ctipilot.ch

WP-SHELLSTORM

actor · actor:wp-shellstorm

SOCRadar designation for a financially-motivated, assessed Chinese-speaking webshell access-brokerage crew (WABO) whose own unauthenticated staging server, exposed for 22 days, revealed automated exploitation of 27 weaponized CVEs against ~1.4M WordPress/Joomla domains (5,700+ live webshells; a Breeze Cache Cleaner flaw CVE-2026-3844 the highest-yield) plus a parallel Apache Nacos/XXL-Job/Spring Boot cloud-credential-theft track using CVE-2021-29441 and JDumpSpider; deploys BestShell-derived and Godzilla webshells and a VShell implant that masquerades as a Linux kernel worker thread (SOCRadar, 2026-07-09; corroborated by Ctrl-Alt-Intel via The Hacker News, 2026-07-10).

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
5
pinned v19.1 · see below

Hunting pivots

Affected products
Apache NacosJoomlaSpring BootWordPressXXL-Job

ATT&CK techniques

5 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-10/wp-shellstorm-webshell-brokerage-exposed-toolkit · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-10/wp-shellstorm-webshell-brokerage-exposed-toolkit · ATT&CK page ↗

Stealth TA0005

T1036.004Masquerading: Masquerade Task or Service×1

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Evidence: 2026-07-10/wp-shellstorm-webshell-brokerage-exposed-toolkit · ATT&CK page ↗

Credential Access TA0006

T1552.001Unsecured Credentials: Credentials In Files×1

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Evidence: 2026-07-10/wp-shellstorm-webshell-brokerage-exposed-toolkit · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-10/wp-shellstorm-webshell-brokerage-exposed-toolkit · ATT&CK page ↗

Story timeline

  1. 2026-07-10WP-SHELLSTORM: an exposed webshell-brokerage toolkit reveals 27 weaponized CVEs fired at 1.4M WordPress/Joomla sites plus a parallel Nacos/Spring Boot credential-theft track
    active-threatsSOCRadar finds a webshell-brokerage crew's own open staging server — 5,700+ live shells, 27 weaponized CVEs, and a parallel Nacos/Spring Boot credential heist

Where this entity is cited

  • active-threats1

Source distribution

  • socradar.io1 (50%)
  • thehackernews.com1 (50%)

Entries about WP-SHELLSTORM (1)

2026-07-10 · view entry permalink →

NOTABLEexploitedNATOC2

WP-SHELLSTORM: an exposed webshell-brokerage toolkit reveals 27 weaponized CVEs fired at 1.4M WordPress/Joomla sites plus a parallel Nacos/Spring Boot credential-theft track

SOCRadar's Threat Intelligence Team spotted an unauthenticated open directory — a Python SimpleHTTPServer left running for 22 days on a US-based VPS — that exposed the complete toolkit, target lists, bash history and C2 configuration of a webshell access-brokerage operation it names WP-SHELLSTORM (SOCRadar, 2026-07-09). The operation weaponized 27 CVEs (14 critical, 9 high) against roughly 1.4 million WordPress and Joomla domains sourced via FOFA, confirming more than 5,700 live webshells; the single highest-yield exploit was a Breeze Cache Cleaner flaw (CVE-2026-3844) at 45,000+ targets and 17,000+ confirmed shells, followed by a ThemeREX Addons vulnerability (CVE-2026-1969), while a Joomla JCE flaw fired at 560,000+ targets yielded only 77 shells — a reminder that raw target count and success rate diverge with how patched an ecosystem is. The Hacker News independently cites a second team, Ctrl-Alt-Intel, whose deduplicated count reached 25,195 compromised sites; SOCRadar reads the crew as financially motivated rather than state-directed (The Hacker News, 2026-07-10). A parallel, earlier track abused the Apache Nacos authentication bypass (CVE-2021-29441 — a request with a "Nacos-Server" User-Agent header skips auth entirely) to exfiltrate hundreds of Nacos configuration files, yielding cloud credentials, database connection strings and API keys; a separate technique scanned Spring Boot for exposed heap dumps and used the open-source JDumpSpider to pull credentials from those Java memory dumps. Because Nacos config routinely holds XXL-Job admin tokens, one Nacos bypass chains to RCE across connected executor nodes (SOCRadar, 2026-07-09).

The webshell payloads include a multi-layer-obfuscated BestShell-derived down.php, a Godzilla-framework variant, and a shell that returns HTTP 404 to normal visitors and blocks crawler user-agents; remote access uses a WebSocket-delivered dropper (SNOWLIGHT) fetching an architecture-matched VShell implant that renames its own process to mimic a Linux kernel worker thread (SOCRadar, 2026-07-09).

a Python SimpleHTTPServer instance, left open for 22 days, exposed the full toolkit, logs, and target lists

The most productive single exploit was a Breeze Cache Cleaner flaw (45,000+ targets, 17,000+ confirmed shells), followed by a ThemeREX Addons vulnerability (3,378 shells from 46,600 targets).

SOCRadar 2026-07-09

Ctrl-Alt-Intel's deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.

The Hacker News 2026-07-10
threat10 Jul 20:34Zmulti-sourceOpen finding ↗