Exposed Cybercrime Operations Unveiled by Oversight
A cybercriminal syndicate inadvertently left one of its servers accessible on the internet for a staggering three weeks, revealing the intricate dynamics of its operations: the hacking tools, extensive activity logs, and an alarming target list containing over 1.4 million websites.
While the actual number of breached sites was considerably lower, the disclosed documents provided researchers with a rare glimpse into the mechanics of a large-scale site-hacking enterprise.
This operation, identified as WP-SHELLSTORM, has been classified by SOCRadar as a webshell access brokerage. It specializes in mass intrusions into websites, implanting a covert backdoor (termed a “webshell”) in each, and subsequently marketing this access for profit.
The most significant activity targeted WordPress sites with outdated plugins. For those utilizing WordPress or Joomla, the vulnerabilities of chief concern involved the Breeze caching plugin and Joomla’s JCE editor; see the checklist below for further elucidation.
A Neglected Server
On June 11, 2026, two investigative teams uncovered the exposed server folder. SOCRadar’s threat intelligence division traced it to a US-based rented server at 137.175.93[.]126, which had no password protection whatsoever.
The contents spanned approximately 800MB across 434 files, including webshells, exploit scripts, scans, the operator’s command history, and configurations for command-and-control operations.
Ctrl-Alt-Intel also examined the same directory, discovering it via Hunt.io’s open-directory platform, with their findings released on June 22, prior to SOCRadar’s subsequent writeup on July 9.
The exposure resulted from a fundamental oversight: the operator initiated a simple Python web server to transfer files, unwittingly leaving it operational for 22 days.
The attackers exploited publicly recognized vulnerabilities in website plugins, predominantly within WordPress, employing automated scanners to target extensive lists curated from FOFA—a Chinese search engine tailored for internet-connected systems, akin to Shodan.
When a vulnerable version of a site was detected, the exploit could install a webshell: a petite script empowering the attacker to execute commands remotely, read sensitive files, exfiltrate passwords, and delve deeper into the network’s framework.
The toolkit encompassed 27 recognized flaws, though a select few executed the majority of intrusions
The paramount vulnerability originated from the Breeze caching plugin (CVE-2026-3844), against which the crew launched exploits targeting over 45,000 websites and claimed to backdoor more than 17,000 in return.
Decoding the Numbers
While a headline figure of 1.4 million dominates, it’s essential to underscore that this indicates the number of domains listed in the target pool, rather than the actual counts of successful breaches.
The lists encompassed WordPress, Joomla, and various other platforms, with the most significant single file containing a roster of 587,034 Joomla targets.
The true number of compromised sites was considerably lower, with the two research teams employing different methodologies in their assessments.
Ctrl-Alt-Intel’s deduplicated count identified 25,195 sites with confirmed breach evidence, meanwhile, SOCRadar, categorizing live webshells, set the current figure at over 5,700.
A notable discrepancy illustrates the divide: a Joomla vulnerability was aimed at more than 560,000 targets but successfully infiltrated merely 77 of them.
Being present on a target list does not equate to an actual compromise, a crucial distinction to maintain when confronted with alarming statistics.
The Tools of Trade and Prior Campaigns
The primary backdoor, designated down.php, was intricately obfuscated across four layers and is believed to be based on an open-source Chinese webshell known as BestShell.
Once operational, it possessed capabilities for file management, command execution, network scans, and identification of security software active on the host.
For remote access, the crew utilized a SNOWLIGHT dropper to deploy VShell—a stealthy backdoor that camouflages its process name as [kworker/0:2], blending indistinguishably with kernel threads in a process list.
These two tools trace back to prior incidents: in April 2025, Sysdig associated this SNOWLIGHT-to-VShell linkage with the suspected Chinese state group UNC5174.
Nevertheless, VShell is a widely used instrument within Chinese-speaking criminal circles, rendering its presence insufficient to assert a direct connection to state actors.
Additionally, remnants of an earlier, markedly different operation were also present on the server. SOCRadar uncovered that prior to the boisterous WordPress campaign, the same group executed a muted initiative in early May 2026, zeroing in on corporate Java systems.
They extracted 613 configuration files from 11 systems across nine sectors, including fintech, e-commerce, logistics, gaming, and electronics.
