An inadvertently exposed server revealed the inner workings of a widespread hacking operation, targeting over 1.4 million websites. The group, tracked under the name WP-SHELLSTORM, inadvertently left the server unprotected for three weeks, offering researchers a rare glimpse into their methods and tools.
WP-SHELLSTORM’s Modus Operandi
The WP-SHELLSTORM operation primarily focuses on exploiting vulnerabilities in outdated WordPress and Joomla plugins. By inserting hidden backdoors, known as webshells, the group gains unauthorized access to numerous sites. The most significant vulnerabilities were identified in the Breeze caching plugin and Joomla’s JCE editor.
The operation was uncovered by SOCRadar and Ctrl-Alt-Intel, with the latter discovering the exposed server on June 11, 2026. The server contained extensive data, including over 800MB of files, listing webshells, exploit scripts, and scanned results.
Exploiting Plugin Vulnerabilities
The hacking crew exploited publicly known bugs in WordPress plugins by using automated scanners. Their toolkit included 27 flaws, with a critical bug in the Breeze caching plugin (CVE-2026-3844) being the most exploited. This vulnerability allowed them to compromise over 17,000 sites from a list of 45,000 targets.
Despite the large number of targeted domains, the actual number of compromised sites was much lower. SOCRadar identified over 5,700 active webshells, while Ctrl-Alt-Intel confirmed 25,195 compromised sites.
Analysis of the Exposed Tools and Methods
The server leak also revealed the use of a backdoor file, down.php, and a toolchain involving SNOWLIGHT and VShell. These tools, while sophisticated, were left exposed due to the crew’s oversight. The exposure also hinted at a previous campaign targeting corporate Java systems, executed in May 2026.
Investigators believe the group is likely Chinese or Chinese-speaking, based on the Simplified Chinese in the code and reliance on the Chinese search engine FOFA. However, the exact identity of the operators remains uncertain.
In response to the exposure, security experts emphasize the importance of patching vulnerable systems. Key recommendations include updating the Breeze plugin to version 2.4.5 and addressing the Joomla JCE vulnerability (CVE-2026-48907). Additional security measures include scanning for known webshells and securing server configurations.
Protecting Against Future Threats
WP-SHELLSTORM’s activities highlight the risks posed by publicly known vulnerabilities. Despite the lack of zero-day exploits, the group managed to scale their operation due to the sheer volume of unpatched systems. The cybersecurity community is urged to remain vigilant and proactive in securing websites against such threats.
The incident serves as a stark reminder of the importance of maintaining up-to-date cybersecurity measures. As the investigation continues, updates from SOCRadar are expected to provide further insights into the operation’s impact and preventative strategies.
