Skip to content
feed: live
>_ 0dayNews
threat intel
Analysis

WP-SHELLSTORM ran 22 days with its door left open

SOCRadar and Ctrl-Alt-Intel pulled 22 days of files off an exposed WP-SHELLSTORM server: 1.4M targets, 25K compromises, 5,700 live shells.

WP-SHELLSTORM ran 22 days with its door left open
Image: 0dayNews / 0dayNews Editorial · All rights reserved
kilobaud Dave "Kilobaud" Ferris · Published · 4 min read

On June 11, SOCRadar found an open directory at 137.175.93[.]126 that belonged to whoever runs the mass website-compromise operation the firm has now named WP-SHELLSTORM. The independent researcher Ctrl-Alt-Intel had spotted the same server on Hunt.io’s open-directory platform around the same time and published a first writeup on June 22. The server stayed accessible for roughly twenty-two days before the operators took it offline between July 2 and 4. What they left behind is a fairly complete picture of a working mass-compromise operation — target lists, exploit tooling, activity logs, and a slice of successful shells — because someone on the crew started a Python HTTP server to move files around and never turned it off.

Analysis, not incident reporting. The compromise counts and TTPs below are sourced to SOCRadar’s July 9 writeup and Ctrl-Alt-Intel’s earlier one; the framing is commentary on what an unusually complete inside look at an operation of this shape is worth reading for.

The funnel

The most useful number in the leak is the ratio between what the crew was aiming at and what stuck. The total target list came in at about 1.4 million domains across WordPress, Joomla, and other CMS platforms; the single largest sub-list held 587,034 Joomla installations. Ctrl-Alt-Intel’s deduplicated review of the compromise evidence in the exposed files counted 25,195 confirmed takeovers. SOCRadar’s live-shell count — shells still calling home when the writeup went out — sat at about 5,700.

That is the shape of the operation from the outside. Roughly one and a half percent of the target list stuck. Less than half a percent of the target list was still working at the end. Most of the pipeline is misses. If you have ever wondered how much of the noise in your access logs converts into anything, this is a data point.

What was in the box

The tooling is almost aggressively unimpressive. The primary implant, down.php, is a heavily obfuscated PHP webshell descended from the Chinese-language BestShell family, a lineage common in mass-defacement work for years. A second-stage backdoor called VShell is deployed onto some compromised hosts through a dropper Sysdig has tracked as SNOWLIGHT since April 2025; on those hosts VShell renames its process to [kworker/0:2] so a busy ps output reads as normal kernel workers. Neither of those is new tradecraft. The scanning stage runs publicly known exploits against twenty-seven CVEs in WordPress and Joomla plugins, all of them in versions whose maintainers have already shipped fixes. Target lists were pulled from FOFA, the Chinese-language internet-scanning search engine that requires a Chinese phone number to register.

Attribution is soft on purpose. SOCRadar assesses Chinese-speaking, financially-motivated operators at medium-to-high confidence, on the strength of the FOFA account, the Chinese-language commentary in the shell code, and login names in the file listing — tance, chen-kk, chenyk — treated as loose leads rather than evidence. Sysdig’s earlier chain of SNOWLIGHT and VShell was linked to the suspected Chinese state group UNC5174, but VShell is common enough in Chinese-speaking criminal circles that shared tooling alone is not enough to move the assessment. This is a case where treating “state actor” and “criminal crew” as mutually exclusive categories is the wrong axis; the tooling ecosystem crosses that line every day.

Why the boring version is the useful one

Coverage of an open-directory find tends to lean on the drama of an inside-look. The more useful reading here is the boredom of the contents. The exploits are old. The webshells are old. The [kworker/0:2] masquerade is old. The compromise ratio suggests spray-and-pray works about the way spray-and-pray has always worked, which is fine for the operator because their unit cost per attempted host is close to zero. The 5,700 live shells will not stay 5,700 for long — SOCRadar’s writeup will feed detection lists and hosting-provider takedowns, and the operators will spin up new infrastructure — but the operation itself will continue, because the input side of the funnel has not changed.

The input side is where a defender has leverage. Every one of the twenty-seven CVEs the crew is scanning against has a patch. A Breeze caching plugin flaw (CVE-2026-3844) that produced roughly seventeen thousand successful hits from a forty-five-thousand-target list has a fix out. A Joomla JCE editor flaw (CVE-2026-48907) that CISA added to the KEV catalog produced only 77 hits out of over 560,000 attempts, because JCE users largely patched — a data point in favour of “public KEV listing changes the funnel.” The plugins that are still unpatched at meaningful scale are, mostly, the ones nobody remembers installing.

If you run a WordPress or Joomla site of any consequence, this is the week to reconcile your installed-plugin list against your patch cadence. Not because WP-SHELLSTORM is coming for you specifically — you were probably already on the 1.4-million list — but because whoever replaces WP-SHELLSTORM next month will be scanning against the same twenty-seven exploits until enough sites patch to make it worth their while to invest in a twenty-eighth.


Related coverage on 0dayNews:

Found this useful? Share it.