An inadvertent operational blunder by a cybercriminal entity has afforded cybersecurity researchers a unique glimpse into the mechanisms behind large-scale website infiltrations.
Research conducted by SOCRadar revealed that a server belonging to a threat group identified as WP-SHELLSTORM was inadvertently left exposed to the internet for a duration of approximately three weeks.
Jacob Krell, senior director of secure AI solutions and cybersecurity at SuzuLabs, stated in correspondence with eSecurityPlanet, “WP-SHELLSTORM epitomizes industrialized cybercrime rendered visible due to someone neglecting to secure a Python SimpleHTTPServer directory for 22 days.”
He further remarked, “Numerous organizations typically evaluate their external vulnerabilities exclusively after a significant Common Vulnerabilities and Exposures publication or during scheduled vulnerability assessments.”
Key Takeaways from the Hack
- The exposed WP-SHELLSTORM server illuminated how attackers automated extensive compromises of WordPress websites by exploiting known vulnerabilities.
- The campaign primarily focused on outdated WordPress plugins and Joomla components instead of relying on zero-day exploits.
- Although over 1.4 million websites were enumerated on the attackers’ target lists, researchers affirmed that far fewer fell victim to the campaign.
- The disclosed infrastructure also shed light on a prior initiative that pilfered enterprise cloud credentials prior to transitioning to mass website backdooring.
How WP-SHELLSTORM Compromised WordPress Websites
WP-SHELLSTORM functioned as a webshell access brokerage, facilitating the wholesale compromise of websites before reselling access.
Their server housed approximately 800 MB of data, comprising exploit tools, webshells, target lists, activity logs, and command histories.
The exposed files elucidated the methodology employed by the group to infiltrate vulnerable websites, providing critical insight into a vast WordPress webshell operation.
Rather than deploying zero-day vulnerabilities, the group automated their assaults against known weaknesses in outdated WordPress plugins, thereby spotlighting significant security flaws within WordPress websites.
Known WordPress Vulnerabilities Fueled the Attacks
Researchers noted that the toolkit facilitated the exploitation of 27 known vulnerabilities, with a select few accounting for the majority of the activity. Notably, the most successful attack targeted the Breeze WordPress caching plugin (CVE-2026-3844), which was exploited across more than 45,000 websites.
The group’s internal logs indicated that over 17,000 webshells were deployed, rendering it one of the most extensive documented WordPress webshell assaults witnessed this year.
Breeze and Joomla Vulnerabilities Were Key Targets
However, researchers cautioned that the vulnerability specifically affects only Breeze installations where the non-default “Host Files Locally – Gravatars” option is activated, thus narrowing the pool of genuinely vulnerable websites.
Additionally, the attackers targeted CVE-2026-48907, a vulnerability within the Joomla JCE Editor.
Large Target Lists Did Not Equal Large-Scale Compromise
While the exposed data referenced over 1.4 million websites, researchers cautioned that this figure merely indicated scanning targets rather than confirmed victims.
One document cataloged more than 587,000 Joomla domains earmarked for scanning.
After filtering out duplicates and validating successful compromises, Ctrl-Alt-Intel estimated around 25,195 compromised websites, whereas SOCRadar identified more than 5,700 active webshells during their investigation.
Webshells Provided Persistent Access
Upon successfully compromising a vulnerable website during the WordPress webshell attack, the perpetrators installed an obfuscated webshell known as down.php, believed to be derived from the open-source Chinese webshell BestShell.
This backdoor granted attackers the capability to execute commands remotely, navigate files, capture credentials, establish reverse shells, and maneuver laterally within the compromised environment.
To bolster persistence, the operators deployed the SNOWLIGHT dropper to install VShell, a remote access tool masquerading as a legitimate Linux kernel worker process through designations such as [kworker/0:2].
Although VShell has been associated with campaigns attributed to suspected Chinese state actors, researchers emphasized that its use is also prevalent among Chinese-speaking cybercriminals, meaning its mere presence does not implicate state sponsorship.
Researchers Uncovered an Earlier Credential Theft Campaign
The exposed server also unveiled indications of a preceding campaign carried out prior to the large-scale WordPress webshell assault.
According to SOCRadar, the group initially targeted vulnerable Nacos configuration servers utilizing CVE-2021-29441, allowing them to bypass authentication and pilfer configuration data from organizations.
Researchers further retrieved cloud credentials for various services, including AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, along with database passwords and cryptographic keys.
SOCRadar posits that this progression implies the group initially harvested enterprise credentials before transitioning to a more expansive website backdooring campaign.
Operational Mistakes Exposed the Attackers
Despite wielding a sophisticated toolkit, the threat actors committed several operational security missteps.
The group left an unauthenticated Python web server exposed for 22 days, inadvertently revealing internal command histories, FOFA search configurations, exploit scripts, and infrastructure details.
Researchers noted attempts by the operators to eliminate portions of the logs upon realizing their exposure, yet these actions were ultimately too late.
Given the presence of Simplified Chinese within the files, the employment of FOFA, and the malware utilized, researchers assess with moderate to high confidence that the operators are either Chinese or Chinese-speaking.
However, SOCRadar argues that the campaign is primarily financially motivated rather than indicative of a government-sponsored endeavor.
How Organizations Can Reduce Risk
Organizations tasked with securing WordPress websites or Joomla environments ought to prioritize the installation of the latest security updates.

To mitigate the risk of analogous attacks:
- Patch WordPress, Joomla, and all plugins, targeting vulnerabilities known to be actively exploited according to recent findings.
- Remove or disable unused plugins, themes, and extensions to minimize the overall attack surface.
- Continuously monitor websites for unauthorized file modifications, suspicious webshells, and other signs indicative of a WordPress webshell attack.
- Investigate indicators of compromise, including suspicious files such as .bd.php, .wp-log.php, and .brq-*.php, as well as fraudulent [kworker] processes with executable paths or network connections.
- Rotate credentials and API keys if vulnerable systems, such as exposed Nacos servers, are suspected of compromise.
- Test incident response plans and conduct simulations addressing potential scenarios surrounding website compromises.
Collectively, these strategies can assist organizations in reducing overall exposure and cultivating resilience.
Source link: Techrepublic.com.




