{"id":241997,"date":"2026-07-10T07:30:00","date_gmt":"2026-07-10T11:30:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/10\/exposed-hacker-server-reveals-wp-shellstorm-backdooring-thousands-of-wordpress-sites\/"},"modified":"2026-07-10T09:05:08","modified_gmt":"2026-07-10T13:05:08","slug":"exposed-hacker-server-reveals-wp-shellstorm-backdooring-thousands-of-wordpress-sites","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/10\/exposed-hacker-server-reveals-wp-shellstorm-backdooring-thousands-of-wordpress-sites\/","title":{"rendered":"Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/exposed-hacker-server-reveals-wp.html\">Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/07\/exposed-hacker-server-reveals-wp.html\">https:\/\/thehackernews.com\/2026\/07\/exposed-hacker-server-reveals-wp.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-10 07:30:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\nA cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation&#8217;s inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites.<\/p>\n<p>Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside.<\/p>\n<p>The operation, now tracked as WP-SHELLSTORM, is what\u00a0SOCRadar\u00a0calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a &#8220;webshell&#8221;) on each, and packages that access for resale.<\/p>\n<p>The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla&#8217;s JCE editor; skip to the checklist below if that&#8217;s\u00a0you.<\/p>\n<p>A forgotten server<\/p>\n<p>Two teams dug into the same exposed folder. SOCRadar&#8217;s threat intelligence team spotted it on June 11, 2026, on a US-based rented server at\u00a0137.175.93[.]126\u00a0with no password on it at all. Inside was roughly 800MB across 434 files: webshells, exploit scripts, scan results, the operator&#8217;s typed command history, and command-and-control settings.<\/p>\n<p>Ctrl-Alt-Intel\u00a0had analyzed the same directory too, having found it on Hunt.io&#8217;s open-directory platform, and published on June 22, weeks before SOCRadar&#8217;s own July 9 writeup. The exposure came down to a basic slip: the operator started a simple Python web server to move files around and left it running for 22 days.<\/p>\n<p>The crew took publicly known bugs in website plugins, most of them in WordPress, and built automated scanners to fire those exploits at massive target lists pulled from FOFA, a Chinese search engine for internet-connected systems, similar to Shodan.<\/p>\n<p>Where a site ran a vulnerable version, the exploit could upload a webshell: a small script that lets the attacker run commands on the server from anywhere, read files, steal passwords, and move deeper into the network.<\/p>\n<p>The toolkit covered 27 known flaws, though a handful did most of the work. The biggest producer was a bug in the Breeze caching plugin (CVE-2026-3844), which the crew fired at more than 45,000 targets and, by its own count, backdoored over 17,000 of them.<\/p>\n<p>That one comes with a catch: it only works when a non-default &#8220;Host Files Locally \u2013 Gravatars&#8221; setting is switched on, so most Breeze installs were never exposed.<\/p>\n<p>The numbers, in plain terms<\/p>\n<p>The headline figure needs a caveat. The 1.4 million count is how many domains were on the target lists, not how many were broken into, and those lists spanned WordPress, Joomla, and other platforms. The single largest file was a list of 587,034 Joomla targets.<\/p>\n<p>The number actually compromised was far smaller, and the two research teams measured it differently: Ctrl-Alt-Intel&#8217;s deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.<\/p>\n<p>One flaw shows the gap plainly: a Joomla bug was fired at more than 560,000 targets but landed on only 77 of them.<\/p>\n<p>Being on someone&#8217;s scan list is not the same as being hacked. Keep that in mind whenever a report leads with a frightening target number.<\/p>\n<p>The tooling and an earlier campaign<\/p>\n<p>The main backdoor, a file named\u00a0down.php, was heavily obfuscated, four layers deep, and appears to be derived from an open-source Chinese webshell called BestShell. Once running, it could manage files, run commands, open reverse shells, scan the network, and check which security software the host was running.<\/p>\n<p>For its own remote access, the crew used a SNOWLIGHT dropper to install VShell, a stealthy backdoor that disguises its process name as\u00a0[kworker\/0:2]\u00a0to blend in with the kernel threads in a process list.<\/p>\n<p>Those two tools have a history: in April 2025,\u00a0Sysdig\u00a0linked this SNOWLIGHT-to-VShell chain to the suspected Chinese state group UNC5174, activity\u00a0THN covered at the time. VShell itself, though, is a common tool in Chinese-speaking criminal circles, so its presence alone doesn&#8217;t point to a state actor.<\/p>\n<p>The server also held traces of an earlier, very different job. SOCRadar found that before the noisy WordPress spree, the same crew ran a quieter campaign in early May 2026 against corporate Java systems. It pulled 613 configuration files from 11 systems across nine companies in fintech, e-commerce, logistics, gaming, and electronics.<\/p>\n<p>The haul included cloud login keys for AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean, database passwords, and Alipay RSA private keys. It leaned on an old, well-known bug in Nacos, a configuration server (CVE-2021-29441), that lets an attacker skip the login by faking a single web header.