WP-SHELLSTORM: Cybercrime Crew's Open Server Exposes 1.4M Website Targets
A cybercrime group, dubbed **WP-SHELLSTORM**, inadvertently exposed its entire operation for three weeks by leaving a server unprotected. This critical lapse revealed extensive hacking tools, activity logs, and a hit list of over 1.4 million websites, predominantly **WordPress** and **Joomla** installations. The incident offers a rare, detailed look into the inner workings of a mass web-shell access brokerage.

A cybercrime operation, now tracked as **WP-SHELLSTORM**, has been thoroughly unmasked after leaving one of its command-and-control servers wide open on the internet for nearly a month. This significant operational security blunder exposed the group's full toolkit, target lists, and internal logs, detailing their methods for compromising and reselling access to websites.
**WP-SHELLSTORM** operates as a webshell access brokerage, systematically breaching websites, implanting hidden backdoors (webshells), and then packaging this illicit access for resale on underground markets. The primary targets were **WordPress** and **Joomla** sites running outdated plugins.
## A Forgotten Server Reveals All
Two independent threat intelligence teams, **SOCRadar** and **Ctrl-Alt-Intel**, discovered and analyzed the exposed server. **SOCRadar**'s team spotted the unsecured directory on June 11, 2026, on a US-based rented server (137.175.93[.]126), which lacked any password protection. The directory contained approximately 800MB across 434 files, including webshells, exploit scripts, scan results, command history, and command-and-control configurations.
**Ctrl-Alt-Intel** had previously identified the same directory via **Hunt.io**'s open-directory platform, publishing their findings on June 22, weeks before **SOCRadar**'s July 9 writeup. The exposure stemmed from a basic oversight: the operator initiated a simple **Python** web server to transfer files and then neglected to shut it down for 22 days.
## Exploiting Known Vulnerabilities at Scale
The group leveraged publicly known vulnerabilities in website plugins, primarily within **WordPress**, to develop automated scanners. These scanners then targeted vast lists of potential victims, sourced from **FOFA**, a Chinese search engine for internet-connected systems similar to **Shodan**.
When a vulnerable version of a site was identified, the exploit would upload a webshell β a small script enabling the attacker to execute commands remotely, access files, steal credentials, and move laterally within the network.
Their toolkit included exploits for 27 known flaws, though a select few were responsible for the majority of compromises. The most effective was a bug in the **Breeze** caching plugin (**CVE-2026-3844**), which the crew targeted against over 45,000 sites, successfully backdooring more than 17,000 of them.

It's important to note that the **Breeze** vulnerability only applies when a non-default "Host Files Locally β Gravatars" setting is enabled, limiting its broader impact.
## The Numbers: Targets vs. Compromises
The headline figure of 1.4 million domains refers to the total number of websites on the group's target lists, encompassing **WordPress**, **Joomla**, and other platforms. The actual number of compromised sites was significantly lower.
**Ctrl-Alt-Intel**'s deduplicated count identified 25,195 sites with confirmed or validated compromise evidence. In contrast, **SOCRadar**, focusing on active webshells, estimated over 5,700 live compromises. A **Joomla** bug, for instance, was fired at more than 560,000 targets but only successfully exploited 77 of them.
This distinction highlights that being on a scanner's target list does not equate to being compromised.
## Tooling and a Prior Campaign
The primary backdoor, named `down.php`, was heavily obfuscated with four layers and appears to be derived from **BestShell**, an open-source Chinese webshell. Once active, it provided capabilities for file management, command execution, reverse shells, network scanning, and security software detection.
For their own remote access, the group utilized a **SNOWLIGHT** dropper to install **VShell**, a stealthy backdoor that mimics the `[kworker/0:2]` process name to blend in with legitimate kernel threads.
These tools have a history: in April 2025, **Sysdig** linked the **SNOWLIGHT**-to-**VShell** chain to the suspected Chinese state-sponsored group **UNC5174**. However, **VShell** is also a common tool in Chinese-speaking criminal circles, so its presence alone isn't definitive proof of state-sponsored activity.
Intriguingly, the server also contained evidence of an earlier, distinct campaign. Before the high-volume **WordPress** spree, the same crew conducted a quieter operation in early May 2026, targeting corporate **Java** systems. This earlier campaign exfiltrated 613 configuration files from 11 systems across nine companies in sectors like fintech, e-commerce, logistics, gaming, and electronics. The haul included cloud login keys for **AWS**, **Alibaba Cloud**, **Oracle**, **Tencent**, and **DigitalOcean**, along with database passwords and **Alipay** RSA private keys. This was achieved by exploiting an old bug in **Nacos**, a configuration server (**CVE-2021-29441**), which allowed authentication bypass by faking a web header.
**SOCRadar** interprets this as a strategic sequence: first, acquire high-value corporate credentials, then pivot to higher-volume backdoor operations, potentially as a funding round before scaling up.
## Sloppy Tradecraft
Both research teams assess with medium-to-high confidence that the operators are Chinese or Chinese-speaking, citing fluent Simplified Chinese in code and command history, reliance on **FOFA** (which requires a Chinese phone number for registration), and the use of **Godzilla** and **VShell** tools prevalent in Chinese-speaking forums.
**SOCRadar** further suggests a financially motivated rather than state-directed group. Despite their capable toolchain, the crew's operational security was notably lax. They left the server unsecured, exposed a **FOFA** configuration file traceable by law enforcement, and left an unedited command history that laid bare their entire operation. Although they attempted to delete log lines between July 2 and July 4, it was weeks too late.
This blunder echoes a similar incident in March 2026, where **Ctrl-Alt-Intel** caught Russia's **Fancy Bear** (**APT28**) through a forgotten open directory, which revealed their phishing tools and logs in a campaign dubbed "Operation Roundish."
## Immediate Actions for IT Security Professionals and Users
Organizations running any of the targeted software should take immediate action. These vulnerabilities are not obscure; several are under active exploitation elsewhere.
**Wordfence** tracked tens of thousands of blocked attacks against the **Everest Forms Pro** flaw (**CVE-2026-3300**) this spring. The **Joomla JCE** bug (**CVE-2026-48907**) is a maximum-severity vulnerability that **CISA** has added to its Known Exploited Vulnerabilities list.
* **WordPress and Joomla (Critical):**
* Patch **Breeze** (**CVE-2026-3844**, fixed in 2.4.5) if the non-default "Host Files Locally β Gravatars" setting is enabled. This was the most exploited vulnerability in this campaign.
* Urgently patch the **Joomla JCE** flaw (**CVE-2026-48907**, fixed in 2.9.99.5). Despite minimal exploitation in this specific campaign, it is a maximum-severity flaw and actively exploited according to **CISA**.
* **WordPress and Joomla (Also Check):** Update **ThemeREX Addons** (**CVE-2026-1969**), **Simple File List** (**CVE-2020-36847** - *Note: reports incorrectly listed CVE-2025-34085, which is a rejected duplicate*), **Custom CSS JS PHP** (**CVE-2026-6433**), **BerqWP** (**CVE-2025-7443**), **Ninja Forms** uploads (**CVE-2026-0740**), **WavePlayer** (**CVE-2025-12057**), **WPBookit** (**CVE-2025-7852**), and **WP File Manager** (**CVE-2020-25213**).
* **Nacos:** Upgrade to version 2.2.1 or later and enable authentication (`nacos.core.auth.enabled=true`). If your instance was ever exposed, rotate all associated credentials immediately, not just the obvious ones.
* **XXL-Job and Spring Boot:** Close unauthenticated executor endpoints.