LAST UPDATED Loading...

Researchers Expose Infrastructure Behind WP-SHELLSTORM Webshell Campaign

An exposed attacker server gave researchers a rare look inside WP-SHELLSTORM, a large-scale operation that allegedly compromised thousands of WordPress and Joomla websites.
Illustration depicting a Linux terminal on an exposed server displaying directories, target lists, and logs associated with a large-scale webshell operation, with server racks visible in the background to represent the infrastructure behind the WP-SHELLSTORM campaign.

An exposed server left unsecured by a cybercriminal operation has revealed the inner workings of a large-scale website compromise campaign targeting more than 1.4 million websites. According to research published by SOCRadar and additional reporting by The Hacker News, the infrastructure belonged to an operation now tracked as WP-SHELLSTORM, which allegedly specialized in compromising vulnerable websites and selling persistent webshell access to other threat actors.

The exposed server reportedly remained accessible on the internet for approximately three weeks and contained around 800 MB of operational data, including exploit scripts, webshells, target lists, command histories, configuration files, and logs documenting the group’s activities.

More than 1.4 million websites targeted

Researchers found target lists containing more than 1.4 million domains spanning WordPress, Joomla, and other web platforms. However, researchers cautioned that appearing on a scan list does not mean a website was successfully compromised.

According to the research, confirmed compromises represented only a small fraction of the targeted websites. Ctrl-Alt-Intel reportedly identified evidence of approximately 25,000 successful compromises after deduplication, while SOCRadar observed more than 5,700 active webshell deployments during its analysis.

The campaign primarily targeted publicly known vulnerabilities rather than zero-day exploits, relying on automated scanning to identify vulnerable systems at scale.

WordPress and Joomla flaws heavily targeted

The exposed toolkit reportedly contained exploit code for 27 publicly disclosed vulnerabilities affecting WordPress plugins, Joomla extensions, and other web applications.

Among the most heavily abused vulnerabilities were:

  • CVE-2026-3844 affecting the WordPress Breeze caching plugin
  • CVE-2026-48907 affecting Joomla’s JCE editor
  • CVE-2026-3300 affecting Everest Forms Pro
  • CVE-2026-1969 affecting ThemeREX Addons
  • CVE-2020-36847 affecting Simple File List
  • CVE-2026-0740 affecting Ninja Forms uploads

Researchers said the Breeze vulnerability generated the largest number of successful compromises, although exploitation required a non-default configuration that limited the number of affected installations.

Operation functioned as a webshell access broker

Rather than deploying ransomware or stealing data directly, the operators allegedly focused on installing webshells that provided persistent remote access to compromised servers. That access could then be used to execute commands, browse files, upload additional malware, steal credentials, or be sold to other cybercriminals.

The primary webshell identified during the investigation was reportedly a heavily obfuscated variant derived from the open-source Chinese webshell BestShell. Researchers also observed the deployment of the VShell backdoor using the SNOWLIGHT dropper to establish longer-term persistence on compromised systems.

Exposed infrastructure revealed operational mistakes

According to SOCRadar, the attackers inadvertently exposed one of their own servers after launching a simple Python web server without authentication. The server reportedly remained publicly accessible for 22 days before portions of the logs were deleted.

The exposed files allegedly included exploit automation, operational logs, command history, command-and-control configuration files, and infrastructure details that allowed researchers to reconstruct the group’s workflow from vulnerability scanning through post-compromise access.

Researchers also identified evidence suggesting the same operators previously targeted corporate Java environments by exploiting CVE-2021-29441 in Nacos servers to obtain cloud credentials and configuration data before pivoting to broader website compromise activity.

Attribution remains cautious

Researchers assess with medium-to-high confidence that the operators are Chinese-speaking based on language observed throughout the tooling, operational artifacts, and their use of Chinese security tools and infrastructure. However, the report does not attribute the activity to any known state-sponsored threat group.

While tooling associated with previous campaigns linked to UNC5174 was observed, researchers noted that the presence of those tools alone is insufficient to attribute the operation to a nation-state actor.

Organizations urged to patch exposed software

The research recommends that organizations running WordPress, Joomla, Nacos, and other affected software immediately apply available security updates, review systems for unauthorized webshells, rotate exposed credentials where appropriate, and investigate any signs of compromise.

The findings underscore how large-scale website compromise campaigns increasingly rely on automating exploitation of known vulnerabilities rather than discovering new ones. In this case, researchers were only able to reconstruct the operation because the attackers inadvertently exposed their own infrastructure to the public.

X
LinkedIn
Reddit
Telegram
WhatsApp
Threads
Facebook
Email
Print
Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map