惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
The Register - Security
The Register - Security
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
N
News and Events Feed by Topic
腾讯CDC
P
Proofpoint News Feed
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
爱范儿
爱范儿
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
D
Docker
Y
Y Combinator Blog
博客园 - 聂微东
G
Google Developers Blog
S
Security @ Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
CERT Recently Published Vulnerability Notes
I
Intezer
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Attack and Defense Labs
Attack and Defense Labs
V
Visual Studio Blog
博客园 - Franky
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 最新话题
C
Cybersecurity and Infrastructure Security Agency CISA

Security Affairs

Agent’s claims on WhatsApp access spark security concerns Meta accused of violating DSA by failing to safeguard minors Large-scale Roblox hacking operation shut down by Ukrainian authorities CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure Internet censorship index reveals Russia’s lead and widespread content blocking All supported cPanel versions hit by critical auth bug, now patched U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog ShinyHunters exploit Anodot incident to target Vimeo CVE-2026-3854 GitHub flaw enables remote code execution Signal Phishing Campaign Targets German Officials in Suspected Russian Operation Microsoft fixes Entra ID flaw enabling privilege escalation New Android spyware Morpheus linked to Italian surveillance firm NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links Medtronic discloses security incident after ShinyHunters claimed theft of 9M+ records Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software LINKEDIN BROWSERGATE Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting Fast16: Pre-Stuxnet malware that targeted precision engineering software Italy moves to extradite Chinese national to the U.S. over hacking charges U.S. utility giant Itron discloses a security breach Critical bug in CrowdStrike LogScale let attackers access files GopherWhisper: new China-linked APT targets Mongolia with Go-based malware SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 94 Trigona ransomware adopts custom tool to steal data and evade detection Security Affairs newsletter Round 574 by Pierluigi Paganini – INTERNATIONAL EDITION U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844) CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network 12-year-old Pack2TheRoot bug lets Linux users gain root privileges Signal phishing campaign targets Germany’s Bundestag President Julia Klöckner China-linked threat actors use consumer device botnets to evade detection, warn UK and partners Luxury cosmetics giant Rituals discloses data breach impacting member personal details iOS Flaw Let Deleted Notifications Linger, Apple Issues Fix RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace U.S. CISA adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog Microsoft Graph API misused by new GoGra Linux malware for hidden communication DDoS wave continues as Mastodon hit after Bluesky incident Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters Venezuela energy sector targeted by highly destructive Lotus wiper Ransomware negotiator caught secretly assisting BlackCat extortion scheme North Korea’s Lazarus APT stole $290M from Kelp DAO The US NSA is using Anthropic’s Claude Mythos despite supply chain risk U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility France’s ANTS ID System website hit by cyberattack, possible data breach Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft CVE-2023-33538 under attack for a year, but exploitation still unsuccessful Third-party AI hack triggers Vercel breach, internal environments accessed AI Model Claude Opus turns bugs into exploits for just $2,283 Cyber attacks fuel surge in cargo theft across logistics industry SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93 Security Affairs newsletter Round 573 by Pierluigi Paganini – INTERNATIONAL EDITION Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access Kyrgyzstan-based crypto exchange Grinex shuts down after $13.7M cyber heist, blames Western Intelligence DraftKings hacker sentenced to prison, ordered to pay $1.4 Million Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered Inside ZionSiphon: politically driven malware aims at Israeli water systems U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog Cisco fixed four critical flaws in Identity Services and Webex Cookeville Regional Medical Center hospital data breach impacts 337,917 people AI platform n8n abused for stealthy phishing and malware delivery From clinics to government: UAC-0247 expands cyber campaign across Ukraine Sweden reports cyberattack attempt on heating plant amid rising energy threats CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog Mirax malware campaign hits 220K accounts, enables full remote control PHP Composer flaws enable remote command execution via Perforce VCS Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day Personal data of 1 million gym members compromised in Basic-Fit security incident US, UK and Canada disrupt $45M crypto theft in Operation Atlantic ShinyHunters claim the hack of Rockstar Games breach and started leaking data Attackers target unpatched ShowDoc servers via CVE-2025-0520 U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog Fake Claude AI installer abuses DLL sideloading to deploy PlugX Hackers access Booking.com user data, company secures systems iPhone forensics expose Signal messages after app removal in U.S. case Citizen Lab: Webloc tracked 500M devices for global law enforcement Iran-linked group Handala claims to have breached three major UAE organizations CPUID watering hole attack spreads STX RAT malware Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621 Hackers claim control over Venice San Marco anti-flood pumps SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 92 Security Affairs newsletter Round 572 by Pierluigi Paganini – INTERNATIONAL EDITION Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S. GlassWorm evolves with Zig dropper to infect multiple developer tools CVE-2026-39987: Marimo RCE exploited in hours after disclosure Ransomware attack on ChipSoft knocks EHR services offline across hospitals in the Netherlands and Belgium UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions EngageLab SDK flaw opens door to private data on 50M Android devices Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials Eurail data breach impacted 308,777 people Malicious PDF reveals active Adobe Reader zero-day in the wild Masjesu botnet targets IoT devices while evading high-profile networks The alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences Internet-Exposed ICS Devices Raise Alarm for Critical Sectors U.S. CISA adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog
14,971 WordPress Sites Cleaned in Global SocGholish Takedown
https://www.facebook.com/sec.affairs · 2026-06-19 · via Security Affairs

Operation EndGame disrupted SocGholish, taking down 106 servers and cleaning 14,971 WordPress sites used to spread fake-update malware.

On June 18, 2026, law enforcement agencies from the Netherlands, Canada, the United States, and Germany, coordinated through Europol, executed a joint action week against SocGholish, one of the most persistent and widely deployed malware distribution networks on the internet.

