A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation’s inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites.
Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside.
The operation, now tracked as WP-SHELLSTORM, is what SOCRadar calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a “webshell”) on each, and packages that access for resale.
The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla’s JCE editor; skip to the checklist below if that’s you.
A forgotten server
Two teams dug into the same exposed folder. SOCRadar’s threat intelligence team spotted it on June 11, 2026, on a US-based rented server at 137.175.93[.]126 with no password on it at all. Inside was roughly 800MB across 434 files: webshells, exploit scripts, scan results, the operator’s typed command history, and command-and-control settings.
Ctrl-Alt-Intel had analyzed the same directory too, having found it on Hunt.io’s open-directory platform, and published on June 22, weeks before SOCRadar’s own July 9 writeup. The exposure came down to a basic slip: the operator started a simple Python web server to move files around and left it running for 22 days.
The crew took publicly known bugs in website plugins, most of them in WordPress, and built automated scanners to fire those exploits at massive target lists pulled from FOFA, a Chinese search engine for internet-connected systems, similar to Shodan.
Where a site ran a vulnerable version, the exploit could upload a webshell: a small script that lets the attacker run commands on the server from anywhere, read files, steal passwords, and move deeper into the network.
The toolkit covered 27 known flaws, though a handful did most of the work. The biggest producer was a bug in the Breeze caching plugin (CVE-2026-3844), which the crew fired at more than 45,000 targets and, by its own count, backdoored over 17,000 of them.
That one comes with a catch: it only works when a non-default “Host Files Locally – Gravatars” setting is switched on, so most Breeze installs were never exposed.
The numbers, in plain terms
The headline figure needs a caveat. The 1.4 million count is how many domains were on the target lists, not how many were broken into, and those lists spanned WordPress, Joomla, and other platforms. The single largest file was a list of 587,034 Joomla targets.
The number actually compromised was far smaller, and the two research teams measured it differently: Ctrl-Alt-Intel’s deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.
One flaw shows the gap plainly: a Joomla bug was fired at more than 560,000 targets but landed on only 77 of them.
Being on someone’s scan list is not the same as being hacked. Keep that in mind whenever a report leads with a frightening target number.
The tooling and an earlier campaign
The main backdoor, a file named down.php, was heavily obfuscated, four layers deep, and appears to be derived from an open-source Chinese webshell called BestShell. Once running, it could manage files, run commands, open reverse shells, scan the network, and check which security software the host was running.
For its own remote access, the crew used a SNOWLIGHT dropper to install VShell, a stealthy backdoor that disguises its process name as [kworker/0:2] to blend in with the kernel threads in a process list.
Those two tools have a history: in April 2025, Sysdig linked this SNOWLIGHT-to-VShell chain to the suspected Chinese state group UNC5174, activity THN covered at the time. VShell itself, though, is a common tool in Chinese-speaking criminal circles, so its presence alone doesn’t point to a state actor.
The server also held traces of an earlier, very different job. SOCRadar found that before the noisy WordPress spree, the same crew ran a quieter campaign in early May 2026 against corporate Java systems. It pulled 613 configuration files from 11 systems across nine companies in fintech, e-commerce, logistics, gaming, and electronics.
The haul included cloud login keys for AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean, database passwords, and Alipay RSA private keys. It leaned on an old, well-known bug in Nacos, a configuration server (CVE-2021-29441), that lets an attacker skip the login by faking a single web header.
SOCRadar reads the timing as a sequence: grab high-value corporate credentials first, then pivot weeks later to the higher-volume backdoor work, a funding round before scaling up.
Sloppy tradecraft
Both teams assess with medium-to-high confidence that the operator is Chinese or Chinese-speaking. They point to the fluent Simplified Chinese throughout the code and command history, the reliance on FOFA (which the researchers note needs a Chinese phone number to register), and the Godzilla and VShell tooling favored in Chinese-speaking forums.
SOCRadar goes a step further, reading the crew as financially motivated rather than state-directed. Names in the files (tance, chen-kk, chenyk) are treated as loose leads, not proof. One loose end stands out: a single IP address in Taiwan made more than 42,000 requests downloading the crew’s own tools. It could be a second operator, a customer, or another researcher. The logs cannot settle it.
For a group running a genuinely capable toolchain, the crew was careless. It left the server open, left a FOFA config file that FOFA can trace through its law-enforcement channel, and left an unedited command history that laid the whole thing out. When it finally noticed it had been spotted, sometime between July 2 and July 4, it deleted a batch of log lines. Three weeks too late.
The blunder is a familiar one. In March 2026, the same research shop caught Russia’s Fancy Bear (APT28) the same way: a forgotten open directory spilled the group’s phishing tools and logs, in a campaign Hunt.io called Operation Roundish.
What to do now
If you run any of the targeted software, check it today. These are not obscure bugs: two of them are under active exploitation elsewhere.
Wordfence tracked tens of thousands of blocked attacks against the Everest Forms Pro flaw (CVE-2026-3300) this spring, and the Joomla JCE bug (CVE-2026-48907) is a maximum-severity flaw CISA has added to its Known Exploited Vulnerabilities list.
- WordPress and Joomla, first: patch Breeze (CVE-2026-3844, fixed in 2.4.5) if the non-default “Host Files Locally – Gravatars” setting is on; it produced the most backdoors here. Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA’s actively-exploited list, even though it barely landed in this campaign.
- WordPress and Joomla, also check: ThemeREX Addons (CVE-2026-1969), Simple File List (CVE-2020-36847), Custom CSS JS PHP (CVE-2026-6433), BerqWP (CVE-2025-7443), Ninja Forms uploads (CVE-2026-0740), WavePlayer (CVE-2025-12057), WPBookit (CVE-2025-7852), and WP File Manager (CVE-2020-25213). Both reports list Simple File List under CVE-2025-34085, a now-rejected duplicate; the valid ID is CVE-2020-36847.
- Nacos: upgrade to 2.2.1 or later and turn authentication on (nacos.core.auth.enabled=true). If your instance was ever exposed, rotate every credential that lived in it, not just the obvious ones.
- XXL-Job and Spring Boot: close unauthenticated executor endpoints and disable /actuator/heapdump in production.
- Hunt for the backdoors: search for the crew’s webshell filename patterns, such as .bd.php, .wp-log.php, and .brq-*.php. Then check any process named [kworker/X:Y]. A real kernel thread runs no program of its own, so its /proc/
/exe points to nothing. It also has no command line and no network sockets. A [kworker] that shows any of these is an impostor. Block the known infrastructure: 137.175.93[.]126, 43.108.17[.]80, and the domain xs.xxooonline[.]eu[.]cc.
What makes WP-SHELLSTORM worth attention is not how advanced it is, but how ordinary. Public exploits, automated scanning, and a target list a million lines long were enough to compromise sites at scale, no zero-day required. The details are public only because the crew forgot to close its own server.
The Hacker News has reached out to SOCRadar for further details on their findings and will update this story with any response.