RCMP Cyber Alert: Operation Endgame Disrupts Global SocGholish Malware
Section 1: The Alert
In a major international cybercrime crackdown, the Royal Canadian Mounted Police (RCMP) has worked alongside law enforcement partners from the Netherlands, United States, and Germany to significantly disrupt a Russian-linked cybercriminal network known as SocGholish. This coordinated action, conducted over recent days as part of Operation Endgame, targeted malicious infrastructure that was compromising computers and websites around the world, including in Canada.
SocGholish is a malware framework associated with the Russian cyber group often referred to as Evil Corp. It spread by disguising itself as legitimate software updates on compromised websites, especially those running WordPress. The RCMP’s Federal Policing Pacific Region Cybercrime Investigation Team – Vancouver (CIT‑V) led Canada’s contribution, helping to disinfect thousands of computers globally and secure many affected websites that had been used to attack individuals, organizations, and critical sectors in Canada.
Section 2: Official Details
The RCMP served as Canada’s national representative in Operation Endgame, with the CIT‑V unit in Vancouver providing technical and investigative leadership. Dedicated coders, analysts, investigators, and project managers from CIT‑V worked closely with Dutch Police and other partners to identify and disable the SocGholish infrastructure.
Investigators determined that SocGholish:
- Was linked to the Russian cybercriminal organization commonly known as Evil Corp.
- Tricked users by posing as legitimate computer or browser updates, prompting victims to download malicious files.
- Exploited thousands of WordPress websites worldwide to silently deliver malware to site visitors.
- Was used to gain unauthorized access to victims’ systems and data across sectors, including critical infrastructure, education, and government in Canada.
With technical data from the Dutch National Police, CIT‑V developed and refined a targeted disruption method to directly interfere with SocGholish operations. This technique was used during Operation Endgame to:
- Carry out a mass disinfection of 2,488 computers around the world that were infected with SocGholish malware.
- Take action on 14,971 compromised websites that were being used to spread the malware.
- Implement measures designed to prevent these sites from being easily re-infected with SocGholish in the future.
The RCMP confirms that all identified Canadian entities affected by SocGholish have been notified through Operation Endgame. This large-scale effort is part of an ongoing joint operation bringing together law enforcement agencies from Denmark, Netherlands, Germany, France, United Kingdom, Belgium, Australia, United States, and Canada, with support from Europol and Eurojust.
Important Advisory for WordPress Site Owners
As part of this alert, all WordPress administrators and owners in Canada are strongly urged to take immediate security steps. Even if you have not been contacted directly, these measures are essential to reducing the risk of compromise by SocGholish or similar malware:
- Change all login credentials (administrator, editor, hosting, and database passwords).
- Enable multi‑factor authentication (MFA) for all administrative accounts.
- Remove any unknown or suspicious WordPress user accounts that you did not create.
- Keep WordPress core, themes, and plugins fully up‑to‑date and apply security patches promptly.
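The account-review and patching steps above can be checked from a WordPress export rather than by eye. The following is an added example written for this page, not RCMP or CrimeCanada.ca code; it assumes the JSON field names that WP-CLI's `wp user list --format=json` and `wp plugin list --format=json` emit, and all sample records below are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of:
#   wp user list --format=json --fields=ID,user_login,user_email,roles,user_registered
# (assumption: these are WP-CLI's field names; the values are invented).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.org",
     "roles": "administrator", "user_registered": "2021-03-02 10:15:00"},
    {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.org",
     "roles": "editor", "user_registered": "2022-07-19 08:00:00"},
    {"ID": 7, "user_login": "wp_support", "user_email": "support@mail.example",
     "roles": "administrator", "user_registered": "2025-11-30 03:41:12"},
])

# Constructed sample in the shape of: wp plugin list --format=json
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "1.2.0"},
])

# Accounts the site owner actually created (assumption for the example).
KNOWN_ACCOUNTS = {"siteadmin", "editor_jane"}


def audit_users(users_json, known_accounts, now, recent_days=30):
    """Return (login, reasons) for every account that deserves a second look."""
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = set(user["roles"].split(","))
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_accounts:
            reasons.append("not in allowlist")
        if "administrator" in roles and login not in known_accounts:
            reasons.append("unexpected administrator")
        if now - registered < timedelta(days=recent_days):
            reasons.append(f"registered within {recent_days} days")
        if reasons:
            findings.append((login, reasons))
    return findings


def plugins_needing_update(plugins_json):
    """Names of installed plugins for which WP-CLI reports an available update."""
    return [p["name"] for p in json.loads(plugins_json) if p["update"] == "available"]


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS, KNOWN_ACCOUNTS, datetime(2025, 12, 10)):
        print(f"review account {login}: {', '.join(reasons)}")
    print("plugins to update:", plugins_needing_update(SAMPLE_PLUGINS))
```

On a live site the two JSON strings would come from the WP-CLI commands named in the comments, and any account flagged as an unexpected administrator should be treated as a possible sign of compromise until its origin is confirmed.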
Section 3: CrimeCanada.ca Safety Perspective
From the perspective of CrimeCanada.ca, Operation Endgame underscores that cybercrime is a nationwide public safety issue, not just an information‑technology problem. Malware like SocGholish can be a gateway to ransomware, data theft, and long‑term control over computers used in homes, schools, businesses, and critical infrastructure. These intrusions can disrupt essential services, expose personal information, and erode trust in online platforms Canadians rely on every day.
To reduce risk, Canadians should be cautious about unexpected software update prompts, especially those that appear within a web page rather than coming from their operating system or a trusted vendor. Only download updates from official sources, maintain reputable antivirus and endpoint protection, and back up important data regularly. Organizations should enforce strong passwords, MFA, and timely patching of all web platforms and plugins. If you suspect your systems or website have been compromised, contact your local police or RCMP detachment, and immediately consult qualified cybersecurity professionals. Collective vigilance and rapid reporting of suspicious activity are key to building a safer digital environment across Canada.
Official Source & Community Safety
This safety alert is based on an official release from the Royal Canadian Mounted Police (RCMP). CrimeCanada.ca aggregates and analyzes this data to keep the Canadian community informed, aware, and safe. We are an independent safety data aggregator and not the original creators of the underlying incident report.
Read the full official release here: RCMP Official Statement.
