How Backdoor Access Brokers Target Outdated Plugins and CMS Infrastructure

A security lapse by a cybercriminal group has provided researchers with a rare glimpse into how large-scale website compromise operations are conducted. An internet-exposed server, left unsecured for more than three weeks, revealed attack tools, exploit scripts, command logs, and millions of potential targets associated with an operation now tracked as WP-SHELLSTORM.

According to security researchers at SOCRadar, the exposed server contained approximately 800 MB of data across 434 files, including exploit frameworks, webshells, scan results, operator command histories, and command-and-control configurations. Independent researchers at Ctrl-Alt-Intel also analyzed the same directory after discovering it through Hunt.io, publishing their findings before SOCRadar released its own report.

Over 1.4 Million Websites Appeared on Target Lists

One of the largest numbers circulating from the investigation is the discovery of more than 1.4 million website domains contained within attacker target lists. However, researchers caution that this figure represents websites selected for scanning, not confirmed compromises.

The targets included WordPress, Joomla, and other web platforms, with the largest single list containing approximately 587,000 Joomla installations.

Evidence suggests that only a relatively small percentage of those systems were successfully compromised, however, website security should be a high priority. Ctrl-Alt-Intel identified approximately 25,000 validated compromises, while SOCRadar observed more than 5,700 active webshells during its analysis. The differing totals reflect different measurement methods rather than conflicting conclusions.

The research serves as an important reminder that appearing in a hacker’s scanning list does not necessarily mean your website security has been breached.

Automated Exploitation Focused on Known Vulnerabilities

Rather than relying on sophisticated zero-day vulnerabilities, the attackers primarily exploited publicly disclosed vulnerabilities affecting outdated website software.

Researchers found automated scanners designed to identify vulnerable installations and deploy webshells, allowing attackers to remotely execute commands, browse files, steal credentials, and maintain persistent access to compromised servers.

The operation reportedly leveraged 27 known vulnerabilities, although only a handful accounted for most successful compromises.

The most heavily used exploit targeted the Breeze WordPress caching plugin (CVE-2026-3844). Attackers reportedly launched more than 45,000 exploitation attempts, claiming to have successfully installed webshells on over 17,000 websites.

Fortunately, researchers note this vulnerability only affects sites where the optional “Host Files Locally – Gravatars” feature is enabled, meaning many Breeze installations were never exposed.

Webshell Access Was the Primary Goal

SOCRadar classifies WP-SHELLSTORM as a webshell access brokerage operation.

Instead of immediately stealing data or deploying ransomware, the group appears focused on obtaining persistent access to websites, then packaging and selling that access to other cybercriminals.

The primary webshell recovered during the investigation, named down.php, was heavily obfuscated and appears to have been derived from the open-source Chinese webshell known as BestShell.

Researchers found the malware capable of:

  • Executing remote commands
  • Managing server files
  • Launching reverse shells
  • Performing internal network reconnaissance
  • Detecting installed security software

The investigation also uncovered use of the SNOWLIGHT dropper to install VShell, a stealthy remote access tool that disguises itself using Linux kernel worker process names such as [kworker/0:2] in an attempt to avoid detection.

Security researchers note that while VShell has previously appeared in investigations involving suspected Chinese threat actors, it is also widely used within Chinese-speaking cybercriminal communities. Its presence alone does not establish attribution.

There are two types of companies: those that know they’ve been hacked, and those that don’t.

John Chambers

Earlier Corporate Intrusions Were Also Discovered

 

Evidence recovered from the exposed server suggests the operators were engaged in more than website compromises.

SOCRadar reports discovering traces of an earlier campaign targeting enterprise Java environments during May 2026.

That activity allegedly compromised 11 systems across nine companies operating in industries including:

  • Financial technology
  • E-commerce
  • Logistics
  • Gaming
  • Electronics

Researchers say attackers extracted hundreds of configuration files containing sensitive information such as:

  • AWS credentials
  • Alibaba Cloud credentials
  • Oracle Cloud credentials
  • Tencent Cloud credentials
  • DigitalOcean credentials
  • Database passwords
  • Alipay RSA private keys

The campaign reportedly exploited CVE-2021-29441, a long-known vulnerability affecting Nacos, allowing authentication bypass through manipulation of HTTP headers.

Operational Mistakes Exposed the Entire Campaign

Ironically, the investigation was only possible because of basic operational mistakes made by the attackers themselves.

Researchers determined the operators launched a simple Python web server for file transfers but inadvertently left it publicly accessible for approximately 22 days without authentication.

The exposed directory also contained:

  • Operator command histories
  • Configuration files
  • FOFA search settings
  • Attack scripts
  • Scan results
  • Command-and-control information

According to SOCRadar, portions of the logs were deleted after the operators realized they had been discovered, but only after researchers had already collected much of the available evidence.

Investigators believe the operators are likely Chinese-speaking based on language found throughout the code and logs, as well as their extensive use of Chinese-developed security tools and the FOFA internet search platform. However, researchers emphasize that attribution remains an assessment rather than definitive proof.

Website Owners Should Patch Immediately

The investigation highlights the ongoing risks associated with running outdated web applications and plugins.

Organizations operating WordPress or Joomla websites should verify that all plugins, themes, and extensions are fully updated, particularly those associated with vulnerabilities actively exploited during the campaign.

Researchers specifically recommend reviewing systems for vulnerabilities affecting:

  • Breeze
  • Joomla JCE
  • ThemeREX Addons
  • Simple File List
  • Custom CSS JS PHP
  • BerqWP
  • Ninja Forms
  • WavePlayer
  • WPBookit
  • WP File Manager

Organizations using Nacos should upgrade to version 2.2.1 or later, enable authentication, and rotate any credentials that may have been stored if an exposed instance is suspected.

Administrators are also encouraged to inspect servers for suspicious PHP files matching known webshell naming conventions and investigate any Linux processes masquerading as kernel worker threads that exhibit network activity or executable paths.

A Reminder That Basic Security Still Matters

Perhaps the most significant lesson from WP-SHELLSTORM is that attackers did not require sophisticated zero-day exploits to compromise thousands of websites.

Instead, researchers found widespread use of publicly known vulnerabilities, automated scanning, and large-scale target lists to identify systems that had simply not been updated.

The campaign also demonstrates how a single operational mistake by attackers—in this case leaving an internal server publicly accessible—can provide valuable intelligence that helps defenders better understand modern cybercrime operations.

Sources

This article is based on public research and reporting from:

  • SOCRadar (original research)
  • Ctrl-Alt-Intel (independent investigation)
  • Hunt.io (open directory discovery)
  • Wordfence
  • CISA Known Exploited Vulnerabilities Catalog
  • The Hacker News (original reporting)
Author picture

About INTELLIPLANS

INTELLIPLANS empowers small businesses and nonprofits to bridge the gap between complex technology and meaningful growth. By specializing in high-performance digital solutions and operational strategy, we help mission-driven organizations build a dominant online presence while streamlining the systems behind the scenes.

Leave a Reply