Exposed Server Reveals WP-SHELLSTORM Backdoored 25,000 WordPress Sites
A misconfigured hacker server exposed 22 days of logs revealing a webshell access-brokerage operation that compromised over 25,000 WordPress sites using 27 weaponized CVEs.
A misconfigured hacker server sat exposed for 22 days, inadvertently documenting a large-scale webshell operation that compromised over 25,000 WordPress sites. SOCRadar's threat intelligence team discovered the unsecured directory on June 11, 2026, finding approximately 800MB of files including webshells, exploit scripts, scan results, and command logs.
The operation, now tracked as WP-SHELLSTORM, represents what researchers call a "webshell access brokerage"—a crew that systematically compromises websites, plants hidden backdoors, and packages that access for resale to other threat actors.
How the Operation Was Exposed
The threat actors left a Python web server running at 137.175.93[.]126 on a US-based VPS without authentication. The exposed files included their complete operational toolkit: 27 CVE exploits, target lists covering 1.4 million domains, successful compromise logs, and bash history revealing their commands.
After researchers began documenting the exposure, the operators noticed on July 2 and attempted to cover their tracks. Access logs showed line counts dropping sharply as entries covering July 2-4 were deleted. But by then, three weeks of operational data had already been captured.
Scale of Compromise
Analysis of the exposed data revealed conflicting figures depending on how compromises were counted:
- Target lists contained approximately 1.4 million domains across WordPress, Joomla, and other CMS platforms
- Ctrl-Alt-Intel's deduplicated analysis found 25,195 sites with confirmed compromise evidence
- SOCRadar counted 5,700+ active webshells still functioning at discovery
The gap between targets scanned and actual compromises reflects typical conversion rates for automated exploitation. Most targets were either already patched, running unaffected configurations, or otherwise not vulnerable to the specific CVEs being exploited.
Primary Attack Vector: CVE-2026-3844
The Breeze caching plugin vulnerability proved the operation's most effective tool. According to the exposed logs, the crew fired at over 45,000 Breeze installations and successfully backdoored more than 17,000 of them.
The catch: CVE-2026-3844 only works when a non-default "Host Files Locally – Gravatars" setting is enabled. This explains the relatively modest conversion rate despite the large target list.
Other heavily exploited vulnerabilities included JCE Editor (CVE-2026-48907) targeting Joomla sites, Simple File List (CVE-2020-36847), and Nacos configuration server (CVE-2021-29441).
Webshell Deployment and Persistence
Successful exploits uploaded down.php, a heavily obfuscated webshell derived from the BestShell framework. The backdoor enables file management, command execution, and network reconnaissance—everything needed for an access broker to demonstrate control to potential buyers.
Researchers identified several indicators of compromise:
- Webshell filenames matching patterns:
.bd.php,.wp-log.php,.brq-*.php - Fake kernel processes:
[kworker/X:Y]showing actual network activity - Additional infrastructure at 43.108.17[.]80 and xs.xxooonline[.]eu[.]cc
Attribution and Operational Profile
Code comments in fluent Simplified Chinese and usage of FOFA (a Chinese network reconnaissance platform) led researchers to assess the operators as Chinese or Chinese-speaking. The operation showed sophisticated tooling combined with careless operational security—a common pattern where technical skill outpaces tradecraft discipline.
This incident parallels the ACSC warning about global CMS exploitation campaigns issued on July 9. Australian authorities noted that similar automated scanning operations are targeting WordPress and Joomla installations worldwide, with webshell deployment as the primary objective.
Recommendations for WordPress Administrators
- Update all plugins immediately, particularly Breeze (to 2.2.5+), JCE Editor, and Simple File List
- Search for webshell indicators including the filename patterns listed above
- Check for unfamiliar admin users that may have been created during compromise
- Review server processes for suspicious kernel-named processes with network activity
- Enable automatic plugin updates where operationally feasible
For organizations managing multiple WordPress sites, consider implementing a centralized patch management system and regular webshell scanning. See our malware defense guide for additional hardening recommendations.
The WP-SHELLSTORM exposure offers a rare window into how automated access-brokerage operations function at scale. The same techniques being used against WordPress are equally applicable to any CMS platform with exploitable plugins.
Related Articles
The Gentlemen Ransomware Gang Gets a Taste of Its Own Medicine
Internal database of #2 ransomware group leaked after 4VPS hosting breach exposes chat logs, affiliate rosters, and operational playbooks from 400+ attacks.
May 17, 2026Exposed SystemBC Server Reveals 1,570+ Hidden Ransomware Victims
Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.
Apr 23, 2026Attackers Mapped 91,000+ AI Endpoints in Mass Recon Campaign
GreyNoise honeypot data reveals coordinated reconnaissance of LLM infrastructure including OpenAI, Claude, and Ollama deployments over 11 days.
Jan 14, 2026Ransomware Groups to Watch in 2025-2026
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
Jan 10, 2026