Operation Endgame - SocGholish
A coalition of international law enforcement agencies formally announced its latest Operation Endgame campaign against criminal infrastructure used to distribute malware on Wednesday, June 18th 2026. The latest operation disrupts SocGholish, a botnet that hijacks WordPress sites to distribute malware and provide initial access to victim systems. On June 24th, Europol expanded the campaign's scope, targeting the Amadey and StealC malware networks.
Compromised WordPress administrator credentials have been shared with Spamhaus, who will support remediation.
Data
Use the access key that Spamhaus sent you by email to access the list of compromised WordPress administrator credentials below.
What is Operation Endgame?
Operation Endgame is a coordinated international law enforcement action targeting key cybercrime botnets. Launched in May 2024, it became the largest operation ever against botnets involved with ransomware, resulting in multiple detentions and interrogations, server takedowns, and the disruption of major malware droppers including IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee. Subsequent phases expanded the operation's scope: Endgame 2.0 in May 2025 targeted initial access malware families, including Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie; while Endgame 3.0 in November 2025 targeted the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet.
The latest campaign, announced on Wednesday, June 18th 2026, targets SocGholish, a botnet linked to Evil Corp that hijacks WordPress sites to distribute malware and provide initial access to victim systems. The action led to the takedown of 106 servers and domains and remediated nearly 15,000 compromised websites. A further announcement from Europol on June 24th expanded the campaign's scope to target the Amadey and StealC malware networks.
Operating cybercrime infrastructure such as these botnets relies heavily on stolen credentials. Law enforcement has shared data relating to compromised WordPress administrator credentials with Spamhaus, who will be helping with remediation.
How were these sites involved?
Threat actors obtain credentials using remote access tools (RATs) and infostealers, then leverage the infected machines to spread malware further or gain initial access to targeted networks and organizations. The data provided by Spamhaus reflects WordPress sites compromised by SocGholish whose administrator credentials were identified during the Operation Endgame investigation.
Since this information has been recovered from multiple components of criminal infrastructure, we are unable to individually verify every entry. Some accounts may be outdated or already secured. However, given the potential threat, we believe sharing the dataset remains valuable.
Please note that the data we share covers roughly the last 6 months (from January 2026 until June 2026); the current situation may be different.
What should be done?
If you receive an access key from Spamhaus via email, update your WordPress login credentials, enable multi-factor authentication, remove any unrecognised WordPress accounts, and ensure your WordPress installation is fully up to date. Your company should also contact any affected customers to support their remediation.
What should we as the service provider tell our customers?
Here is a handy template you can use:
Dear Administrator,
Spamhaus, who is working in conjunction with international law enforcement, has notified us regarding WordPress websites compromised by SocGholish malware. This malicious software was being used by cybercriminals to steal administrator login credentials for WordPress sites.
We ask that you update your WordPress login credentials, enable multi-factor authentication, remove any unrecognised WordPress accounts, and ensure your WordPress installation is fully up to date.
The list of compromised WordPress sites is as follows:
192.0.2.1,2026-01-01T01:01:00Z,2026-06-01T01:01:00Z,https://example.com/wp-login.php,username,******rd
......
We greatly appreciate any action you take in securing these sites and helping to ensure that they are not further abused by miscreants to do any harm to other users on the internet.
Regards,
Example Trust and Safety Department
What do the various fields in the data mean?
Both the JSON and the CSV formats contain the same fields. Here is a CSV example:
ip,first_seen,last_seen,url,login,password
192.0.2.1,2026-01-01T01:01:00Z,2026-06-01T01:01:00Z,https://example.com/wp-login.php,username,******rd
ip: IP address where the affected WordPress installation resides.
first_seen: time when attackers first captured the credentials.
last_seen: time when attackers last captured the credentials.
url: URL of the WordPress administrator login page.
login: account name.
password: redacted password.
A note on timing: this is information as-is from the malware infrastructure. Administrator passwords must be reset. We recommend running malware-removal tools and verifying the integrity of the WordPress installation on these machines. If the same password has been used for other services, reset passwords there too.
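Added example (not Spamhaus tooling): a small loader for the CSV layout described above that validates each field strictly, groups entries per site hostname so each customer receives only their own lines, and flags hosts whose newest capture is older than a chosen threshold, since the timing data is as-is and may be outdated. The sample rows, the 90-day default and the `group_by_host` output layout are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the feed's CSV layout (documentation IPs and example hosts, not real victims).
SAMPLE_CSV = """ip,first_seen,last_seen,url,login,password
192.0.2.1,2026-01-01T01:01:00Z,2026-06-01T01:01:00Z,https://example.com/wp-login.php,username,******rd
192.0.2.1,2026-02-03T04:05:00Z,2026-02-03T04:05:00Z,https://example.com/wp-login.php,editor,******23
198.51.100.7,2026-03-10T12:00:00Z,2026-03-11T09:30:00Z,https://blog.example.net/wp-login.php,admin,******xy
"""
FIELDS = ("ip", "first_seen", "last_seen", "url", "login", "password")

def parse_record(row):
    """Validate one feed row strictly; a malformed line raises instead of being silently dropped."""
    rec = {k: row[k].strip() for k in FIELDS}
    rec["ip"] = str(ipaddress.ip_address(rec["ip"]))  # rejects anything that is not an IP literal
    for key in ("first_seen", "last_seen"):
        rec[key] = datetime.strptime(rec[key], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    parsed = urlparse(rec["url"])
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"bad url: {rec['url']}")
    rec["host"] = parsed.hostname.lower()  # grouping key: one customer notice per site hostname
    return rec

def load_feed(text):
    """Parse the CSV form of the feed into validated records."""
    return [parse_record(r) for r in csv.DictReader(io.StringIO(text))]

def group_by_host(records, stale_after_days=90, now=None):
    """Per-host summary for customer notices; 'stale' marks hosts whose newest capture
    is older than stale_after_days (assumed threshold), a hint to verify before acting."""
    now = now or datetime.now(timezone.utc)
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"]].append(rec)
    report = {}
    for host, recs in by_host.items():
        latest = max(r["last_seen"] for r in recs)
        report[host] = {"ips": sorted({r["ip"] for r in recs}),
                        "accounts": sorted({r["login"] for r in recs}),
                        "latest_capture": latest,
                        "stale": (now - latest).days > stale_after_days}
    return report
```

Feed the real CSV to load_feed in place of SAMPLE_CSV; the per-host "accounts" list is what goes into the customer template above.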
Where can I find publications about Endgame and the takedown?
Official publications: Operation Endgame website
You contacted us at the incorrect/outdated address; can this be updated?
Yes! Please tell us what addresses we should use instead by emailing: remediation-team@spamhaus.org.
I have a question that is not answered here
You can get in touch with the team via our contact form.