Hacker Exploit Uncovers WP‑SHELLSTORM Backdoor Infecting Thousands of WordPress Sites

0
3

Key Takeaways

  • A cybercrime crew left a server exposed for three weeks, revealing webshells, exploit scripts, target lists (≈1.4 M domains) and internal logs.
  • The operation, dubbed WP‑SHELLSTORM, functions as a webshell access brokerage: it scans for vulnerable plugins, plants backdoors, and sells the access.
  • The most productive flaw was CVE‑2026‑3844 in the Breeze caching plugin (requires a non‑default “Host Files Locally – Gravatars” setting), yielding >17 k compromised sites out of 45 k scanned.
  • Confirmed compromises are far lower than the target list size: researchers found between ~5.7 k active webshells and ~25 k deduplicated compromised sites.
  • The crew used publicly known exploits, automated scanners pulling targets from FOFA, and a sophisticated, obfuscated webshell (down.php) plus a SNOWLIGHT‑to‑VShell dropper chain previously linked to suspected Chinese state activity.
  • Traces of an earlier, quieter campaign against corporate Java systems (Nacos CVE‑2021‑29441) showed the group first harvested high‑value cloud credentials before scaling to mass site hacking.
  • Sloppy tradecraft—open directory, unedited command history, FOFA config left behind—allowed researchers to reconstruct the whole operation.
  • Mitigations: patch Breeze, Joomla JCE, and other listed plugins; upgrade Nacos with authentication; disable unauthenticated executor endpoints; hunt for specific webshell filename patterns and impostor [kworker] processes; block known malicious IPs/domains.

Overview of the Exposure
In June 2026, threat‑intelligence teams from SOCRadar and Ctrl‑Alt‑Intel independently discovered an open directory on a US‑based rented server (IP 137.175.93[.]126) that had no password protection. The server had been running a simple Python web server for file transfers and remained accessible for 22 days. Inside the roughly 800 MB of data were 434 files containing webshells, exploit scripts, scan results, the operator’s command history, and command‑and‑control configurations. This inadvertent leak gave researchers a rare, inside‑look at how a large‑scale site‑hacking operation functions.


The WP‑SHELLSTORM Operation
The exposed material revealed a service SOCRadar labels a “webshell access brokerage.” The crew identifies vulnerable websites—primarily WordPress and Joomla installations—using known plugin flaws, uploads a hidden backdoor (a webshell) to each compromised site, and then bundles that access for resale to other criminals. The business model relies on volume: by automating exploitation across massive target lists, the group can generate a steady stream of sellable footholds without needing zero‑day exploits.


The Forgotten Server and Its Contents
The exposed folder held the core tools of the operation. Among them were exploit scripts targeting 27 known vulnerabilities, scan results harvested from FOFA (a Chinese search engine for internet‑connected systems analogous to Shodan), and a detailed command‑line history that showed exactly how the operator launched scans, uploaded webshells, and managed compromised hosts. Also present were configuration files for the crew’s own command‑and‑control infrastructure, giving investigators a map of the servers used to communicate with planted backdoors.


Toolkit and Exploits
The crew’s exploit kit focused on outdated plugins. The single most effective bug was CVE‑2026‑3844 in the Breeze caching plugin, which only works when the non‑default “Host Files Locally – Gravatars” option is enabled. Using this flaw, the crew fired at more than 45 000 targets and claimed to have backdoored over 17 000 sites. Other notable flaws included a Joomla JCE editor vulnerability (CVE‑2026‑48907) and several WordPress plugins such as Everest Forms Pro, ThemeREX Addons, and WP File Manager. The kit covered 27 CVEs in total, but a handful accounted for the bulk of successful compromises.


Compromise Numbers: Targets vs. Actual Hits
The target lists disclosed in the leak named roughly 1.4 million domains across WordPress, Joomla, and other platforms. However, being on a scan list does not equate to being hacked. Ctrl‑Alt‑Intel’s deduplicated analysis found 25 195 sites with confirmed or validated compromise evidence, while SOCRadar, counting only active webshells observed at the time of discovery, estimated a live figure of 5 700‑plus compromised hosts. One illustrative example: a Joomla bug was aimed at more than 560 000 targets but succeeded on only 77 of them, underscoring the gap between exposure and actual breach.


Tooling and an Earlier Campaign
The primary webshell, named down.php, employed four layers of obfuscation and is derived from the open‑source Chinese webshell BestShell. It provides file management, command execution, reverse‑shell capabilities, network scanning, and security‑software detection. For persistent remote access, the crew used a SNOWLIGHT dropper to install VShell, a stealthy backdoor that masquerades as a kernel thread ([kworker/0:2]) in process listings. This SNOWLIGHT‑to‑VShell chain had previously been linked by Sysdig to the suspected Chinese state group UNC5174, although VShell itself is widely used in Chinese‑speaking criminal circles.

