WP-SHELLSTORM ran 22 days with its door left open
SOCRadar and Ctrl-Alt-Intel pulled 22 days of files off an exposed WP-SHELLSTORM server: 1.4M targets, 25K compromises, 5,700 live shells.
On June 11, SOCRadar found an open directory at 137.175.93[.]126 that belonged to whoever runs the mass website-compromise operation the firm has now named WP-SHELLSTORM. The independent researcher Ctrl-Alt-Intel had spotted the same server on Hunt.io’s open-directory platform around the same time and published a first writeup on June 22. The server stayed accessible for roughly twenty-two days before the operators took it offline between July 2 and 4. What they left behind is a fairly complete picture of a working mass-compromise operation — target lists, exploit tooling, activity logs, and a slice of successful shells — because someone on the crew started a Python HTTP server to move files around and never turned it off.
Analysis, not incident reporting. The compromise counts and TTPs below are sourced to SOCRadar’s July 9 writeup and Ctrl-Alt-Intel’s earlier one; the framing is commentary on what an unusually complete inside look at an operation of this shape is worth reading for.
The funnel
The most useful number in the leak is the ratio between what the crew was aiming at and what stuck. The total target list came in at about 1.4 million domains across WordPress, Joomla, and other CMS platforms; the single largest sub-list held 587,034 Joomla installations. Ctrl-Alt-Intel’s deduplicated review of the compromise evidence in the exposed files counted 25,195 confirmed takeovers. SOCRadar’s live-shell count — shells still calling home when the writeup went out — sat at about 5,700.
That is the shape of the operation from the outside. Roughly one and a half percent of the target list stuck. Less than half a percent of the target list was still working at the end. Most of the pipeline is misses. If you have ever wondered how much of the noise in your access logs converts into anything, this is a data point.
What was in the box
The tooling is almost aggressively unimpressive. The primary implant,
down.php, is a heavily obfuscated PHP webshell descended from the
Chinese-language BestShell family, a lineage common in mass-defacement work
for years. A second-stage backdoor called VShell is deployed onto some
compromised hosts through a dropper Sysdig has tracked as SNOWLIGHT since
April 2025; on those hosts VShell renames its
process to [kworker/0:2] so a busy ps output reads as normal kernel
workers. Neither of those is new tradecraft. The scanning stage runs
publicly known exploits against twenty-seven CVEs in WordPress and Joomla
plugins, all of them in versions whose maintainers have already shipped
fixes. Target lists were pulled from FOFA, the Chinese-language
internet-scanning search engine that requires a Chinese phone number to
register.
Attribution is soft on purpose. SOCRadar assesses Chinese-speaking, financially-motivated operators at medium-to-high confidence, on the strength of the FOFA account, the Chinese-language commentary in the shell code, and login names in the file listing — tance, chen-kk, chenyk — treated as loose leads rather than evidence. Sysdig’s earlier chain of SNOWLIGHT and VShell was linked to the suspected Chinese state group UNC5174, but VShell is common enough in Chinese-speaking criminal circles that shared tooling alone is not enough to move the assessment. This is a case where treating “state actor” and “criminal crew” as mutually exclusive categories is the wrong axis; the tooling ecosystem crosses that line every day.
Why the boring version is the useful one
Coverage of an open-directory find tends to lean on the drama of an
inside-look. The more useful reading here is the boredom of the contents.
The exploits are old. The webshells are old. The [kworker/0:2]
masquerade is old. The compromise ratio suggests spray-and-pray works
about the way spray-and-pray has always worked, which is fine for the
operator because their unit cost per attempted host is close to zero. The
5,700 live shells will not stay 5,700 for long — SOCRadar’s writeup will
feed detection lists and hosting-provider takedowns, and the operators
will spin up new infrastructure — but the operation itself will continue,
because the input side of the funnel has not changed.
The input side is where a defender has leverage. Every one of the twenty-seven CVEs the crew is scanning against has a patch. A Breeze caching plugin flaw (CVE-2026-3844) that produced roughly seventeen thousand successful hits from a forty-five-thousand-target list has a fix out. A Joomla JCE editor flaw (CVE-2026-48907) that CISA added to the KEV catalog produced only 77 hits out of over 560,000 attempts, because JCE users largely patched — a data point in favour of “public KEV listing changes the funnel.” The plugins that are still unpatched at meaningful scale are, mostly, the ones nobody remembers installing.
If you run a WordPress or Joomla site of any consequence, this is the week to reconcile your installed-plugin list against your patch cadence. Not because WP-SHELLSTORM is coming for you specifically — you were probably already on the 1.4-million list — but because whoever replaces WP-SHELLSTORM next month will be scanning against the same twenty-seven exploits until enough sites patch to make it worth their while to invest in a twenty-eighth.
Related coverage on 0dayNews:
- CISA’s KEV Joomla and Langflow additions — same catalogue effect, a different Joomla plugin.
- Ill Bloom is a $3.1M lesson in weak randomness, again — a different substrate, the same “known-for-decades” pattern.
- Dormant GitHub accounts help attackers blend in while mapping corporate orgs — another low-cost, high-volume input side.
Found this useful? Share it.


