Cybercrime Crew’s Exposed Server Reveals Mass Webshell Operation Targeting 1.4 Million Sites
A cybercrime group, tracked as WP-SHELLSTORM, inadvertently exposed its operations for three weeks after leaving an unsecured server online. The incident, discovered by researchers at SOCRadar and Ctrl-Alt-Intel, provided an unprecedented look into a webshell access brokerage a scheme where attackers compromise websites en masse, install backdoors, and sell access to other criminals.
The Exposure
On June 11, 2026, SOCRadar identified an unprotected server (IP: 137.175.93[.]126) hosting 800MB of data, including:
- Hacking tools (exploit scripts, webshells)
- Activity logs (command histories, scan results)
- Target lists naming 1.4 million websites (WordPress, Joomla, and others)
- Command-and-control (C2) configurations
The server, rented in the U.S., was left open due to a Python web server left running for 22 days a simple but costly oversight. Ctrl-Alt-Intel independently analyzed the same directory, publishing findings on June 22, before SOCRadar’s July 9 report.
The Attack Method
The group exploited 27 known vulnerabilities, primarily in WordPress plugins, to deploy webshells small scripts granting remote control over compromised servers. Key flaws included:
- Breeze caching plugin (CVE-2026-3844) – Exploited against 45,000+ sites, successfully backdooring 17,000+ (only effective with a non-default setting enabled).
- Joomla JCE editor (CVE-2026-48907) – Targeted 560,000+ sites but only breached 77.
- Other WordPress plugins (e.g., ThemeREX Addons, Simple File List, WP File Manager).
The attackers used FOFA, a Chinese search engine for internet-connected systems, to build target lists. Their toolkit included:
- down.php – A heavily obfuscated webshell derived from BestShell (open-source Chinese malware).
- VShell – A stealthy backdoor disguised as a kernel process ([kworker/0:2]) to evade detection.
Compromise Scale
While the 1.4 million figure represents targets, not breaches, researchers confirmed:
- Ctrl-Alt-Intel: 25,195 sites with evidence of compromise.
- SOCRadar: 5,700+ active webshells.
Earlier Corporate Espionage Campaign
Before the WordPress spree, the same group ran a quieter operation in May 2026, targeting Java-based corporate systems via a Nacos configuration server flaw (CVE-2021-29441). They extracted:
- 613 configuration files from 11 systems across nine companies (fintech, e-commerce, logistics, gaming, electronics).
- Cloud credentials (AWS, Alibaba, Oracle, Tencent, DigitalOcean).
- Database passwords and Alipay RSA private keys.
SOCRadar suggests this was a "funding round" before scaling up the higher-volume webshell operation.
Attribution & Sloppy Tradecraft
Researchers assess with medium-to-high confidence that the group is Chinese or Chinese-speaking, citing:
- Simplified Chinese in code and command logs.
- Use of FOFA (requiring a Chinese phone number for registration).
- Tools like Godzilla and VShell, common in Chinese-speaking cybercrime forums.
Despite a sophisticated toolchain, the group made basic errors:
- Left the server unprotected for weeks.
- Exposed a FOFA config file, traceable via law enforcement.
- Failed to sanitize command histories, revealing the full operation.
When alerted, the group deleted log entries between July 2–4, but the damage was already done.
Broader Implications
WP-SHELLSTORM stands out not for its technical sophistication, but for its scale and opportunism. Using publicly known vulnerabilities and automated scanning, the group compromised thousands of sites without needing zero-days.
The incident mirrors a March 2026 exposure of Russia’s APT28 (Fancy Bear), where an open directory revealed phishing tools and logs. In both cases, human error not advanced hacking led to the unraveling of major cybercrime operations.
