Full Report
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as
Analysis Summary
# Incident Report: WP-SHELLSTORM Mass Website Compromise
## Executive Summary
The WP-SHELLSTORM operation was a large-scale cybercrime campaign focused on backdooring WordPress and Joomla sites for resale as access brokerage. The operation was exposed after attackers left a Python web server unsecured for 22 days, allowing researchers to discover a repository of 800MB of data, including exploit tools and target lists. While 1.4 million sites were identified as targets, validated compromises are estimated between 5,700 and 25,000 domains.
## Incident Details
- **Discovery Date:** June 11, 2026 (SOCRadar); June 22, 2026 (Ctrl-Alt-Intel)
- **Incident Date:** Active widespread activity May – July 2026
- **Affected Organization:** 1.4 million targeted domains (various owners)
- **Sector:** Cross-sector (primarily WordPress/Joomla users)
- **Geography:** Global targets; command server hosted in the US
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026 (Widespread automated scanning began)
- **Vector:** Exploitation of known vulnerabilities in CMS plugins (N-day flaws).
- **Details:** The crew used automated scanners and lists from FOFA to identify vulnerable plugins. The primary entry point was CVE-2026-3844 in the Breeze caching plugin.
### Lateral Movement
- **Details:** Once the initial webshell was uploaded, the crew utilized the `SNOWLIGHT` dropper to install `VShell`. This allowed for kernel-level process masquerading, network scanning, and potential movement into the internal host environment.
### Data Exfiltration/Impact
- **Details:** Thousands of sites were backdoored. The primary impact was the loss of server integrity and the exfiltration of 613 configuration files from corporate Java systems during an earlier, more targeted phase of the campaign.
### Detection & Response
- **Discovery:** An open directory was found on a US-based server (137.175.93[.]126) due to an operator error (leaving a Python web server running).
- **Response:** Security researchers (SOCRadar and Ctrl-Alt-Intel) analyzed the server contents and published findings to alert the cybersecurity community and affected webmasters.
## Attack Methodology
- **Initial Access:** Exploitation of public vulnerabilities (e.g., Breeze plugin, Joomla JCE editor).
- **Persistence:** Implementation of `down.php` (obfuscated BestShell derivative) and `VShell` backdoors.
- **Defense Evasion:** Use of four-layer obfuscation for PHP shells and process renaming (masquerading as `[kworker/0:2]`).
- **Discovery:** Mass reconnaissance of 1.4 million domains via FOFA search engine queries.
- **Lateral Movement:** Built-in network scanning capabilities within the `down.php` shell.
- **Collection:** Gathering configuration files and database credentials.
- **Impact:** Backdooring sites for resale on access brokerage markets.
## Impact Assessment
- **Data Breach:** Exposure of 800MB of internal operator data and over 600 corporate configuration files.
- **Operational:** Potential for third-party scripts to be injected into thousands of legitimate websites.
- **Reputational:** High impact for organizations found on verified compromise lists, indicating poor patch management.
## Indicators of Compromise
- **Network:** 137.175.93[.]126 (Attacker-controlled file server)
- **File:** `down.php` (Obfuscated webshell), `SNOWLIGHT` dropper, `VShell` backdoor.
- **Behavioral:** Unauthorized Python web servers running on unusual ports; kernel threads named `[kworker/0:2]` appearing suspicious in process lists.
## Response Actions
- **Containment:** Researchers monitored the open directory until it was secured.
- **Eradication:** Affected site owners were encouraged to scan for and remove `down.php` and associated web-root backdoors.
- **Recovery:** Restoration of CMS environments from clean backups and mandatory patching of plugins.
## Lessons Learned
- **Operational Security (OPSEC) Failures:** Even sophisticated actors can be compromised by simple configuration errors (e.g., leaving a transfer server open).
- **Patch Timing:** The campaign successfully targeted "N-day" vulnerabilities, proving that attackers move quickly once a bug is made public.
- **Volume vs. Success:** A massive target list (1.4M) does not equate to a 1:1 success rate, as secondary configuration requirements (like those in the Breeze plugin) can mitigate mass exploitation.
## Recommendations
- **Plugin Management:** Immediately update or disable the Breeze caching plugin and Joomla JCE editor.
- **Hardening:** Disable "Host Files Locally" settings in plugins unless strictly necessary.
- **Audit:** Conduct regular scans of web directories for unauthorized `.php` files or obfuscated code.
- **Egress Monitoring:** Monitor for reverse shells or unusual outbound connections from web servers to unknown IP addresses.