Operation Endgame vs. SocGholish Fake Updates
June 18, 2026, 8:37 p.m.
Description
A multinational law enforcement operation called Operation Endgame has successfully disrupted SocGholish, a malware framework operated by threat actor TA569 since 2017. The operation took down 106 servers and domains and remediated nearly 15,000 compromised WordPress websites. SocGholish uses fake browser update prompts on compromised websites to trick victims into downloading malicious JScript payloads, providing initial access to corporate networks for ransomware deployment and data breaches. Analysis revealed that 55% of Infoblox cloud customers were exposed to SocGholish in 2026, demonstrating widespread impact across multiple industries including government, education, and healthcare. The framework employs domain shadowing techniques and operates through a four-stage attack chain involving traffic acquisition, filtering, fake update lures, and on-device implant execution. SocGholish infrastructure has facilitated access for various ransomware families and has been extensively used by the notorious Evi...
Tags
Date
- Created: June 18, 2026, 2:53 p.m.
- Published: June 18, 2026, 2:53 p.m.
- Modified: June 18, 2026, 8:37 p.m.
Attack Patterns
- VenomRAT
- LockBit
- Hades
- Bumblebee - S1039
- Pikabot
- Rhadamanthys
- DoppelPaymer
- RansomHub
- TrickBot - S0266
- QuackBot
- IcedID - S0483
- TSPY_TRICKLOAD
- WastedLocker - S0612
- QakBot - S0650
- DanaBot
- SocGholish
- Smokeloader
- GOLD PRELUDE
Additional Informations
- Finance
- Education
- Hospitality
- Technology
- Healthcare
- Government
- app-front.anmaradigital.com
- billing.roofnrack.us
- platform.exathomeswebuyarizona.com
- samples.addisgraphix.com
- shop.steadycompanion.com
- promo.summat10n.org
- storehouse.beautysupplysalonllc.com
- devel.asurans.com
- api-app.uppercrafteroom.com
- pa-portal.benningtonspringsmhp.com
- trademark.iglesiaelarca.com
- content.garretttrails.org