential victims.

However, the actors behind these threats are known for their adaptability. While this operation has closed a significant chapter on SocGholish's activities, we fully expect TA569 and its customers to regroup, retool, and attempt to rebuild their infrastructure. The Orange Cyberdefense CERT will continue its monitoring to provide proactive defense against such threats, and will keep fostering public-private collaboration, which remains the most powerful response.

Sources

(1) Launched in 2024, Operation Endgame is the largest international operation ever undertaken to combat ransomware and cybercrime worldwide. Operation Endgame brings together law enforcement and judicial authorities from The Netherlands, Germany, Denmark, the United States, Australia, France, Belgium, the United Kingdom and Canada, with support from Europol and Eurojust. Together, they work in close coordination across borders to disrupt cybercriminal networks, including with private parties to make the digital world as safe as possible.

(2) "Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks", Europol.europa.eu, 24.06.2026: www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
