2026-07-10 · view entry permalink →
WP-SHELLSTORM: an exposed webshell-brokerage toolkit reveals 27 weaponized CVEs fired at 1.4M WordPress/Joomla sites plus a parallel Nacos/Spring Boot credential-theft track
SOCRadar's Threat Intelligence Team spotted an unauthenticated open directory — a Python SimpleHTTPServer left running for 22 days on a US-based VPS — that exposed the complete toolkit, target lists, bash history and C2 configuration of a webshell access-brokerage operation it names WP-SHELLSTORM (SOCRadar, 2026-07-09). The operation weaponized 27 CVEs (14 critical, 9 high) against roughly 1.4 million WordPress and Joomla domains sourced via FOFA, confirming more than 5,700 live webshells; the single highest-yield exploit was a Breeze Cache Cleaner flaw (CVE-2026-3844) at 45,000+ targets and 17,000+ confirmed shells, followed by a ThemeREX Addons vulnerability (CVE-2026-1969), while a Joomla JCE flaw fired at 560,000+ targets yielded only 77 shells — a reminder that raw target count and success rate diverge with how patched an ecosystem is. The Hacker News independently cites a second team, Ctrl-Alt-Intel, whose deduplicated count reached 25,195 compromised sites; SOCRadar reads the crew as financially motivated rather than state-directed (The Hacker News, 2026-07-10). A parallel, earlier track abused the Apache Nacos authentication bypass (CVE-2021-29441 — a request with a "Nacos-Server" User-Agent header skips auth entirely) to exfiltrate hundreds of Nacos configuration files, yielding cloud credentials, database connection strings and API keys; a separate technique scanned Spring Boot for exposed heap dumps and used the open-source JDumpSpider to pull credentials from those Java memory dumps. Because Nacos config routinely holds XXL-Job admin tokens, one Nacos bypass chains to RCE across connected executor nodes (SOCRadar, 2026-07-09).
The webshell payloads include a multi-layer-obfuscated BestShell-derived down.php, a Godzilla-framework variant, and a shell that returns HTTP 404 to normal visitors and blocks crawler user-agents; remote access uses a WebSocket-delivered dropper (SNOWLIGHT) fetching an architecture-matched VShell implant that renames its own process to mimic a Linux kernel worker thread (SOCRadar, 2026-07-09).
a Python SimpleHTTPServer instance, left open for 22 days, exposed the full toolkit, logs, and target lists
The most productive single exploit was a Breeze Cache Cleaner flaw (45,000+ targets, 17,000+ confirmed shells), followed by a ThemeREX Addons vulnerability (3,378 shells from 46,600 targets).
Ctrl-Alt-Intel's deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.