Ethical Hacking News
A sophisticated webshell access brokerage operation, dubbed WP-SHELLSTORM, has been exposed after a rented server was left open on the internet for three weeks. The attackers, who appear to be Chinese-speaking, have been using publicly known bugs in website plugins to launch targeted attacks on unsuspecting victims, compromising over 17,000 sites. This operation is notable for its brazen disregard for security protocols and its use of automated scanning tools to breach a large number of targets. Experts are urging organizations to patch vulnerable software and take steps to secure their systems against potential exploitation.
WP-SHELLSTORM is a webshell access brokerage operation that has been making headlines with its audacious tactics and brazen disregard for security protocols. A server rented by the attackers was left open on the internet for three weeks, broadcasting the inner workings of a sophisticated cybercrime crew. The attackers used publicly known bugs in website plugins, primarily WordPress and Joomla, to launch targeted attacks on unsuspecting victims, exploiting 27 known flaws. Over 17,000 sites were ultimately compromised, with the most prolific vulnerability being the Breeze caching plugin (CVE-2026-3844). The attacks appear to be highly automated and utilize tools and techniques commonly employed in Chinese-speaking criminal circles. Researchers have analyzed the exposed server data, revealing details about an earlier campaign against corporate Java systems. The attackers managed to pull configuration files from 11 systems, including cloud login keys for major services. The blunder made by the attackers serves as a stark reminder of the importance of cybersecurity best practices. Experts warn that organizations should patch Breeze (CVE-2026-3844) and upgrade Nacos to 2.2.1 or later with authentication enabled.
The world of cybercrime is a vast and ever-evolving realm, where threat actors continually push the boundaries of innovation and sophistication. In recent days, a new player has emerged in this landscape, one that has been making headlines with its audacious tactics and brazen disregard for security protocols. Meet WP-SHELLSTORM, a webshell access brokerage operation that has left cybersecurity experts scrambling to understand the scope of its activities.
At the heart of this operation lies a server exposed on the internet for three weeks, unwittingly broadcasting the inner workings of a sophisticated cybercrime crew. The server, which was rented by the attackers, contained a treasure trove of information, including hacking tools, activity logs, and target lists naming over 1.4 million websites. This cache of data was made available through the use of a Python web server, left running for an extended period.
The implications of this exposure are significant. The attackers, who appear to be Chinese-speaking, have been using publicly known bugs in website plugins, primarily WordPress and Joomla, to launch targeted attacks on unsuspecting victims. By leveraging these vulnerabilities, they were able to exploit a total of 27 known flaws, with the most prolific one being the Breeze caching plugin (CVE-2026-3844).
This particular vulnerability was used to upload webshells onto more than 45,000 targets, with over 17,000 sites ultimately compromised. However, it's essential to note that this number is not representative of all websites on the target list, as many were never exposed due to a specific configuration setting.
The attacks, which are being described as a mass site-hacking operation, appear to be highly automated, utilizing tools and techniques commonly employed in Chinese-speaking criminal circles. The attackers have also been known to use SNOWLIGHT droppers to install VShell, a stealthy backdoor that disguises its process name as [kworker/0:2] to blend in with kernel threads.
Researchers from SOCRadar and Ctrl-Alt-Intel have been analyzing the exposed server data, which has revealed details about an earlier campaign against corporate Java systems. This operation, carried out in early May 2026, targeted systems across nine companies in various sectors, including fintech, e-commerce, logistics, gaming, and electronics.
The attackers managed to pull configuration files from 11 systems, including cloud login keys for AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean. They also obtained database passwords and Alipay RSA private keys, highlighting the potential for significant financial gain.
While some researchers have expressed confidence that the operator is Chinese or Chinese-speaking, others point to a different narrative. A closer examination of the code and command history reveals fluent Simplified Chinese throughout, which could be indicative of a financially motivated operation rather than one driven by state interests.
The blunder made by the attackers, leaving their server open for three weeks, serves as a stark reminder of the importance of cybersecurity best practices. The exposure of this data has sparked a flurry of warnings and advice from experts, with many emphasizing the need to patch Breeze (CVE-2026-3844) if the non-default "Host Files Locally – Gravatars" setting is enabled.
In addition to WordPress and Joomla, other plugins and software should be checked for vulnerabilities, including ThemeREX Addons, Simple File List, Custom CSS JS PHP, BerqWP, Ninja Forms uploads, WavePlayer, WPBookit, and WP File Manager. The use of Nacos should also be upgraded to 2.2.1 or later, with authentication enabled.
As the cybersecurity landscape continues to evolve, it is essential for organizations to remain vigilant and proactive in their defense against cyber threats. By staying informed about emerging vulnerabilities and taking steps to secure their systems, individuals can significantly reduce the risk of being targeted by operations like WP-SHELLSTORM.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Shadows-Unveiling-the-WP-SHELLSTORM-Cybercrime-Operation-ehn.shtml
https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
https://news.backbox.org/2026/07/10/exposed-hacker-server-reveals-wp-shellstorm-backdooring-thousands-of-wordpress-sites/
https://nvd.nist.gov/vuln/detail/CVE-2026-3844
https://www.cvedetails.com/cve/CVE-2026-3844/
Published: Fri Jul 10 07:25:27 2026 by llama3.2 3B Q4_K_M