ctipilot.ch

Daily brief 2026-06-19

Operation Endgame expands to SocGholish/TA569 — 106 C2 servers down, FakeUpdates loader stripped from 14,971 WordPress sites

high threat discovered 2026-06-19 05:20 UTC

Entities: Operation Endgame · SocGholish · TA569

Part of run 2026-06-19-c306b105 (intel · Anthropic Claude (specific model not determined))

A coordinated law-enforcement action on 2026-06-18, an expansion of the May 2024 Operation Endgame, dismantled infrastructure tied to TA569, the long-running operator of the SocGholish (FakeUpdates) initial-access framework (Politie, 2026-06-18; Help Net Security, 2026-06-18). The Dutch National High Tech Crime Unit led the operation with the RCMP, FBI, BKA and Europol; 106 command-and-control servers were taken down and the malicious JavaScript loader was removed from 14,971 compromised WordPress sites. This is the first Endgame phase to directly target the FakeUpdates component, an initial-access mechanism in continuous use since roughly 2017.

How the chain works: SocGholish injects obfuscated JavaScript into legitimate WordPress sites (typically via stolen wp-admin credentials or vulnerable plugins), fingerprints visitors and renders a fake browser-update lure. Accepting the lure downloads a ZIP containing a .js or .lnk stage-1 that executes through wscript.exe or mshta.exe (T1189 Drive-by Compromise → T1059.007 JavaScript → T1204.002 User Execution: Malicious File); historically the resulting access was passed to Evil Corp downstream affiliates (Proofpoint, 2026-06-18).

Defender takeaway: the takedown does not retire the technique. Hunt for wscript.exe or mshta.exe spawned by a browser process (Sysmon EID 1; a high-fidelity signal), and note that when the user extracts the ZIP and double-clicks the script the parent is explorer.exe rather than the browser, so also flag script hosts launched from explorer.exe with a .js argument under Downloads or Temp. Correlate web-proxy logs for browser-initiated downloads of .zip payloads from WordPress hosts, and audit wp-admin credentials plus theme-file integrity on any WordPress estate you operate.
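The hunt described in the takeaway, as an added example that is not part of the original brief or of any vendor tooling: it scores Sysmon EID 1 records for a script host (wscript.exe, cscript.exe, mshta.exe) started by a browser, and for the weaker case where the user has extracted the ZIP and launched the script from explorer.exe. It assumes each event is one JSON object keyed by Sysmon's EventData field names (Image, ParentImage, CommandLine, UtcTime); the browser list, the user-writable path list and the sample events are constructed here for illustration.

```python
"""Hunt Sysmon EID 1 (process creation) records for the SocGholish stage-1 pattern.

Added example, not the brief's or any project's code. Assumes each log line is
a flat JSON object using Sysmon EventData field names (Image, ParentImage,
CommandLine, UtcTime). Sample events below are constructed, not captured.
"""
import json
import ntpath
import re
from typing import Iterable, Optional

# Browsers whose direct child should never be a Windows script host (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"}
# Script hosts named in the brief (wscript/mshta); cscript added for coverage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script-file argument on the command line.
SCRIPT_ARG = re.compile(r"\.(?:js|jse|wsf|vbs|hta)\b", re.IGNORECASE)
# Locations a browser download or ZIP extraction lands in (assumed list).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")


def _base(path: Optional[str]) -> str:
    """Lower-cased file name of a Windows path; works on any host via ntpath."""
    return ntpath.basename(path or "").lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one Sysmon EID 1 event.

    high   : script host spawned directly by a browser (user opened the .js from
             the download bar); near-zero legitimate rate.
    medium : script host spawned by explorer.exe with a script argument under a
             user-writable download/temp path (user extracted the ZIP first).
    None   : anything else, including admin scripts run from ProgramData.
    """
    image = _base(event.get("Image"))
    parent = _base(event.get("ParentImage"))
    cmd = event.get("CommandLine") or ""
    if image not in SCRIPT_HOSTS:
        return None
    if parent in BROWSERS:
        return "high"
    if parent == "explorer.exe" and SCRIPT_ARG.search(cmd) \
            and any(p in cmd.lower() for p in USER_WRITABLE):
        return "medium"
    return None


def hunt(lines: Iterable[str]) -> list:
    """Parse JSON log lines and return the events worth an analyst's time."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        sev = classify(ev)
        if sev:
            hits.append({
                "severity": sev,
                "time": ev.get("UtcTime"),
                "image": _base(ev.get("Image")),
                "parent": _base(ev.get("ParentImage")),
                "cmd": ev.get("CommandLine"),
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-19 05:01:10", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"UtcTime": "2026-06-19 05:02:44", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\Update.js"'},
    {"UtcTime": "2026-06-19 05:03:12", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\Chrome_Update\Update.js"'},
    {"UtcTime": "2026-06-19 05:04:00", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Corp\inventory.js"'},
    {"UtcTime": "2026-06-19 05:05:31", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://example.invalid/update'},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(f"[{hit['severity']:6}] {hit['time']} {hit['parent']} -> {hit['image']}: {hit['cmd']}")
```

The browser-parent rule needs no command-line content at all (the mshta.exe sample is flagged on parentage alone), while the explorer.exe rule deliberately requires both a script argument and a download/temp path so that scheduled or admin-deployed .js files under ProgramData stay out of the queue; tune USER_WRITABLE to your estate's actual download locations before deploying.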

law-enforcement organized-crime supply-chain phishing europe global