The Operation EndGame took down over 100 servers and domains and removed infections from 14,971 compromised WordPress websites. Proofpoint, which has tracked the group behind SocGholish since 2018, provided intelligence to support the law enforcement actions.

“In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week.” reads the press release.

“Worldwide, 106 servers and domains were taken down. 14.971 websites have been remediated. In addition, the following actions were carried out:

  • Cleaning infected WordPress sites and victim notification, urging previously infected WordPress owners to update their sites and change their login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police, via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).”

SocGholish, also known as FakeUpdates, is operated by a threat group Proofpoint tracks as TA569. The technique is elegantly simple and devastatingly effective: compromise a legitimate website, inject malicious JavaScript, and when a visitor arrives and passes a set of filtering checks, overwrite the entire page with a convincing fake browser update prompt.

“TA569 is one of the most prominent cybercriminal threat groups in Proofpoint threat data, which our researchers have tracked since 2018.” reads Proofpoint’s report. “TA569’s SocGholish inject activity has been linked to major ransomware families and criminal syndicates.”

Those families include WastedLocker, LockBit, and RansomHub. TA569 acts as an initial access broker, and public reporting has linked it to Evil Corp, the Russian cybercriminal group whose members have been sanctioned multiple times by Western governments.

The scale of the problem before the takedown was substantial. In May 2026, ShadowServer found more than 1.44 million compromised WordPress websites available for use by SocGholish. Infoblox reported that approximately 55% of cloud customers had been exposed to SocGholish this year.

“The outcomes included:

  • 14,971 compromised legitimate WordPress sites infected with SocGholish malware remediatedreads the report by ShadowServer.
  • 106 servers and domains taken down worldwide, disrupting the SocGholish botnet”

TA569 compromised sites across virtually every sector: nonprofits, schools, hospitals, legal firms, real estate companies, and major media and retail portals visited by millions of users daily.

Getting into those sites is less spectacular than it sounds. TA569 and its partners gain access through password spraying, stolen or reused credentials, vulnerabilities in WordPress plugins and themes, and weaknesses in third-party dependencies.

“These attacks often target outdated components, but they are not limited to known vulnerabilities. Attackers may also exploit zero-days, abandoned plugins, custom templates, or third-party dependencies that are no longer maintained. In some cases, plugin or theme developers may not realize that underlying libraries or bundled components used by their products also need security updates.” continues Proofpoint. “This can leave sites exposed even when the CMS core appears to be current.”

Once inside, the operator establishes persistence through multiple mechanisms: added admin accounts, PHP backdoors placed outside the CMS directory structure, and fake plugins with benign-sounding names that hide themselves from the WordPress admin interface. Cleaning up visible malware without finding the persistence mechanism is a common mistake that results in reinfection within days.

The delivery chain has grown more sophisticated over time. In the current configuration, TA569 works with TA2726, which operates a malicious version of the Keitaro traffic distribution service (TDS). TA2726 injects highly obfuscated JavaScript into compromised sites via a fake WordPress plugin, which eventually loads the SocGholish code. Stage 1 of SocGholish then profiles the visitor: it checks for automated browsers, open developer tools, prior visits to the fake update page, and WordPress admin sessions. It also waits for the mouse to move at least ten times before proceeding. If the visitor passes all checks, the malware overwrites the entire page.

“Even though the download button might look basic, it’s actually advanced. Clicking it sends a ”postMessage” to a separate hidden iframe that was loaded from a “data:” URI. That iframe fetches a script from the TA569 C2 which contains the file “Google Launcher.js” (GhoLoader Stage 1, C2: “js-new[.]newtoyourgame[.]com”) as an embedded base64 blob, constructs it client-side via “URL.createObjectURL()”, and triggers the download.” continues the report. “This means the downloaded file originates from a “blob:” URL with no direct network download trace pointing to a malicious JavaScript file. Sandboxes that simply “.click()” the button without proper cross-frame message handling will never trigger the download at all.”

The downloaded file is GhoLoader Stage 1, a WSH JScript that communicates with its C2 and executes the response. Sandboxes that simply click the button without handling cross-frame messages won’t trigger the download at all.

Orange Cyber Defense’s CERT observed SocGholish delivering loaders, including GhoLoader and MintsLoader that led to GhostWeaver PowerShell backdoor, LockBit and RansomHub ransomware, and AsyncRAT and NetSupport RAT. The Dutch police noted that notifications were also sent to WordPress site owners whose compromised credentials were identified in the operation, urging them to change logins, enable MFA, delete suspect accounts, and update their software.

The operation will have a significant impact, but it won’t end the web inject problem. TA569 may be, as Proofpoint put it, the originator of the technique, but the web inject space has expanded well beyond a single actor.

“What went from being a technique only used by a handful of threat actors – popularized and innovated by TA569 – web injects have become a common technique used by numerous threat clusters beyond the TA569 ecosystem including ClearFake, ZPHP, and ErrTraffic.” concludes the report.

Proofpoint tracks nearly a dozen distinct threat clusters running web inject campaigns, and the technique has been rising consistently since 2023. TA2726, the TDS provider that funneled traffic for TA569, was not directly targeted in the operation and will continue operating. Its traffic currently also serves TA2727, which delivers different payloads to MacOS users, including FrigidStealer.

For WordPress administrators, the Dutch police and Proofpoint both published concrete remediation steps: enable MFA for all admin accounts, restrict wp-admin access by IP allowlist, remove unused plugins and themes, block PHP execution in the uploads directory, enable file integrity monitoring, and assume that if a site was previously infected, the credentials used to access it are compromised.

Cleaning only the injected code while leaving stale admin accounts and unchanged passwords is not remediation. It’s just delay.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Operation EndGame)