<\/p>\n<p>SOCRadar reads the timing as a sequence: grab high-value corporate credentials first, then pivot weeks later to the higher-volume backdoor work, a funding round before scaling\u00a0up.<\/p>\n<p>Sloppy tradecraft<\/p>\n<p>Both teams assess with medium-to-high confidence that the operator is Chinese or Chinese-speaking. They point to the fluent Simplified Chinese throughout the code and command history, the reliance on FOFA (which the researchers note needs a Chinese phone number to register), and the Godzilla and VShell tooling favored in Chinese-speaking forums.<\/p>\n<p>SOCRadar goes a step further, reading the crew as financially motivated rather than state-directed. Names in the files (tance,\u00a0chen-kk,\u00a0chenyk) are treated as loose leads, not proof. One loose end stands out: a single IP address in Taiwan made more than 42,000 requests downloading the crew&#8217;s own tools. It could be a second operator, a customer, or another researcher. The logs cannot settle\u00a0it.<\/p>\n<p>For a group running a genuinely capable toolchain, the crew was careless. It left the server open, left a FOFA config file that FOFA can trace through its law-enforcement channel, and left an unedited command history that laid the whole thing out. When it finally noticed it had been spotted, sometime between July 2 and July 4, it deleted a batch of log lines. Three weeks too late.<\/p>\n<p>The blunder is a familiar one. In March 2026, the same research shop caught Russia&#8217;s Fancy Bear (APT28) the same way: a forgotten open directory spilled the group&#8217;s phishing tools and logs, in a campaign Hunt.io called\u00a0Operation Roundish.<\/p>\n<p>What to do\u00a0now<\/p>\n<p>If you run any of the targeted software, check it today. These are not obscure bugs: two of them are under active exploitation elsewhere.<\/p>\n<p>Wordfence\u00a0tracked tens of thousands of blocked attacks\u00a0against the Everest Forms Pro flaw (CVE-2026-3300) this spring, and the Joomla JCE bug (CVE-2026-48907) is a maximum-severity flaw\u00a0CISA has added to its Known Exploited Vulnerabilities list.<\/p>\n<p>  WordPress and Joomla, first:\u00a0patch Breeze (CVE-2026-3844, fixed in 2.4.5) if the non-default &#8220;Host Files Locally \u2013 Gravatars&#8221; setting is on; it produced the most backdoors here. Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA&#8217;s actively-exploited list, even though it barely landed in this campaign.<br \/>\n  WordPress and Joomla, also check:\u00a0ThemeREX Addons (CVE-2026-1969), Simple File List (CVE-2020-36847), Custom CSS JS PHP (CVE-2026-6433), BerqWP (CVE-2025-7443), Ninja Forms uploads (CVE-2026-0740), WavePlayer (CVE-2025-12057), WPBookit (CVE-2025-7852), and WP File Manager (CVE-2020-25213). Both reports list Simple File List under\u00a0CVE-2025-34085, a now-rejected duplicate; the valid ID is\u00a0CVE-2020-36847.<br \/>\n  Nacos:\u00a0upgrade to 2.2.1 or later and turn authentication on (nacos.core.auth.enabled=true). If your instance was ever exposed, rotate every credential that lived in it, not just the obvious ones.<br \/>\n  XXL-Job and Spring Boot:\u00a0close unauthenticated executor endpoints and disable\u00a0\/actuator\/heapdump\u00a0in production.<br \/>\n  Hunt for the backdoors:\u00a0search for the crew&#8217;s webshell filename patterns, such as\u00a0.bd.php,\u00a0.wp-log.php, and\u00a0.brq-*.php. Then check any process named\u00a0[kworker\/X:Y]. A real kernel thread runs no program of its own, so its\u00a0\/proc\/\/exe\u00a0points to nothing. It also has no command line and no network sockets. A\u00a0[kworker]\u00a0that shows any of these is an impostor. Block the known infrastructure:\u00a0137.175.93[.]126,\u00a043.108.17[.]80, and the domain\u00a0xs.xxooonline[.]eu[.]cc.<\/p>\n<p>What makes WP-SHELLSTORM worth attention is not how advanced it is, but how ordinary. Public exploits, automated scanning, and a target list a million lines long were enough to compromise sites at scale, no zero-day required. The details are public only because the crew forgot to close its own server.<\/p>\n<p>The Hacker News has reached out to SOCRadar for further details on their findings and will update this story with any response.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites https:\/\/thehackernews.com\/2026\/07\/exposed-hacker-server-reveals-wp.html Publish Date: 2026-07-10 07:30:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":241998,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgruetcUTsay2-ledgCIdCPKK_bPRiTzuXzYeUiLR3xuazZgHTmxO4Gz6PyyuwdFUVoHHOCbq5PksEMW18dSsdzCJddBMr8vQ3TQO3PIqXExF_17RGVfKRD8cPltNjh6eV1fgXM-pYYlwZnWaZcf7oo50CahUBY5AWt8-IS1K7KxhlL9GFLDcAk1ruwMSI\/s1600\/hacker-server.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,35,25],"class_list":["post-241997","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-hacker","tag-phishing"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241997"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=241997"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241997\/revisions"}],"predecessor-version":[{"id":241999,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241997\/revisions\/241999"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/241998"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=241997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=241997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=241997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}