ctipilot.ch

SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

The Operation Endgame takedown (§ 5) was the headline; Proofpoint's post-action analysis is the status update that matters for the longer arc. TA569 served for years as a primary distribution layer for WastedLocker (Evil Corp), LockBit and RansomHub, and while law enforcement seized over 100 servers and 14,971 WordPress sites were remediated, seven FakeUpdates-style clusters remain operational — TA2726, TA2727, ZPHP, ErrTraffic (the ClickFix MaaS in § 6), LandUpdate808/KongTuke, GeoTDS and tdsshop (Proofpoint, 2026-06-18; daily 06-19). Proofpoint also notes that WordPress sites frequently reinfect because the underlying credential compromise outlives CMS-level cleanup. The defender consequence: the fake-update initial-access vector is degraded, not closed — keep GPO restrictions on JScript / Windows Script Host (WSH) execution from user-writable paths, browser isolation for email links, and (for WordPress operators) full credential rotation plus file-integrity monitoring (FIM) after any cleanup, because removing the loader without rotating credentials invites reinfection.
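The WSH-from-user-writable-path control above is also the natural detection to pair with the GPO. The following is an added example (not Proofpoint's or this brief's code) that scans constructed, Sysmon-style process-creation events for wscript/cscript launching a script from a user-writable location, and raises severity when the parent is a browser or Explorer, which is how a fake-update lure is typically launched; the field names and path list are assumptions, not a vendor schema.

```python
import re

# Constructed sample events in a Sysmon-like shape (field names are assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Update.js"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",          # benign admin script, should not fire
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\bob\Downloads\Chrome.Update.jse"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",          # writable path, but scripted parent
     "CommandLine": r"wscript.exe C:\ProgramData\setup.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

WSH_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed set of user-writable roots; extend to match local policy.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\", re.I)
# Script argument: a drive-rooted path ending in a WSH-executable extension.
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+?\.(?:jse|js|wsf|vbs))(?=["\s]|$)', re.I)
# Parents consistent with a browser download or double-click rather than an admin task.
LURE_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe")


def classify(event):
    """Return a finding dict if the event is WSH running a script from a user-writable path."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in WSH_HOSTS:
        return None
    match = SCRIPT_ARG.search(event["CommandLine"])
    if not match:
        return None
    script = match.group(1)
    if not USER_WRITABLE.search(script):
        return None
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    severity = "high" if parent in LURE_PARENTS else "medium"
    return {"host": image, "script": script, "parent": parent, "severity": severity}


def scan(events):
    """Apply classify() to a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]
```

Running `scan(SAMPLE_EVENTS)` flags three of the four events; the admin script under C:\Scripts is ignored because the path is not user-writable.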