CRITICAL: SocGholish Compromised WordPress Sites Special Report

LAST UPDATED: 2026-06-18

DEFAULT SEVERITY LEVEL: CRITICAL

This Special Report contains information about compromised legitimate WordPress sites that are believed to have been used in the operation of the SocGholish malware framework. The data is being shared as an output of the continuing international Law Enforcement cyber crime disruption effort called Operation Endgame, which had a third season of action announced on November 13th 2025 and continued with further disruption on June 18th 2026. The Special Report dated 2026-06-18 contains data covering the period between 2023-05-17 and 2026-05-25.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24-hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and, hopefully, acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across Special Reports may differ on a case by case basis, hence the report formats for individual Special Reports may be different.

Note that exact timestamps were not available for individual events, so the timestamp field is set to “2026-06-18 00:00:00”.

This Special Report has severity level CRITICAL set on all events. Severity levels are described here.

Filename prefix: 2026-06-18-special. Note: these are accessible in the API using 2026-06-18 as the search date.

Fields

  • timestamp
    The timestamp has been set to "2026-06-18 00:00:00" to represent when this one-off data set was shared by Shadowserver
  • ip
    IP address associated with the domain name on 2026-06-18 (if available)
  • port
    TCP or UDP port identified
  • protocol
    Protocol associated with the malicious activity
  • asn
    Autonomous System Number of the affected device (if the domain resolved to an IP address on 2026-06-18)
  • geo
    Country of the affected device (if the domain resolved to an IP address on 2026-06-18)
  • region
    Region of the affected device (if the domain resolved to an IP address on 2026-06-18)
  • city
    City of the affected device (if the domain resolved to an IP address on 2026-06-18)
  • hostname
    The domain name of the compromised legitimate WordPress site used for the SocGholish infrastructure
  • naics
    North American Industry Classification System Code (if the domain resolved to an IP address on 2026-06-18)
  • sector
    Sector of the IP in question (if the domain resolved to an IP address on 2026-06-18)
  • tag
    Additional tags for more insight
  • infection
    Description of the malware/infection
  • public_source
    Source of the data
  • status
    Status of the affected domain, for example, "infected" infrastructure
  • detail
    URL to obtain more detail
  • account
    The Microsoft Windows user name of the infected user on the victim system (unused)
  • method
    Request method (unused)
  • severity
    Severity level
  • hostname_source
    Hostname source
  • first_seen_time
    The time the compromised legitimate WordPress site associated with SocGholish infrastructure was first seen
  • last_seen_time
    The time the compromised legitimate WordPress site associated with SocGholish infrastructure was last seen
  • potential_exposure_time
    The number of seconds between first and last seen times for this domain
  • url
    The compromised legitimate WordPress site URL associated with SocGholish infrastructure
  • login
    The login on the compromised legitimate WordPress site associated with SocGholish infrastructure
  • password
    The redacted password for the login on the compromised legitimate WordPress site associated with SocGholish infrastructure (only last two characters shown)
  • password_sha1
    The SHA1 hash of the password for the login on the compromised legitimate WordPress site associated with SocGholish infrastructure, redacted as the first half of the hash only (to allow local verification)
  • password_ntlm
    The NTLM hash of the password for the login on the compromised legitimate WordPress site associated with SocGholish infrastructure, redacted as the first half of the hash only (to allow local verification)

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","url","login","password","password_sha1","password_ntlm"
"2026-06-18 00:00:00",192.168.0.1,443,tcp,64512,ZZ,Region,City,node01.example.com,0,,,socgholish,operation-endgame,infected,https://operation-endgame.com/,,,critical,ptr,2025-03-22T15:21:22,2025-05-24T02:01:22,5395200,https://192.168.0.1/wp-login,User1,******JY,74fa175492e438a1,50814313dabb22f4
"2026-06-18 00:00:00",192.168.0.2,443,tcp,64512,ZZ,Region,City,node02.example.com,0,,,socgholish,operation-endgame,infected,https://operation-endgame.com/,,,critical,ptr,2024-07-09T20:41:21,2026-05-13T10:01:21,58108800,https://192.168.0.2/wp-login.php,User2,******6!,d17f8c32bc8f8156,d6b1588b8836f068
"2026-06-18 00:00:00",192.168.0.3,443,tcp,64512,ZZ,Region,City,node03.example.com,0,,,socgholish,operation-endgame,infected,https://operation-endgame.com/,,,critical,ptr,2023-11-22T14:41:21,2023-11-22T14:41:21,,https://192.168.0.3/wp-login.php,User3,******17,52ab5111494db34d,04c17c0817a5559f
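The local verification that the password, password_sha1 and password_ntlm fields are redacted to allow can be done as below. This is an added example, not Shadowserver code: it checks passwords you already hold against a report row without sending them anywhere. The function names, the vault mapping, the sample password and the UTF-8 encoding used for SHA1 are assumptions; the prefix is compared at whatever length the report supplies.

```python
import csv, hashlib, io, struct

M = 0xFFFFFFFF
ROUNDS = (  # MD4 rounds: (boolean function, word order, rotations, constant)
    (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in OpenSSL 3."""
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in ROUNDS:
            for i, w in enumerate(order):
                t, s = (a + f(b, c, d) + x[w] + k) & M, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & M, b, c
        h = [(v + n) & M for v, n in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def ntlm_hex(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()  # NTLM = MD4 over UTF-16LE

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()  # UTF-8 is an assumption

def candidate_matches(row: dict, candidate: str) -> bool:
    """Compare a locally held password with the redacted fields of one report row."""
    sha1_pre, ntlm_pre = row["password_sha1"].lower(), row["password_ntlm"].lower()
    if not sha1_pre or not ntlm_pre:
        return False  # an empty prefix would match anything, so treat as unverifiable
    return (candidate.endswith(row["password"][-2:])
            and sha1_hex(candidate).startswith(sha1_pre)
            and ntlm_hex(candidate).startswith(ntlm_pre))

def exposed_logins(report_csv: str, vault: dict) -> list:
    """vault maps (hostname, login) -> current password; returns the pairs still exposed."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [(r["hostname"], r["login"]) for r in rows
            if candidate_matches(r, vault.get((r["hostname"], r["login"]), ""))]

# Constructed sample: a made-up password, redacted the way the report describes.
PW = "Tr0ub4dor&3-constructed"
SAMPLE = ("hostname,login,password,password_sha1,password_ntlm\n"
          f"node01.example.com,User1,******{PW[-2:]},{sha1_hex(PW)[:16]},{ntlm_hex(PW)[:16]}\n")
```

A pair returned by `exposed_logins` means the password currently in use is the one in the report and still needs rotating; a login that no longer matches has already been changed since the credential was captured.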