In addition to the mass‑site operation, the server contained artifacts from an earlier, low‑profile campaign in early May 2026 targeting corporate Java systems. The crew exploited CVE‑2021‑29441 in Nacos—a configuration server—to bypass authentication and exfiltrate 613 configuration files from 11 systems across nine companies (fintech, e‑commerce, logistics, gaming, electronics). The stolen data included cloud login keys (AWS, Alibaba Cloud, Oracle, Tencent, DigitalOcean), database passwords, and Alipay RSA private keys. SOCRadar interprets this as a two‑phase strategy: first harvest high‑value corporate credentials, then pivot weeks later to the higher‑volume, lower‑value webshell brokerage to monetize the access.


Sloppy Tradecraft Attributed to the Crew
Both research teams assess with medium‑to‑high confidence that the operator is Chinese or Chinese‑speaking, citing fluent Simplified Chinese in the code and command logs, reliance on FOFA (which requires a Chinese phone number for registration), and the use of Godzilla and VShell tooling prevalent in Chinese‑speaking forums. SOCRadar further characterizes the crew as financially motivated rather than state‑directed, treating names such as “tance,” “chen‑kk,” and “chenyk” as tentative leads. A notable loose end is a single IP address in Taiwan that made over 42 000 requests for the crew’s own tools—possibly a second operator, a customer, or another researcher.

Despite possessing a capable toolchain, the crew exhibited critical operational security failures: leaving the directory exposed, retaining a FOFA configuration file that could be traced via FOFA’s law‑enforcement channels, and preserving an unedited command history that laid out the entire operation. When the crew finally noticed the exposure (between July 2 and July 4, 2026), it attempted to delete some log lines—three weeks too late to prevent the leak. This mirrors a prior incident in‑similar mistake observed in March 2026 when SOCRadar caught Russia’s Fancy Bear (APT28) via an open directory that spilled phishing tools and logs (Hunt.io’s “Operation Roundish”).


Recommendations and Mitigations
Organizations running the affected software should act immediately:

  • WordPress & Joomla: Patch Breeze (CVE‑2026‑3844) to version 2.4.5 or later if the “Host Files Locally – Gravatars” setting is enabled. Treat the Joomla JCE flaw (CVE‑2026‑48907, fixed in 2.9.99.5) as urgent; it is a maximum‑severity flaw on CISA’s Known Exploited Vulnerabilities list.
  • Additional Plugins: Update or mitigate ThemeREX Addons (CVE‑2026‑1969), Simple File List (CVE‑2020‑36847), Custom CSS JS PHP (CVE‑2026‑6433), BerqWP (CVE‑2025‑7443), Ninja Forms uploads (CVE‑2026‑0740), WavePlayer (CVE‑2025‑12057), WPBookit (CVE‑2025‑7852), and WP File Manager (CVE‑2020‑25213). Note that Simple File List appears under both CVE‑2025‑34085 (now rejected) and the valid CVE‑2020‑36847.
  • Nacos: Upgrade to version 2.2.1 or later and enable authentication (nacos.core.auth.enabled=true). If the instance was ever exposed, rotate every credential stored therein—not just the obvious ones.
  • XXL‑Job & Spring Boot: Close unauthenticated executor endpoints and disable /actuator/heapdump in production.
  • Hunt for Backdoors: Search for the crew’s webshell filename patterns (.bd.php, .wp-log.php, .brq-*.php). Any process named [kworker/X:Y] that shows an executable path, command line, or network sockets is an impostor; legitimate kernel threads have none of these. Block the known malicious infrastructure: IPs 137.175.93[.]126, 43.108.17[.]80, and the domain xs.xxooonline[.]eu[.]cc.

Applying these patches and monitoring controls will significantly reduce the risk of falling victim to WP‑SHELLSTORM’s automated exploitation pipeline.


Conclusion
WP‑SHELLSTORM illustrates how a financially motivated cybercrime group can achieve substantial impact using nothing more than publicly known vulnerabilities, automated scanners, and massive target lists. The operation’s success hinged on volume rather than sophistication, and its downfall was a simple operational misstep: an unprotected server left online for three weeks. The incident serves as a stark reminder that even routine administrative oversights—such as forgetting to secure a temporary file‑sharing service—can expose an entire criminal ecosystem, giving defenders the intelligence needed to disrupt it. By patching the identified flaws, tightening exposed services, and actively hunting for the characteristic webshell artifacts, organizations can neutralize the threat before it scales.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here