This trove encompassed cloud login credentials for AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean, as well as database passwords and Alipay RSA private keys.
The operation exploited a long-established bug in Nacos, a configuration server (CVE-2021-29441), allowing the assailant to bypass login by falsifying a solitary web header.
SOCRadar interprets this timeline as a strategic maneuver: harvesting high-value corporate credentials initially, followed by a pivot to a higher-volume backdoor operation, effectively a funding round prior to scaling up efforts.
Careless Tradecraft
Both teams express medium-to-high confidence regarding the operator’s可能性为 Chinese or Chinese-speaking. Indicators include the fluent Simplified Chinese embedded in code and command history, reliance on FOFA (which necessitates a Chinese phone number for registration), as well as the favored tooling of Godzilla and VShell in Chinese forums.
SOCRadar further posits that this crew is financially motivated rather than state-driven. Names listed in the files (tance, chen-kk, chenyk) are regarded as tenuous leads rather than definitive evidence.
A peculiar detail persists: a solitary IP address in Taiwan executed over 42,000 requests downloading the crew’s proprietary tools—potentially indicative of a secondary operator or simply a client.
Despite operating a genuinely effective toolchain, the crew exhibited a lack of precaution. They neglected to secure the server, maintained a FOFA configuration file within reach of law enforcement, and preserved an unfiltered command history detailing their operations.
Once they grew aware of being detected, between July 2 and July 4, they deleted a batch of log entries—three weeks too late.
This blunder is emblematic of similar missteps. In March 2026, the same research team apprehended Russia’s Fancy Bear (APT28) through a comparable oversight: a forgotten open directory inadvertently revealing the group’s phishing tools and logs, a campaign dubbed Operation Roundish by Hunt.io.
Taking Action

If you utilize any of the affected software, a prompt review is essential. These are not obscure vulnerabilities—two of them are presently exploited elsewhere.
- For WordPress and Joomla: promptly apply the patch for Breeze (CVE-2026-3844, rectified in 2.4.5) if the non-default “Host Files Locally – Gravatars” setting is enabled, as it was responsible for the majority of backdoors identified.
Address the Joomla JCE flaw (CVE-2026-48907, rectified in 2.9.99.5) as urgent, as it ranks as a maximum-severity threat on CISA’s actively exploited list, despite its minimal impact in this specific campaign. - Also for WordPress and Joomla: evaluate ThemeREX Addons (CVE-2026-1969), Simple File List (CVE-2020-36847), Custom CSS JS PHP (CVE-2026-6433), BerqWP (CVE-2025-7443), Ninja Forms uploads (CVE-2026-0740), WavePlayer (CVE-2025-12057), WPBookit (CVE-2025-7852), and WP File Manager (CVE-2020-25213).
Note that while both reports cite Simple File List under CVE-2025-34085, this is a now-rejected duplicate; the authentic ID is CVE-2020-36847. - Nacos: update to version 2.2.1 or newer and ensure that authentication is activated (nacos.core.auth.enabled=true). If your instance has been previously exposed, rotate all credentials within, not solely the evident ones.
- For XXL-Job and Spring Boot: ensure unauthenticated executor endpoints are closed and disable /actuator/heapdump in production systems.
- Investigate for backdoors: search for filename patterns linked to the crew’s webshells, such as .bd.php, .wp-log.php, and .brq-*.php. Subsequently, examine any ongoing processes named [kworker/X:Y].
An authentic kernel thread runs without its own executable, thus its /proc//exe will display nothing.
It lacks both a command line and network sockets. A [kworker] exhibiting any anomalies is a counterfeit. Block the recognized infrastructure: 137.175.93[.]126, 43.108.17[.]80, and the domain xs.xxooonline[.]eu[.]cc.
What elevates WP-SHELLSTORM’s significance is not its sophistication, but its ordinariness. The combination of public exploits, automated scanning, and an extensive target list was sufficient for large-scale compromises, all without reliance on unpatched zero-day vulnerabilities.
The particulars are public solely due to the group’s failure to secure their own server.
The Hacker News is currently pursuing additional insights from SOCRadar regarding their discoveries and will enhance this report with any subsequent feedback.
Source link: Thehackernews.com.




