A simple operational mistake by a cybercrime group has provided researchers with an inside look at how large-scale website compromises are conducted.
According to research from SOCRadar, an internet-exposed server belonging to a threat group tracked as WP-SHELLSTORM remained publicly accessible for approximately three weeks.
“WP-SHELLSTORM is industrialized cybercrime made visible because someone left a Python SimpleHTTPServer directory open without authentication for 22 days,” said Jacob Krell, senior director, secure AI solutions and cybersecurity at SuzuLabs, in an email to eSecurityPlanet.
He added, “Many organizations still assess their external exposure only when a major Common Vulnerabilities and Exposures entry is published or during periodic vulnerability assessments.”
- Key takeaways
- How WP-SHELLSTORM compromised WordPress websites
- Known WordPress vulnerabilities fueled the attacks
- Large target lists did not equal large-scale compromise
- Webshells provided persistent access
- Researchers uncovered an earlier credential theft campaign
- Operational mistakes exposed the attackers
- How organizations can reduce risk
- Bottom Line
Key takeaways
- An exposed WP-SHELLSTORM server revealed how attackers automated large-scale WordPress website compromises using known vulnerabilities.
- The campaign primarily targeted outdated WordPress plugins and Joomla components rather than relying on zero-day exploits.
- More than 1.4 million websites appeared on attacker target lists, but researchers confirmed that far fewer were successfully compromised.
- The exposed infrastructure also uncovered an earlier campaign that stole enterprise cloud credentials before shifting to mass website backdooring.
How WP-SHELLSTORM compromised WordPress websites
WP-SHELLSTORM operated as a webshell access brokerage, compromising websites in bulk before reselling access.
Their server contained roughly 800 MB of data, including exploit tools, webshells, target lists, activity logs, and command histories.
The exposed files revealed how the group compromised vulnerable websites, providing new insight into a large-scale WordPress webshell operation.
Rather than using zero-day vulnerabilities, the group automated attacks against known flaws in outdated WordPress plugins, exposing weaknesses in WordPress website security.
Known WordPress vulnerabilities fueled the attacks
Researchers found the toolkit supported exploitation of 27 known vulnerabilities, although a small number accounted for most of the activity.
The most successful attack targeted the Breeze WordPress caching plugin (CVE-2026-3844), which attackers launched against more than 45,000 websites.
According to the group’s own logs, more than 17,000 webshells were deployed, making it one of the largest documented WordPress webshell attacks observed this year.
Breeze and Joomla vulnerabilities were key targets
However, researchers noted that the vulnerability only affects Breeze installations where the non-default “Host Files Locally – Gravatars” option is enabled, limiting the number of truly vulnerable websites.
The attackers also heavily targeted CVE-2026-48907, which is a Joomla JCE Editor vulnerability.
Large target lists did not equal large-scale compromise
The exposed data referenced more than 1.4 million websites, but researchers cautioned that this number represented scanning targets rather than confirmed victims.
One file alone contained over 587,000 Joomla domains selected for scanning.
After removing duplicates and validating successful compromises, Ctrl-Alt-Intel identified approximately 25,195 compromised websites, while SOCRadar observed more than 5,700 active webshells during its analysis.
Webshells provided persistent access
Once attackers successfully exploited a vulnerable website during the WordPress webshell attack, they installed an obfuscated webshell called down.php, which researchers believe was derived from the open-source Chinese webshell BestShell.
The backdoor enabled attackers to execute commands remotely, browse files, steal credentials, establish reverse shells, and move laterally throughout compromised environments.
For additional persistence, the operators deployed the SNOWLIGHT dropper to install VShell, a remote access tool designed to disguise itself as a legitimate Linux kernel worker process by using names such as [kworker/0:2].
Although VShell has appeared in campaigns linked to suspected Chinese state actors, researchers said it is also widely used by Chinese-speaking cybercriminals.
As a result, its presence alone does not indicate nation-state involvement.
Researchers uncovered an earlier credential theft campaign
The exposed server also revealed evidence of an earlier campaign conducted before launching the large-scale WordPress webshell attack.
According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations.
Researchers also recovered cloud credentials for AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, along with database passwords and cryptographic keys.
SOCRadar believes the sequence suggests the group first harvested enterprise credentials before shifting toward the higher volume website backdooring campaign.
Operational mistakes exposed the attackers
Despite operating a sophisticated toolkit, the threat actors made several operational security errors.
The group left an unauthenticated Python web server publicly accessible for 22 days, exposing internal command histories, FOFA search configurations, exploit scripts, and infrastructure details.
Researchers also observed evidence that the operators attempted to delete portions of the logs after realizing the exposure, but the effort came too late.
Based on Simplified Chinese found throughout the files, the use of FOFA, and the malware employed, researchers assess with moderate to high confidence that the operators are Chinese or Chinese-speaking.
However, SOCRadar believes the campaign was financially motivated rather than linked to a government-sponsored operation.
How organizations can reduce risk
Organizations responsible for WordPress website security or Joomla environments should prioritize installing the latest security updates.
To reduce the risk of similar attacks:
- Patch WordPress, Joomla, and all plugins, prioritizing vulnerabilities known to be under active exploitation based on the research.
- Remove or disable unused plugins, themes, and extensions to reduce your overall attack surface.
- Continuously monitor websites for unauthorized file changes, suspicious webshells, and other indicators of a WordPress webshell attack.
- Hunt for indicators of compromise, including suspicious files such as .bd.php, .wp-log.php, and .brq-*.php, as well as fake [kworker] processes with executable paths or network connections.
- Rotate credentials and API keys if vulnerable systems, such as exposed Nacos servers, may have been compromised.
- Test incident response plans and use simulations with scenarios around website compromise.
Collectively, these measures can help organizations reduce overall exposure and build resilience.
Bottom Line
The WP-SHELLSTORM operation serves as another reminder that effective WordPress website security depends on consistently addressing known risks, not just responding to the latest threats.
As threat actors increasingly leverage AI to identify targets and scale attacks, automated exploitation of known vulnerabilities continues to fuel large-scale WordPress webshell campaigns.
Organizations can reduce risk by combining timely patching or virtual patching, continuous monitoring, tested incident response plans, and zero trust principles that help limit the blast radius of successful compromises.





