HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Police Clean Nearly 15,000 SocGholish‑Infected WordPress Sites Tied to Evil Corp

International law‑enforcement agencies removed SocGholish malware from almost 15 k WordPress sites, highlighting the risk of unpatched web platforms. For SOC 2 teams this underscores the need for continuous control mapping and evidence of patch‑management, account hygiene, and MFA.

LiveThreat™ Intelligence · 📅 June 18, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Police Clean Nearly 15,000 SocGholish‑Infected WordPress Sites Tied to Evil Corp

What Happened — International law‑enforcement agencies (Netherlands, Canada, United States, Germany) removed SocGholish malware from 14,971 WordPress sites and seized 106 servers linked to the Evil Corp botnet as part of Europol‑backed Operation Endgame.

Why It Matters for Compliance & Audit Readiness

  • The infection chain exploits outdated WordPress installations and weak admin credentials – a classic SOC 2 CC6 (Logical Access) and CC7 (System Operations) control gap.
  • Continuous control‑mapping and automated evidence collection let you prove that patch‑management, account‑provisioning, and MFA policies are enforced across all web assets.
  • A documented remediation trail (site clean‑up, credential rotation, MFA enablement) satisfies SOC 2 monitoring and incident‑response requirements.

Who Is Affected — SaaS providers, digital agencies, e‑commerce retailers, and any organization that hosts public‑facing WordPress sites.

Recommended Actions

  • Inventory every public‑facing WordPress installation and map it to your SOC 2 asset register.
  • Verify that core, theme, and plugin versions are up‑to‑date; enforce automatic updates.
  • Delete unknown WordPress accounts and enable multi‑factor authentication for all admin users.
  • Deploy a control‑mapping solution that continuously collects evidence of patch status and MFA enforcement for audit purposes. Source: BleepingComputer

Technical Notes — SocGholish is a JavaScript downloader that hijacks vulnerable WordPress sites, tricks visitors into installing fake browser updates, and then delivers payloads such as Dridex, Doppelpaymer, Empire, Koadic, Chtonic, or Azorult. The infection relies on outdated plugins, weak credentials, and the absence of MFA. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/law-enforcement-nukes-socgholish-malware-from-nearly-15-000-sites/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →