Key Findings
- Global law enforcement and private sector partners worked to disrupt activity related to TA569, as part of Operation Endgame.
- TA569 is one of the most prominent cybercriminal threat groups in Proofpoint threat data, which our researchers have tracked since 2018.
- TA569’s SocGholish inject activity has been linked to major ransomware families and criminal syndicates.
- The law enforcement actions included disrupting their servers and disinfecting compromised websites.
- Many of the actor’s compromises included websites with millions of visitors, making it a prominent threat and risk to people globally.
Overview
TA569 can be considered the “grandfather” of a threat type that compromises websites and uses traffic direction systems (TDS) to redirect visitors to malware. Sometimes referred to as “FakeUpdates,” its SocGholish web injects impersonate browser security updates to trick users into downloading malware, which often leads to follow-on ransomware attacks.
Web injects went from being a technique used by only a handful of threat actors, popularized and refined by TA569, to a common technique used by numerous threat clusters beyond the TA569 ecosystem, including ClearFake, ZPHP, and ErrTraffic. But the original actor is now under law enforcement’s fire.
On 18 June 2026, law enforcement announced a major disruption to TA569 activities. Together, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI), and Germany (BKA), with support from Europol, targeted SocGholish’s criminal infrastructure during a joint action week.
The action took down over 100 servers and domains worldwide, and 14,971 websites were remediated, which served to disrupt the SocGholish botnet. To further highlight the actions and impact of SocGholish, law enforcement posted a video on Operation Endgame’s website. Proofpoint was proud to provide information related to SocGholish to support law enforcement activities.
Based on the effects of previous Operation Endgame announcements, the SocGholish action will likely have a significant impact on TA569 operations, including disruptions to services, malware delivery, reputational and financial damage, and loss of customers.
TL;DR on Injects
So how do threat actors, including TA569, get access to legitimate websites?
A malicious injection often starts with a compromise of either the hosting environment or the content management system (CMS) or application layer, such as WordPress. The attacker might gain access through password spraying, leaked or reused credentials, vulnerabilities in the hosting platform, flaws in the CMS itself, or weaknesses in plugins, themes, templates, and third-party services used by the site.
These attacks often target outdated components, but they are not limited to known vulnerabilities. Attackers may also exploit zero-days, abandoned plugins, custom templates, or third-party dependencies that are no longer maintained. In some cases, plugin or theme developers may not realize that underlying libraries or bundled components used by their products also need security updates. This can leave sites exposed even when the CMS core appears to be current.
Once a threat actor has gained privileged access or remote code execution (RCE) on the website, they will often try to establish additional ways back in if the original access point is blocked. In some cases, the actor may even patch the original access point to prevent other threat actors from using the same vulnerability. Persistence can be established in several ways, such as adding or modifying users in the hosting environment or CMS, placing PHP backdoors outside the control of the CMS, or installing legitimate plugins that the threat actor knows are vulnerable to their own exploits.
One common way to maintain persistence is to install fake CMS plugins that function as backdoors. These plugins may have benign names and may include functionality to hide themselves from the CMS administrator interface, meaning file-level access is required to discover them. These plugins may also be used to serve the actual injection.
SocGholish / TA569 Background
Typically, a TA569 attack chain consists of three parts: the malicious SocGholish injects served to website visitors; a traffic distribution service (TDS) responsible for determining which user receives which payload based on a variety of filtering options; and the ultimate payload, GhoLoader. TA569 is a customer of a TDS run by TA2726 (a malicious Keitaro service) and also uses the actor-owned Parrot TDS.
As mentioned above, website compromises often occur when the threat actor gains access to WordPress websites and web servers, allowing malicious content to be injected. As part of Operation Endgame’s action against SocGholish, law enforcement was able to remove infections from identified sites to prevent further exploitation. (Advice for WordPress administrators and website owners to protect against this type of threat can be found at the end of this report.)
Proofpoint has tracked TA569 and its related malware since 2018. Public reporting has associated TA569 / SocGholish with Evil Corp, a notorious Russian cybercriminal group whose members have been sanctioned for cyber-enabled criminal activity multiple times by western governments. Ransomware families associated with SocGholish injections over the years include WastedLocker, LockBit, and RansomHub.
Because compromised websites are the initial infection vector, distribution can occur in a variety of ways. From Proofpoint’s visibility, we see legitimate email traffic that contains URLs linking to compromised websites. The compromised domains redirect traffic to actor-controlled domains to deliver a malicious payload. The email messages, URLs, and domains may appear benign and legitimate, but they are in fact covertly routing traffic to malicious destinations.
When someone visits a compromised website and passes filtering checks, they’re shown a page that appears to be a pop-up from their web browser, indicating their software needs to be updated. Throughout its history, TA569 has used the same “FakeUpdate” themes, inspiring many copycats, too.

Figure: TA569 infected landing page, May 2026.
These compromised websites are frequently exploited by multiple threat actors, creating a complex landscape of potential threats. The malicious behavior exhibited by these sites is not uniform, but instead varies significantly depending on several key factors, including the user's country of origin, the type of browser being used, and the underlying operating system. This variability makes such attacks particularly sophisticated and challenging to document, as the malicious infrastructure adapts dynamically to different user environments. For example, the Keitaro TDS instance operated by TA2726 that delivers traffic for TA569 also delivers traffic for TA2727.
The following are examples of recently observed attack chains:
- USA/CAN/AUS (Windows): Compromised website → TA2726 → TA569 SocGholish injection → GhoLoader (can lead to ransomware in an Active Directory environment).
- USA/CAN/GBR/NDL (Windows): TA569 (via Parrot TDS) → SocGholish injection → GhoLoader (can lead to ransomware in an Active Directory environment).
- USA (macOS): TA2726 → TA2727 → ClickFix → FrigidStealer
- GBR (macOS): TA2726 → TA2727
In one of the current iterations of TA2726 injects, the actor uses a fake WordPress plugin to inject highly obfuscated JavaScript, padded with junk comments, into the main response of the website. This JavaScript kicks off an advanced chain loader that interacts with URLs and AJAX actions on the compromised site itself, which eventually leads to a response that injects a TA569 SocGholish URL on “platform[.]exathomeswebuyarizona[.]com” to be loaded as JavaScript in the “<head>” tag of the compromised website. Notably, the compromised website itself responds with this TA569 URL, indicating that the website acts as a reverse proxy, since no TA2726 traffic is observed when inspecting traffic in a visitor's web browser.
Once the first SocGholish stage, which is obfuscated with JavaScript-obfuscator, is loaded, the script profiles the browser to make sure it is not an automated bot, does not have DevTools open, has not landed on the fake update page before, and is not an administrator on the WordPress site. Stage 1 also collects analytics on whether the visitor passes all checks and whether they will be redirected to the fake update page. It then waits for the mouse to move at least ten times and, if the browser passes all checks, overwrites the entire content of the website with a fake browser update page. Even though the download button might look basic, it is actually advanced. Clicking it sends a “postMessage” to a separate hidden iframe that was loaded from a “data:” URI. That iframe fetches a script from the TA569 C2 which contains the file "Google Launcher.js" (GhoLoader Stage 1, C2: “js-new[.]newtoyourgame[.]com”) as an embedded base64 blob, constructs it client-side via “URL.createObjectURL()”, and triggers the download. This means the downloaded file originates from a “blob:” URL with no direct network download trace pointing to a malicious JavaScript file. Sandboxes that simply “.click()” the button without proper cross-frame message handling will never trigger the download at all. The downloaded file is GhoLoader Stage 1, a WSH JScript that POSTs to its C2 via “ActiveXObject('MSXML2.XMLHTTP')” and executes the response.

Figure: TA569 response from website compromised by TA2726, June 2026.

Figure: De-obfuscated TA569 SocGholish Stage 1, June 2026.
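Because the GhoLoader download is assembled client-side from a base64 blob inside the fetched script, the script response itself is the artifact a sandbox or proxy can inspect. The following Node.js scanner is an added example, not Proofpoint's code: it looks for long base64 runs in a captured JavaScript response, decodes them, and reports blobs that carry two or more WSH downloader indicators; the sample response is constructed and contains only indicator strings.

```javascript
// Added example, not Proofpoint's code: flag a fetched script that smuggles a WSH
// JScript downloader as an embedded base64 blob (the pattern this report describes).
const BLOB_INDICATORS = [
  ["msxml2-xmlhttp", /ActiveXObject\s*\(\s*['"]MSXML2\.XMLHTTP['"]\s*\)/i], // WSH HTTP client
  ["wscript-object", /\bWScript\b/],                                        // WSH object model
  ["eval-of-response", /\beval\s*\(/],                                      // executes fetched text
];
const WRAPPER_INDICATOR = /URL\.createObjectURL\b/; // client-side blob: download construction
const BASE64_RUN = /[A-Za-z0-9+/]{200,}={0,2}/g;    // standard alphabet only, long runs only

// Scan a captured JavaScript response; returns one finding per suspicious embedded blob.
function scanScript(text) {
  const findings = [];
  for (const run of text.match(BASE64_RUN) || []) {
    const decoded = Buffer.from(run, "base64").toString("latin1");
    // Skip blobs that are mostly non-printable (images, fonts); scripts are text.
    const junk = (decoded.match(/[^\x09\x0a\x0d\x20-\x7e]/g) || []).length;
    if (junk > decoded.length * 0.05) continue;
    const hits = BLOB_INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
    if (hits.length >= 2) { // require two independent indicators to limit false positives
      findings.push({
        offset: text.indexOf(run),
        decodedBytes: decoded.length,
        indicators: hits,
        wrapperBuildsBlobUrl: WRAPPER_INDICATOR.test(text),
      });
    }
  }
  return findings;
}

// Constructed sample: the "embedded script" only carries indicator strings and prints a line.
const SAMPLE_EMBEDDED = [
  "// constructed stand-in for an embedded WSH script used to exercise the scanner;",
  "// it references the indicator strings but performs no network activity at all",
  "var marker = \"ActiveXObject('MSXML2.XMLHTTP')\";",
  'WScript.Echo("constructed sample only");',
].join("\n");
const SAMPLE_RESPONSE =
  "// constructed wrapper script (no download is built here)\n" +
  'var payload = "' + Buffer.from(SAMPLE_EMBEDDED).toString("base64") + '";\n' +
  "var build = URL.createObjectURL; // indicator reference only\n";
```

Run `scanScript()` over the script bodies a sandbox records for the hidden iframe, not only over files the browser writes to disk, since the blob: download leaves no network request for the final file.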
TA569 compromises websites indiscriminately and opportunistically, although sites with higher traffic numbers lead to more victims. Proofpoint has observed websites with millions of daily visitors being compromised by TA569, including prominent media and retail websites. The actor has also compromised websites in virtually every industry, from nonprofits and schools, to healthcare and hospitals, to legal and real estate organizations.
The actions taken by law enforcement will have a major impact on the spread and effectiveness of TA569 infections, and will prevent countless people from falling victim to cybercrime.
To dive deeper into the overall attack chain, including TA2726 delivering for other actors, related malware, and techniques, check out our previous reporting.
Evolution of the Web Inject Ecosystem
TA569 may be the OG of the web inject game, but Proofpoint tracks nearly a dozen different threat actor clusters involved in web inject campaigns, from TDS operations to malware delivery. Our research continues to identify thousands of compromised websites leveraged for fake update malware campaigns every month, including but not limited to the TA569, ZPHP, ErrTraffic, LandUpdate808 (also known as KongTuke), GeoTDS, and tdsshop threat clusters. These threat actors use compromised domains to redirect traffic to actor-controlled domains to deliver malicious payloads.
The technique began notably increasing around 2023 and has risen significantly in recent months. The emergence of the ClickFix technique in 2024 also contributed to the rise of web inject activities. Like the “fake updates” scheme, the ClickFix trick gets people to engage with malicious content by pretending it’s an official notification from software they’re using. The technique that tells people to copy, paste, and run malicious code could be easily incorporated into existing “fake updates” or related attack chains, relying on recipients to continue blindly trusting their operating systems.
It is possible that following the actions targeting TA569, other web injection adversaries may become more popular. While the law enforcement actions target TA569 and related malware and infections, it likely won’t significantly impact activities from TA2726, one of the TDS providers that supports TA569.
Recommendations
Web injects and associated malware, regardless of the actor behind them, can be hard for security teams to detect and prevent and may present difficulties in communicating the threat to end users due to the social engineering techniques and website compromises used by the threat actor. The best mitigation is defense in depth. The following is recommended:
- Have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection.
- Train users to identify the activity and report suspicious activity to their security teams. While the training is specific in nature, it can easily be integrated into an existing user training program.
- A tool such as Proofpoint’s Browser Isolation can help prevent successful exploitation when compromised URLs are received via email and clicked.
- Restrict Windows users from downloading script files and from opening them in anything but a text editor. This can be configured via Group Policy settings.
- Consider disabling PowerShell for general users who do not need it for their daily workflows.
As part of the disruption announcement, law enforcement recommends the following for WordPress website owners and administrators:
- Enable MFA/2FA (Multi-factor authentication/Two-Factor authentication) for administrators and secure the administrator email address with MFA.
- Restrict access to /wp-admin with IP allowlisting.
- Limit the number of administrators.
- Use strong, unique passwords (consider using a password manager).
- Enable notifications for infrequent actions (theme/new plugin installations / role changes).
- Enable logging for changes and login attempts.
- Use a Web Application Firewall (WAF) or WordPress firewall to block suspicious requests.
- Block the execution of PHP files in the uploads directory (wp-content/uploads/).
- Keep WordPress, plugins, and themes up-to-date and remove unused plugins/themes.
- Install plugins/themes only from trusted sources.
- Disable WordPress built-in file editing if it's not being used.
- Ensure good backups (not on the same web server).
- Use monitoring (malware scan / file-integrity) so that unexplained changes are quickly detected.
- If you suspect abuse, temporarily put the site into maintenance mode, preferably restore from a clean backup, and change all passwords.
Many threat actors have learned to avoid modifying core CMS files or existing plugins, since these are often monitored by the CMS itself, integrity-checking mechanisms, or third-party security solutions. Instead, they favor persistence methods that blend into normal site administration or sit outside the areas a CMS administrator would typically review. This means some methods can look benign or may not be visible from within the CMS interface at all. Cleanup can therefore miss the real problem: compromised credentials that were never changed, a backdoor outside the CMS, or the mechanism that keeps reintroducing the injection. This becomes even harder when the CMS and hosting platform are managed by different teams with different access. It also limits what an external observer can safely recommend. Even if sandboxing or observed behavior confirms that the site is compromised, the full access path and remaining persistence may not be visible from the outside.
Conclusion
Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into TA569 activity.
Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing the authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world.