A Cybercrime Error Unveils Large-Scale Website Compromise Tactics
A simple operational error made by a cybercrime group has given researchers insight into how websites are compromised on a large scale. According to a study by SOCRadar, an exposed server on the Internet belonging to a threat group tracked under the name WP-SHELLSTORM remained accessible to the public for approximately three weeks.
“WP-SHELLSTORM is industrialized cybercrime made visible because someone left a SimpleHTTPServer Python directory open without authentication for 22 days,” said Jacob Krell, senior director of secure AI solutions and cybersecurity at SuzuLabs, in an email to eSecurityPlanet. He added: “Many organizations still assess their external exposure only when a major entry on common vulnerabilities and exposures is published or during periodic vulnerability assessments.”
Key Takeaways from the Hack
- An exposed WP-SHELLSTORM server has revealed how attackers automated large-scale WordPress website compromises using known vulnerabilities.
- The campaign primarily targeted outdated WordPress plugins and Joomla components rather than relying on zero-day exploits.
- More than 1.4 million websites were on the attackers’ target lists, but researchers confirmed that far fewer were compromised.
- The exposed infrastructure also revealed an earlier campaign that stole credentials from the company’s cloud before moving on to massive backdooring of websites.
How WP-SHELLSTORM Compromised WordPress Websites
WP-SHELLSTORM functioned as a Webshell access broker, compromising websites in bulk before reselling access. Their server contained approximately 800 MB of data, including exploit tools, webshells, target lists, activity logs, and command histories. The exposed files revealed how the group compromised vulnerable websites, providing new insight into a large-scale WordPress webshell operation. Rather than using zero-day vulnerabilities, the group automated attacks against known flaws in outdated WordPress plugins, exposing weaknesses in WordPress site security.
Known WordPress Vulnerabilities Fueled Attacks
The researchers found that the toolkit allowed 27 known vulnerabilities to be exploited, although a small number accounted for the bulk of the activity. The most successful attack targeted the Breeze WordPress caching plugin (CVE-2026-3844), which the attackers launched against more than 45,000 websites.
According to the group’s own logs, more than 17,000 webshells were deployed, making this one of the largest documented WordPress webshell attacks seen this year.
Breeze and Joomla Vulnerabilities Were Key Targets
However, researchers noted that the vulnerability only affects Breeze installations in which the default “Host files locally – Gravatars” option is enabled, thus limiting the number of truly vulnerable websites. The attackers also targeted CVE-2026-48907, a vulnerability in Joomla JCE Editor.
Large Target Lists Did Not Equate to Large-Scale Compromise
The exposed data referenced more than 1.4 million websites, but researchers warned that this number represented scanning targets rather than confirmed victims. One file alone contained over 587,000 Joomla domains selected for analysis. After removing duplicates and validating successful compromises, Ctrl-Alt-Intel identified approximately 25,195 compromised websites, while SOCRadar observed more than 5,700 active webshells during its analysis.
Webshells Provided Persistent Access
Once the attackers successfully exploited a vulnerable website in the WordPress webshell attack, they installed an obfuscated webshell called down.php, which researchers believe was derived from the open-source Chinese webshell BestShell. The backdoor allowed attackers to execute remote commands, browse files, steal credentials, establish reverse shells, and move laterally within compromised environments.
For added persistence, operators deployed the SNOWLIGHT dropper to install VShell, a remote access tool that disguises itself as a legitimate Linux kernel worker process using names such as [kworker/0:2]. Although VShell appeared in campaigns linked to suspected Chinese state actors, researchers said it was also widely used by Chinese-speaking cybercriminals. As a result, its presence alone does not indicate nation-state involvement.
Researchers Uncovered a Previous Credential Theft Campaign
The exposed server also revealed evidence of an earlier campaign conducted before the launch of the large-scale WordPress webshell attack. According to SOCRadar, the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and steal configuration data from organizations. Researchers also recovered cloud credentials for AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, as well as database passwords and cryptographic keys. SOCRadar believes the footage suggests the group first collected company credentials before embarking on a higher-volume website backdoor campaign.
Operational Errors Revealed the Attackers
Despite using a sophisticated toolkit, the threat actors made several operational security errors. The group left an unauthenticated Python web server publicly available for 22 days, exposing internal command histories, FOFA search configurations, exploit scripts, and infrastructure details. The researchers also observed that the operators attempted to remove portions of the logs after making the exposure, but that this effort came too late. Based on the simplified Chinese found in the files, the use of FOFA, and the malware used, researchers assess with moderate to high confidence that the operators are Chinese or Chinese-speaking. However, SOCRadar believes that the campaign was financially motivated rather than linked to a government-sponsored operation.
How Organizations Can Reduce Risk
Organizations responsible for the security of WordPress websites or Joomla environments should prioritize installing the latest security updates. To reduce the risk of similar attacks:
- Patch WordPress, Joomla and all plugins prioritizing vulnerabilities known to be actively exploited based on research.
- Remove or deactivate unused plugins, themes and extensions to reduce your overall attack surface.
- Continuously monitor websites for unauthorized file changes, suspicious webshells and other indicators of a WordPress webshell attack.
- Looking for Indicators of Compromise, including suspicious files such as .bd.php, .wp-log.php and .brq-*.php, as well as fake [kworker] processes with executable paths or network connections.
- Rotating credentials and API keys if systems are vulnerable, such as exposed Nacos servers, may have been compromised.
- Test incident response plans and use simulations with scenarios around website compromise.
Collectively, these measures can help organizations reduce their overall exposure and build resilience.
Editor’s Note: This article was originally published on our sister publication, eSecurityPlanet.
For further reading, visit the original article Here.
“`

