An exposed server left unsecured by a cybercriminal operation has revealed the inner workings of a large-scale website compromise campaign targeting more than 1.4 million websites. According to research published by SOCRadar and additional reporting by The Hacker News, the infrastructure belonged to an operation now tracked as WP-SHELLSTORM, which allegedly specialized in compromising vulnerable websites and selling persistent webshell access to other threat actors.
The exposed server reportedly remained accessible on the internet for approximately three weeks and contained around 800 MB of operational data, including exploit scripts, webshells, target lists, command histories, configuration files, and logs documenting the group’s activities.
More than 1.4 million websites targeted
Researchers found target lists containing more than 1.4 million domains spanning WordPress, Joomla, and other web platforms. However, researchers cautioned that appearing on a scan list does not mean a website was successfully compromised.
According to the research, confirmed compromises represented only a small fraction of the targeted websites. Ctrl-Alt-Intel reportedly identified evidence of approximately 25,000 successful compromises after deduplication, while SOCRadar observed more than 5,700 active webshell deployments during its analysis.
The campaign primarily targeted publicly known vulnerabilities rather than zero-day exploits, relying on automated scanning to identify vulnerable systems at scale.
WordPress and Joomla flaws heavily targeted
The exposed toolkit reportedly contained exploit code for 27 publicly disclosed vulnerabilities affecting WordPress plugins, Joomla extensions, and other web applications.
Among the most heavily abused vulnerabilities were:
CVE-2026-3844affecting the WordPress Breeze caching pluginCVE-2026-48907affecting Joomla’s JCE editorCVE-2026-3300affecting Everest Forms ProCVE-2026-1969affecting ThemeREX AddonsCVE-2020-36847affecting Simple File ListCVE-2026-0740affecting Ninja Forms uploads
Researchers said the Breeze vulnerability generated the largest number of successful compromises, although exploitation required a non-default configuration that limited the number of affected installations.
Operation functioned as a webshell access broker
Rather than deploying ransomware or stealing data directly, the operators allegedly focused on installing webshells that provided persistent remote access to compromised servers. That access could then be used to execute commands, browse files, upload additional malware, steal credentials, or be sold to other cybercriminals.
The primary webshell identified during the investigation was reportedly a heavily obfuscated variant derived from the open-source Chinese webshell BestShell. Researchers also observed the deployment of the VShell backdoor using the SNOWLIGHT dropper to establish longer-term persistence on compromised systems.
Exposed infrastructure revealed operational mistakes
According to SOCRadar, the attackers inadvertently exposed one of their own servers after launching a simple Python web server without authentication. The server reportedly remained publicly accessible for 22 days before portions of the logs were deleted.
The exposed files allegedly included exploit automation, operational logs, command history, command-and-control configuration files, and infrastructure details that allowed researchers to reconstruct the group’s workflow from vulnerability scanning through post-compromise access.
Researchers also identified evidence suggesting the same operators previously targeted corporate Java environments by exploiting CVE-2021-29441 in Nacos servers to obtain cloud credentials and configuration data before pivoting to broader website compromise activity.
Attribution remains cautious
Researchers assess with medium-to-high confidence that the operators are Chinese-speaking based on language observed throughout the tooling, operational artifacts, and their use of Chinese security tools and infrastructure. However, the report does not attribute the activity to any known state-sponsored threat group.
While tooling associated with previous campaigns linked to UNC5174 was observed, researchers noted that the presence of those tools alone is insufficient to attribute the operation to a nation-state actor.
Organizations urged to patch exposed software
The research recommends that organizations running WordPress, Joomla, Nacos, and other affected software immediately apply available security updates, review systems for unauthorized webshells, rotate exposed credentials where appropriate, and investigate any signs of compromise.
The findings underscore how large-scale website compromise campaigns increasingly rely on automating exploitation of known vulnerabilities rather than discovering new ones. In this case, researchers were only able to reconstruct the operation because the attackers inadvertently exposed their own infrastructure to the public.