Source: https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
Oracle Security cybersecurity rating report: https://www.rankiteo.com/company/oracle-security
Joomla! cybersecurity rating report: https://www.rankiteo.com/company/joomla
Managed-WP. cybersecurity rating report: https://www.rankiteo.com/company/managed-wp
Wpmet cybersecurity rating report: https://www.rankiteo.com/company/wpmet
DigitalOcean cybersecurity rating report: https://www.rankiteo.com/company/digitalocean
Shield Security for WordPress cybersecurity rating report: https://www.rankiteo.com/company/theshieldsecurity
"id": "ORAJOOMANWPMDIGTHE1783693992",
"linkid": "oracle-security, joomla, managed-wp, wpmet, digitalocean, theshieldsecurity",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Technology',
'Retail',
'Logistics',
'Gaming',
'Electronics'],
'type': ['Fintech',
'E-commerce',
'Logistics',
'Gaming',
'Electronics']},
{'customers_affected': '1.4 million websites targeted, '
'25,195+ confirmed compromised',
'industry': ['Various'],
'type': 'Websites'}],
'attack_vector': ['Exploiting known vulnerabilities',
'Automated scanning',
'Webshell deployment'],
'data_breach': {'data_exfiltration': 'Yes (data sold on dark web implied)',
'file_types_exposed': ['Configuration files',
'Logs',
'Webshell scripts'],
'number_of_records_exposed': '613 configuration files from 11 '
'systems; 1.4 million websites '
'targeted',
'personally_identifiable_information': 'Likely (credentials '
'and private keys)',
'sensitivity_of_data': 'High (credentials, private keys, PII)',
'type_of_data_compromised': ['Configuration files',
'Cloud credentials',
'Database passwords',
'Alipay RSA private keys',
'Webshell access logs']},
'date_detected': '2026-06-11',
'date_publicly_disclosed': '2026-07-09',
'description': 'A cybercrime group, tracked as WP-SHELLSTORM, inadvertently '
'exposed its operations for three weeks after leaving an '
'unsecured server online. The incident revealed a webshell '
'access brokerage scheme where attackers compromised websites '
'en masse, installed backdoors, and sold access to other '
'criminals. The exposed server contained hacking tools, '
'activity logs, target lists of 1.4 million websites, and '
'command-and-control configurations.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected entities due to compromise '
'and data exposure',
'data_compromised': ['Configuration files',
'Cloud credentials (AWS, Alibaba, Oracle, '
'Tencent, DigitalOcean)',
'Database passwords',
'Alipay RSA private keys',
'Website backdoor access'],
'identity_theft_risk': 'High (due to exposure of PII and '
'credentials)',
'operational_impact': 'Mass compromise of websites for resale of '
'access; potential data exfiltration and '
'further attacks by buyers',
'payment_information_risk': 'High (Alipay RSA private keys '
'exposed)',
'systems_affected': ['WordPress sites (45,000+ targeted, 17,000+ '
'compromised)',
'Joomla sites (560,000+ targeted, 77 '
'compromised)',
'Java-based corporate systems (11 systems '
'across 9 companies)']},
'initial_access_broker': {'backdoors_established': '25,195+ sites with '
'webshells (down.php, '
'VShell)',
'data_sold_on_dark_web': 'Implied (webshell access '
'brokerage)',
'entry_point': ['Exploited vulnerabilities in '
'WordPress/Joomla plugins',
'Nacos configuration server flaw'],
'high_value_targets': ['Fintech',
'E-commerce',
'Logistics',
'Gaming',
'Electronics']},
'investigation_status': 'Ongoing (exposure discovered, but full scope of '
'compromise may still be unknown)',
'lessons_learned': 'Human error (unsecured server) led to exposure of a major '
'cybercrime operation. Basic security hygiene (e.g., '
'securing servers, sanitizing logs) is critical even for '
'sophisticated threat actors.',
'motivation': ['Financial gain',
'Cybercrime brokerage',
'Corporate espionage'],
'post_incident_analysis': {'corrective_actions': ['Secure servers and '
'restrict access',
'Sanitize logs and '
'operational data',
'Monitor for webshell '
'activity and unusual '
'processes'],
'root_causes': ['Unsecured server left online for '
'22 days',
'Failure to sanitize command '
'histories and logs',
'Reliance on known vulnerabilities '
'without zero-day exploits']},
'recommendations': ['Patch known vulnerabilities promptly, especially in '
'WordPress and Joomla plugins.',
'Monitor for webshell activity and unusual processes '
'(e.g., [kworker/0:2]).',
'Secure servers and sanitize logs to avoid exposure of '
'operational details.',
'Use threat intelligence to track webshell brokerage '
'groups like WP-SHELLSTORM.'],
'references': [{'date_accessed': '2026-07-09', 'source': 'SOCRadar'},
{'date_accessed': '2026-06-22', 'source': 'Ctrl-Alt-Intel'}],
'response': {'containment_measures': 'Group deleted log entries between July '
'2–4 after exposure was discovered',
'third_party_assistance': ['SOCRadar', 'Ctrl-Alt-Intel']},
'threat_actor': 'WP-SHELLSTORM',
'title': "WP-SHELLSTORM Cybercrime Group's Exposed Server Reveals Mass "
'Webshell Operation Targeting 1.4 Million Sites',
'type': ['Webshell Attack', 'Data Breach', 'Cybercrime Brokerage'],
'vulnerability_exploited': ['CVE-2026-3844 (Breeze caching plugin)',
'CVE-2026-48907 (Joomla JCE editor)',
'CVE-2021-29441 (Nacos configuration server)',
'ThemeREX Addons (WordPress)',
'Simple File List (WordPress)',
'WP File Manager (WordPress)']}