Operation Endgame Disrupts Major Global Cybercrime Infrastructure and Malware Networks

In a coordinated global effort known as Operation Endgame, law enforcement agencies from several countries have delivered a significant blow to a sophisticated cybercriminal network. The operation targeted the SocGholish malware framework, which is linked to the Russian group Evil Corp. This framework tricked users into downloading malicious files by masquerading as legitimate software updates.

Investigators discovered that SocGholish exploited thousands of WordPress sites to spread malware to their visitors, with the aim of gaining unauthorized access to data and computer systems. The operation resulted in the takedown of 106 servers and domains and the remediation of nearly 15,000 compromised websites. The Royal Canadian Mounted Police (RCMP) served as Canada's representative, with its Vancouver-based Cybercrime Investigation Team developing a disruption technique that enabled the mass disinfection of 2,488 computers worldwide.

Following the action against SocGholish, the operation expanded to target the StealC and Amadey malware networks. Although developed by different criminal groups, these two tools often work together: Amadey provides the initial access to devices, while StealC is used to harvest sensitive information and passwords. Law enforcement and private-sector partners, including Microsoft and Proofpoint, coordinated to cripple the distribution network for these threats.

This follow-up action led to the disruption of 142 domains and the freezing of more than 41 million euros in crypto assets. Europol reported that nearly 27 million stolen login credentials were tracked during the process. Data from early May 2026 indicated that Amadey and StealC had infected over 140,000 computers globally.