WP-SHELLSTORM: an exposed webshell-brokerage toolkit reveals 27 weaponized CVEs fired at 1.4M WordPress/Joomla sites plus a parallel Nacos/Spring Boot credential-theft track
SOCRadar's Threat Intelligence Team spotted an unauthenticated open directory — a Python SimpleHTTPServer left running for 22 days on a US-based VPS — that exposed the complete toolkit, target lists, bash history and C2 configuration of a webshell access-brokerage operation it names WP-SHELLSTORM (SOCRadar, 2026-07-09). The operation weaponized 27 CVEs (14 critical, 9 high) against roughly 1.4 million WordPress and Joomla domains sourced via FOFA, confirming more than 5,700 live webshells; the single highest-yield exploit was a Breeze Cache Cleaner flaw (CVE-2026-3844) at 45,000+ targets and 17,000+ confirmed shells, followed by a ThemeREX Addons vulnerability (CVE-2026-1969), while a Joomla JCE flaw fired at 560,000+ targets yielded only 77 shells — a reminder that raw target count and success rate diverge with how patched an ecosystem is. The Hacker News independently cites a second team, Ctrl-Alt-Intel, whose deduplicated count reached 25,195 compromised sites; SOCRadar reads the crew as financially motivated rather than state-directed (The Hacker News, 2026-07-10). A parallel, earlier track abused the Apache Nacos authentication bypass (CVE-2021-29441 — a request with a "Nacos-Server" User-Agent header skips auth entirely) to exfiltrate hundreds of Nacos configuration files, yielding cloud credentials, database connection strings and API keys; a separate technique scanned Spring Boot for exposed heap dumps and used the open-source JDumpSpider to pull credentials from those Java memory dumps. Because Nacos config routinely holds XXL-Job admin tokens, one Nacos bypass chains to RCE across connected executor nodes (SOCRadar, 2026-07-09).
The webshell payloads include a multi-layer-obfuscated BestShell-derived down.php, a Godzilla-framework variant, and a shell that returns HTTP 404 to normal visitors and blocks crawler user-agents; remote access uses a WebSocket-delivered dropper (SNOWLIGHT) fetching an architecture-matched VShell implant that renames its own process to mimic a Linux kernel worker thread (SOCRadar, 2026-07-09).
a Python SimpleHTTPServer instance, left open for 22 days, exposed the full toolkit, logs, and target lists
The most productive single exploit was a Breeze Cache Cleaner flaw (45,000+ targets, 17,000+ confirmed shells), followed by a ThemeREX Addons vulnerability (3,378 shells from 46,600 targets).
Ctrl-Alt-Intel's deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.
Defender actions
- Update or disable the directly-targeted plugins now if you run them: Breeze Cache (CVE-2026-3844) and ThemeREX Addons (CVE-2026-1969); scan WordPress/Joomla web-writable directories (uploads, plugin dirs) for unexpected PHP files and treat any as a web shell until cleared.
- If you run Apache Nacos, upgrade to ≥ 2.2.1 with nacos.core.auth.enabled=true and rotate every credential that lived in an exposed instance; test exposure by confirming a 'Nacos-Server' User-Agent request against the cluster-nodes endpoint (CVE-2021-29441) returns no data without auth.
- Disable /actuator/heapdump in production and lock all Spring Boot Actuator endpoints behind authentication; close and segment unauthenticated XXL-Job executor endpoints from the internet.
ATT&CK mapping
5 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Persistence TA0003
T1505.003Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Stealth TA0005
T1036.004Masquerading: Masquerade Task or Service
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.
Credential Access TA0006
T1552.001Unsecured Credentials: Credentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Command and Control TA0011
T1071.001Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.