Introduction
International law enforcement agencies have executed a significant operation against the SocGholish malware infrastructure, cleaning nearly 15,000 compromised WordPress websites and dismantling more than 100 servers linked to Evil Corp's compromised device network. This coordinated takedown disrupted a primary initial access vector used by one of Russia's most prolific cybercrime syndicates.
While this operation is a win for defenders, the threat remains active. Evil Corp has a history of rapidly rebuilding infrastructure, and the underlying vulnerabilities that enabled these compromises—unpatched WordPress installations, weak credentials, and vulnerable plugins—persist across the internet. SOC teams and security engineers must treat this as a wake-up call: the infection vector is still open, and new sites are being compromised right now.
SocGholish (also tracked as FakeUpdates) is not just a nuisance—it's a sophisticated JavaScript-based malware dropper that serves as the entry point for ransomware operations, banking trojans, and data exfiltration campaigns. When users visit compromised WordPress sites, they're presented with fraudulent browser update prompts that deliver malicious payloads. Your WordPress infrastructure is either already part of the problem or potentially the next target.
Technical Analysis
Affected Products and Platforms
- WordPress Content Management System (all versions running on public-facing servers)
- Web Servers: Apache, Nginx, LiteSpeed (hosting compromised WordPress installations)
- Operating Systems: Primarily Linux-based hosting environments
How the Attack Works
SocGholish operates through a well-orchestrated attack chain that Evil Corp has refined over years of operations:
- Initial Compromise: WordPress sites are compromised through:
  - Unpatched plugin vulnerabilities
  - Weak or reused administrative credentials
  - Supply-chain compromises of legitimate themes/plugins
  - Misconfigured file permissions allowing web shell upload
- JavaScript Injection: Malicious JavaScript is injected into legitimate site files, typically:
  - wp-includes/js/jquery/jquery.js
  - Theme footer or header files
  - Index files in the web root
  - Obfuscated code within active plugin files
- Fake Update Delivery: When victims visit the compromised site, the injected JavaScript:
  - Detects the visitor's browser type and version
  - Dynamically generates a convincing fake browser update prompt
  - Uses domain typosquatting or legitimate-looking domains to host the payload
- Payload Execution: Downloaded "update" files are actually:
  - Windows: PowerShell scripts or DLLs that download secondary payloads (often ransomware like LockBit)
  - Information stealers (e.g., Vidar, RedLine)
  - Remote access trojans establishing persistence for Evil Corp operators
Exploitation Status
- Active Exploitation: Confirmed ongoing campaigns targeting WordPress installations globally
- Law Enforcement Action: Approximately 15,000 sites cleaned and 100+ C2 servers seized as of 2026
- Persistence: Evil Corp continues to register new infrastructure and compromise fresh WordPress instances
- CISA KEV: SocGholish campaigns are tracked within active threat catalogs
Detection & Response
SIGMA Rules
---
title: SocGholish JavaScript Injection in WordPress Core Files
id: 8c4d2e1f-7a9b-4c3d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects suspicious JavaScript injection patterns commonly associated with SocGholish in WordPress core JavaScript files. The malware typically injects base64-encoded or heavily obfuscated scripts into legitimate jQuery files.
references:
  - https://attack.mitre.org/techniques/T1190/
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.initial_access
  - attack.t1190
  - attack.webshell
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/wp-includes/js/jquery/'
      - '/wp-content/themes/'
      - '/wp-content/plugins/'
    TargetFilename|endswith:
      - '.js'
      - '.php'
  suspicious_content:
    TargetFilename|contains:
      - 'jquery.js'
      - 'functions.php'
      - 'footer.php'
      - 'header.php'
  javascript_injection:
    CommandLine|contains:
      - 'eval('
      - 'atob('
      - 'fromCharCode'
      - 'document.write'
      - '<script'
  condition: selection and suspicious_content and javascript_injection
falsepositives:
  - Legitimate plugin updates
  - Theme customization activities
level: high
---
title: SocGholish Fake Browser Update Pattern in Web Access Logs
id: 9d5e3f2a-8b0c-5d4e-0f1a-2b3c4d5e6f7a
status: experimental
description: Detects web access patterns indicative of SocGholish fake browser update delivery. Malicious JavaScript often redirects users to domains mimicking legitimate browser update pages with specific URI patterns.
references:
  - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1204
  - attack.initial_access
logsource:
  category: webserver
  product: apache
detection:
  selection_uri:
    cs-uri-query|contains:
      - '/update/'
      - '/download/'
      - 'chrome-update'
      - 'firefox-update'
      - 'edge-update'
      - 'browser-update'
  selection_ext:
    cs-uri-query|endswith:
      - '.exe'
      - '.msi'
      - '.dmg'
      - '.pkg'
  selection_ua:
    cs-user-agent|contains:
      - 'Windows NT'
      - 'Macintosh'
  selection_referer:
    cs-referer|contains:
      - 'wordpress'
      - 'wp-content'
  # selection_referer was defined but never referenced; it is required here so the
  # rule only fires on downloads that originate from a WordPress page
  condition: selection_uri and selection_ext and selection_ua and selection_referer
falsepositives:
  - Legitimate software download repositories
  - Internal update servers
level: medium
---
title: Suspicious WordPress File Modifications Outside Scheduled Updates
id: 0e6f4a3b-9c1d-6e5f-1a2b-3c4d5e6f7a8b
status: experimental
description: Detects modifications to WordPress core, theme, or plugin files that occur outside typical maintenance windows. SocGholish often injects malicious code into these files to achieve persistence.
references:
  - https://attack.mitre.org/techniques/T1565/
  - https://attack.mitre.org/techniques/T1505/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1565
  - attack.defense_evasion
logsource:
  category: file_change
  product: linux
detection:
  selection_paths:
    TargetFilename|contains:
      - '/wp-includes/'
      - '/wp-admin/'
      - '/wp-content/themes/'
      - '/wp-content/plugins/'
  selection_files:
    TargetFilename|endswith:
      - '.php'
      - '.js'
  filter_legitimate:
    ProcessName|contains:
      - 'wp-cli'
      - 'apt'
      - 'yum'
      - 'dnf'
  filter_maintenance:
    Hour|between:
      - 2
      - 6
  condition: selection_paths and selection_files and not filter_legitimate and not filter_maintenance
falsepositives:
  - Legitimate plugin/theme updates during business hours
  - Developer deployments
level: medium
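The second Sigma rule above is easy to misread as four independent alerts; all four selections must hold on the same request. The following Python script is an added example (not part of the original advisory or of Security Arsenal's tooling) that applies the same four conditions to Apache combined-format access lines exported from a web proxy or server, so the rule can be run where no SIEM is available. The log lines embedded in it are constructed for the demonstration; the indicator lists are copied from the rule.

```python
"""Flag fake-browser-update downloads in Apache combined-format access logs.

Mirrors the Sigma rule: URI pattern AND binary extension AND desktop user
agent AND WordPress referer must all match on one request.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicator lists taken from the Sigma rule above.
UPDATE_PATTERNS = ("/update/", "/download/", "chrome-update", "firefox-update",
                   "edge-update", "browser-update")
BINARY_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg")
DESKTOP_UA_MARKERS = ("Windows NT", "Macintosh")
WORDPRESS_REFERER_MARKERS = ("wordpress", "wp-content")


@dataclass
class Finding:
    host: str
    time: str
    uri: str
    referer: str
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(entry: dict) -> Optional[Finding]:
    """Apply the four selections; a Finding is returned only when all of them hold."""
    uri = entry["uri"]
    path = urlsplit(uri).path.lower()  # drop the query string before checking the extension
    reasons = []
    if any(p in uri.lower() for p in UPDATE_PATTERNS):
        reasons.append("uri matches fake-update pattern")
    if path.endswith(BINARY_EXTENSIONS):
        reasons.append("binary download extension")
    if any(m in entry["ua"] for m in DESKTOP_UA_MARKERS):
        reasons.append("desktop user agent")
    if any(m in entry["referer"].lower() for m in WORDPRESS_REFERER_MARKERS):
        reasons.append("referred from a WordPress site")
    if len(reasons) == 4:
        return Finding(entry["host"], entry["time"], uri, entry["referer"], reasons)
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over a log stream, skipping lines that fail to parse."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip rather than abort the hunt
        finding = evaluate(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not real traffic); only the second line should fire.
SAMPLE_LOG = [
    # genuine theme asset fetched from a WordPress page: no update pattern, no binary
    '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "GET /wp-content/themes/demo-theme/style.css HTTP/1.1" 200 5120 "https://blog.example/wordpress/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"',
    # fake updater downloaded right after visiting a compromised WordPress page
    '203.0.113.5 - - [15/Apr/2026:10:01:09 +0000] "GET /chrome-update/Chrome_Update.exe?id=42 HTTP/1.1" 200 884736 "https://blog.example/wp-content/themes/demo-theme/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"',
    # same URI fetched by a crawler: no desktop UA, no referer, so it does not fire
    '198.51.100.7 - - [15/Apr/2026:10:02:00 +0000] "GET /chrome-update/Chrome_Update.exe HTTP/1.1" 200 884736 "-" "curl/8.5.0"',
    # internal update server serving an .msi without a WordPress referer (listed false positive)
    '10.0.0.12 - - [15/Apr/2026:10:03:00 +0000] "GET /update/agent-1.2.3.msi HTTP/1.1" 200 1048576 "https://updates.internal.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    # garbage line, exercises the parser's skip path
    'not a log line',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.uri} referer={f.referer} :: {', '.join(f.reasons)}")
```

Feed it a real file with `hunt(open("access.log"))`. The fourth sample line shows why the referer selection matters: without it, every internal software repository that serves an `.msi` from an `/update/` path would raise a medium-severity alert.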
KQL (Microsoft Sentinel / Defender)
// Hunt for SocGholish indicators in web server logs ingested via Syslog/CEF
let SuspiciousUpdatePatterns = dynamic(["chrome-update", "firefox-update", "edge-update", "browser-update", "/update/download", ".exe?browser", "fake-update"]);
let SuspiciousExtensions = dynamic([".exe", ".msi", ".dmg", ".pkg", ".js?download"]);
// Query CommonSecurityLog for web proxy/firewall logs
CommonSecurityLog
| where FileProtocol in ("HTTP", "HTTPS")
| where RequestURL has_any (SuspiciousUpdatePatterns) or (RequestURL has_any (SuspiciousExtensions) and RequestURL has "browser")
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Cisco", "Check Point", "SonicWall")
| extend Referrer = extract(@"Referer:\s*([^\n]+)", 1, AdditionalExtensions)
| where Referrer has "wordpress" or Referrer has "wp-content"
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Referrer, UserAgent, RequestMethod, SentBytes, ReceivedBytes
| order by TimeGenerated desc

// Hunt for WordPress file modification anomalies on Linux endpoints (via OMS agent)
let WordPressPaths = dynamic(["/var/www/html/wp-includes", "/var/www/html/wp-content", "/var/www/html/wp-admin", "/home/*/public_html/wp-content"]);
let SuspiciousContent = dynamic(["eval(", "base64_decode", "atob(", "document.write(\"<script", "createXMLHttpRequest", "WebSocket", "evilcorp"]);
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WordPressPaths)
| where FileName has_any (".php", ".js")
| extend FilePath = strcat(FolderPath, "/", FileName)  // Linux paths; "\" would also be an unterminated KQL string literal
| where InitiatingProcessAccountName !in ("root", "www-data", "nginx", "apache") or SHA256 != "0000000000000000000000000000000000000000000000000000000000000000"
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FilePath, SHA256, ActionType
| order by TimeGenerated desc
Velociraptor VQL
-- Hunt for recently modified PHP/JS files under the WordPress directories
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/var/www/**/*.{php,js}")
WHERE FullPath =~ "wp-(includes|content|admin)"
  AND Mtime > timestamp(epoch=now() - 30 * 86400)

-- Stored query: scan one file line by line for SocGholish injection patterns.
-- FullPath is bound from the row of the calling query. Single-quoted strings
-- are not escape-processed in VQL, so the regex backslashes are kept literal.
LET SuspiciousPatterns = SELECT Line
  FROM parse_lines(filename=FullPath)
  WHERE Line =~ '(eval\(|atob\(|base64_decode|fromCharCode|document\.write.*script|evilcorp|fake.*update)'

-- Execute the scan on recently modified jQuery files
SELECT FullPath, Mtime, Size, SuspiciousPatterns AS Matches
FROM glob(globs="/var/www/**/wp-includes/js/jquery/*.js")
WHERE Mtime > timestamp(epoch=now() - 30 * 86400)

-- Hunt for recently modified WordPress files indicative of compromise
SELECT FullPath, Mtime, Atime, Ctime, Size, Mode
FROM glob(globs="/var/www/**/*.{php,js,htaccess}")
WHERE FullPath =~ "wp-(includes|content|admin)"
  AND Mtime > timestamp(epoch=now() - 7 * 86400)
ORDER BY Mtime DESC

-- Check for WordPress core file integrity violations: hash() returns MD5/SHA1/SHA256
-- members; compare CurrentHash against the wordpress.org checksums for the installed version
SELECT FullPath, Size,
       hash(path=FullPath).SHA256 AS CurrentHash,
       "INTEGRITY_CHECK" AS CheckType
FROM glob(globs="/var/www/**/wp-includes/*.php")
WHERE Size < 1048576
  AND Mtime > timestamp(epoch=now() - 14 * 86400)
Remediation Script (Bash)
#!/bin/bash
# SocGholish Remediation and WordPress Hardening Script
# Version: 1.0 | Security Arsenal | 2026
set -euo pipefail
LOG_FILE="/var/log/socgholish_remediation_$(date +%Y%m%d_%H%M%S).log"
BACKUP_DIR="/tmp/wp_remediation_backup_$(date +%Y%m%d_%H%M%S)"
WEB_ROOT="${1:-/var/www/html}"
# Logging function
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# Create backup directory
mkdir -p "$BACKUP_DIR"
log "Created backup directory: $BACKUP_DIR"
# Function to scan for SocGholish patterns
scan_socgholish() {
log "Scanning for SocGholish injection patterns..."
# Pattern 1: Base64 encoded JavaScript injection
find "$WEB_ROOT" -type f \( -name "*.php" -o -name "*.js" \) -exec grep -l "eval(.*base64_decode" {} \; 2>/dev/null | tee -a "$LOG_FILE"
# Pattern 2: Fake update redirect scripts
find "$WEB_ROOT" -type f \( -name "*.php" -o -name "*.js" \) -exec grep -l "browser.*update\|chrome.*update\|firefox.*update" {} \; 2>/dev/null | tee -a "$LOG_FILE"
# Pattern 3: Obfuscated JavaScript common in SocGholish
find "$WEB_ROOT" -type f -name "*.js" -exec grep -l "atob(.*fromCharCode" {} \; 2>/dev/null | tee -a "$LOG_FILE"
# Pattern 4: Suspicious iframe injections
find "$WEB_ROOT" -type f -name "*.php" -exec grep -l "<iframe.*src=.*http" {} \; 2>/dev/null | tee -a "$LOG_FILE"
}
# Function to backup compromised files
backup_files() {
log "Backing up suspicious files before remediation..."
while IFS= read -r file; do
if [[ -f "$file" ]]; then
mkdir -p "$BACKUP_DIR/$(dirname "$file")"
cp -p "$file" "$BACKUP_DIR/$file"
log "Backed up: $file"
fi
done < <(find "$WEB_ROOT" -type f \( -name "*.php" -o -name "*.js" \) -exec grep -l "eval(.*base64_decode\|browser.*update\|atob(.*fromCharCode\|<iframe.*src=.*http" {} \; 2>/dev/null)
}
# Function to remove malicious injections
remove_injections() {
log "Removing SocGholish injections..."
# Remove from jQuery files (common target)
find "$WEB_ROOT/wp-includes/js/jquery" -name "*.js" -type f -exec sed -i '/eval(.*base64_decode/d' {} \; 2>/dev/null
find "$WEB_ROOT/wp-includes/js/jquery" -name "*.js" -type f -exec sed -i '/atob(.*fromCharCode/d' {} \; 2>/dev/null
# Clean theme footer/header files
find "$WEB_ROOT/wp-content/themes" -type f \( -name "footer.php" -o -name "header.php" \) | while IFS= read -r file; do
sed -i '/<script.*document\.write.*browser.*update/d' "$file" 2>/dev/null
sed -i '/eval(.*base64.*decode/d' "$file" 2>/dev/null
done
log "Injection cleanup completed"
}
# Function to check WordPress core integrity
check_core_integrity() {
log "Checking WordPress core integrity..."
if [[ -f "$WEB_ROOT/wp-includes/version.php" ]]; then
WP_VERSION=$(grep "\$wp_version" "$WEB_ROOT/wp-includes/version.php" | awk -F"'" '{print $2}')
log "WordPress version detected: $WP_VERSION"
# Use WP-CLI to verify core files if available
if command -v wp &> /dev/null; then
cd "$WEB_ROOT"
wp core verify-checksums 2>&1 | tee -a "$LOG_FILE" || true
fi
fi
}
# Function to harden WordPress permissions
harden_permissions() {
log "Hardening WordPress file permissions..."
# Set proper ownership (adjust user:group as needed)
chown -R www-data:www-data "$WEB_ROOT" 2>/dev/null || chown -R apache:apache "$WEB_ROOT"
# Set restrictive permissions
find "$WEB_ROOT" -type d -exec chmod 755 {} \;
find "$WEB_ROOT" -type f -exec chmod 644 {} \;
# Protect wp-config.php
chmod 600 "$WEB_ROOT/wp-config.php" 2>/dev/null || true
# Prevent .htaccess modifications
chmod 444 "$WEB_ROOT/.htaccess" 2>/dev/null || true
# Disable PHP execution in uploads directory
echo "<Files *.php>" > "$WEB_ROOT/wp-content/uploads/.htaccess"
echo "Deny from all" >> "$WEB_ROOT/wp-content/uploads/.htaccess"
echo "</Files>" >> "$WEB_ROOT/wp-content/uploads/.htaccess"
chmod 444 "$WEB_ROOT/wp-content/uploads/.htaccess"
log "Permission hardening completed"
}
# Function to scan for webshells
scan_webshells() {
log "Scanning for potential webshells..."
# Common webshell patterns
WEBSHELL_PATTERNS=(
"system(.*\\$_"
"eval(.*\\$_"
"assert(.*\\$_"
"preg_replace.*\\/e"
"base64_decode"
"gzinflate"
"str_rot13"
"create_function"
"passthru"
"shell_exec"
"exec("
"\\$_POST["
"\\$_GET["
"\\$_REQUEST["
)
for pattern in "${WEBSHELL_PATTERNS[@]}"; do
find "$WEB_ROOT/wp-content" -type f -name "*.php" -exec grep -l "$pattern" {} \; 2>/dev/null >> "$LOG_FILE"
done
log "Webshell scan completed"
}
# Function to update WordPress core and plugins
update_wordpress() {
log "Updating WordPress core and plugins..."
if command -v wp &> /dev/null; then
cd "$WEB_ROOT"
wp core update 2>&1 | tee -a "$LOG_FILE" || true
wp plugin update --all 2>&1 | tee -a "$LOG_FILE" || true
wp theme update --all 2>&1 | tee -a "$LOG_FILE" || true
log "WordPress update process completed"
else
log "WP-CLI not found. Manual update required."
log "Download latest WordPress: https://wordpress.org/download/"
fi
}
# Main execution
log "=== Starting SocGholish Remediation ==="
log "Target: $WEB_ROOT"
# Verify web root exists
if [[ ! -d "$WEB_ROOT" ]]; then
log "ERROR: Web root not found: $WEB_ROOT"
exit 1
fi
# Execute remediation steps
scan_socgholish
backup_files
remove_injections
check_core_integrity
scan_webshells
harden_permissions
update_wordpress
log "=== Remediation completed ==="
log "Backup location: $BACKUP_DIR"
log "Log file: $LOG_FILE"
log ""
log "RECOMMENDED NEXT STEPS:"
log "1. Review all files in backup directory for verification"
log "2. Force password reset for all WordPress user accounts"
log "3. Enable 2FA for all administrative users"
log "4. Install and configure a security plugin (Wordfence, iThemes Security)"
log "5. Configure WAF rules to block known Evil Corp infrastructure"
log "6. Schedule regular integrity monitoring"
exit 0
Remediation
Immediate Actions
- Isolate Compromised Systems
  - Disconnect affected WordPress servers from the internet immediately
  - Preserve disk images for forensic analysis if sensitive data may have been exposed
  - Rotate all credentials associated with the WordPress installation (database, FTP, SSH, admin accounts)
- Verify WordPress Integrity
  - Download fresh WordPress core files from wordpress.org and replace the wp-includes/ and wp-admin/ directories
  - Use wp core verify-checksums (WP-CLI) to identify modified files
  - Review all installed themes and plugins for unauthorized modifications
- Remove Malicious Injections
  - Search for and remove SocGholish JavaScript patterns:
    - eval(base64_decode(...))
    - atob(fromCharCode(...))
    - <script>document.write('<iframe...')</script>
    - Fake browser update redirect code
  - Common infection locations:
    - /wp-includes/js/jquery/jquery.js
    - /wp-content/themes/[active-theme]/footer.php
    - /wp-content/themes/[active-theme]/header.php
    - Recently modified plugin PHP files
Long-Term Hardening
- Patch Management
  - Update WordPress core to the latest version immediately
  - Update all plugins and themes; remove any abandoned or unnecessary plugins
  - Establish a weekly patch cadence for critical components
  - Subscribe to WordPress security advisories: https://wordpress.org/news/category/security/
- Access Control
  - Enforce strong password policies (minimum 16 characters, complexity requirements)
  - Implement Multi-Factor Authentication for all admin accounts (use Wordfence, Google Authenticator, or similar)
  - Limit login attempts using plugins like Limit Login Attempts Reloaded
  - Change the default wp-login.php URL using a security plugin
- Web Application Firewall
  - Deploy a WAF with rules specifically targeting SocGholish patterns:
    - Block requests containing eval( or base64_decode in URL parameters
    - Block requests referencing fake browser update URLs
    - Implement GeoIP blocking for regions not relevant to your user base
  - Recommended WAF solutions: Cloudflare, AWS WAF, ModSecurity with OWASP Core Rule Set
- File Integrity Monitoring
  - Implement FIM for WordPress directories:
    - Monitor wp-content/ for unauthorized file creations/modifications
    - Alert on changes to core WordPress files outside of maintenance windows
  - Tools: AIDE, OSSEC, Tripwire, or commercial EDR solutions
- Security Plugins Configuration
  - Install and configure Wordfence or iThemes Security with:
    - Real-time traffic scanning
    - Malware signature updates
    - 2FA enforcement
    - Hide login URL feature
    - File change detection
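The File Integrity Monitoring item above names tools but not the mechanism. The following Python script is an added example (not part of the original advisory or of any of the tools it lists) of the baseline-and-compare approach those tools implement: hash every PHP, JS and .htaccess file under the web root, store the hashes, and later report what was modified, added or removed. The miniature WordPress tree and the "injection" it detects are constructed inside a temporary directory; the only real paths are the WordPress layout conventions the advisory already lists (wp-includes/js/jquery/jquery.js, theme footer.php, wp-content/uploads).

```python
"""Baseline-and-compare file integrity check for a WordPress tree.

Hashes every PHP, JS and .htaccess file under a web root and reports files
that changed, appeared or vanished since the stored baseline, which is the
behaviour the advisory asks a FIM tool to provide for wp-content/ and core.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

WATCHED_NAMES = (".htaccess",)      # dotfiles have no Path.suffix, so match by name
WATCHED_SUFFIXES = (".php", ".js")


def sha256_file(path: Path) -> str:
    """Stream the file so large plugin bundles never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> Dict[str, str]:
    """Map each watched file (path relative to web_root, POSIX form) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in web_root.rglob("*"):
        if path.is_file() and (path.suffix in WATCHED_SUFFIXES or path.name in WATCHED_NAMES):
            baseline[path.relative_to(web_root).as_posix()] = sha256_file(path)
    return baseline


def save_baseline(baseline: Dict[str, str], out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference; an injection shows up as 'modified', a dropped file as 'added'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny WordPress tree, alter it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        jquery = root / "wp-includes" / "js" / "jquery" / "jquery.js"
        footer = root / "wp-content" / "themes" / "demo-theme" / "footer.php"
        for target, body in ((jquery, "/* constructed stand-in for jquery.js */\n"),
                             (footer, "<?php wp_footer(); ?>\n")):
            target.parent.mkdir(parents=True)
            target.write_text(body)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8")  # not a watched type

        store = root / "baseline.json"  # demo only; keep the real baseline off the web host
        save_baseline(build_baseline(root), store)

        # Mimic the two symptoms the advisory describes: an appended line in jquery.js
        # and a new PHP file in uploads. Both bodies are harmless constructed markers.
        with jquery.open("a") as fh:
            fh.write("/* constructed marker standing in for injected script */\n")
        (uploads / "dropped.php").write_text("<?php // constructed placeholder\n")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` immediately after a clean install or after `wp core verify-checksums` passes, store the JSON somewhere the web server account cannot write, and schedule `compare` against a fresh scan; any entry under "modified" inside wp-includes/ or wp-admin/ outside a maintenance window is the alert the third Sigma rule above is trying to express.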
Verification Steps
After remediation, perform the following validation:
- Scan all WordPress files using multiple security scanners
- Check Google Search Console for security warnings
- Use VirusTotal to scan the domain for blacklisting status
- Review access logs for signs of continued malicious activity
- Test the site from a clean browser with no extensions to confirm fake update prompts are eliminated
Official Resources
- WordPress Security Releases: https://wordpress.org/news/category/security/
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Evil Corp Advisory Updates: Monitor US-CERT and international law enforcement advisories