A recent operational security failure by a threat group known as WP-SHELLSTORM exposed internal infrastructure, revealing how attackers automate large-scale WordPress and Joomla website compromises. According to research from SOCRadar, the group left an unauthenticated Python server exposed for 22 days, providing a detailed look at their methods for deploying webshells and stealing enterprise credentials.
How the WP-SHELLSTORM Exposure Occurred
The breach of the attackers’ own infrastructure was the result of a simple oversight. The threat actors failed to secure a Python SimpleHTTPServer directory, leaving it publicly accessible for over three weeks. Jacob Krell, senior director of secure AI solutions and cybersecurity at SuzuLabs, noted that this incident highlights a recurring industry issue where organizations—and in this case, cybercriminals—only assess external exposure when forced by a major vulnerability disclosure.
The exposed server contained approximately 800 MB of data, including command histories, exploit scripts, and target lists. Researchers confirmed that the group used this infrastructure to orchestrate attacks against known vulnerabilities rather than relying on sophisticated zero-day exploits.
Automation of WordPress and Joomla Attacks
The WP-SHELLSTORM campaign focused on mass-scale automation. While the group’s target lists included over 1.4 million websites, actual compromises were significantly lower. Analysis by Ctrl-Alt-Intel and SOCRadar identified approximately 25,195 successfully compromised domains.
The group prioritized known flaws in popular plugins, specifically:
- Breeze WordPress Caching Plugin: Attackers targeted CVE-2026-3844, a vulnerability that affects installations where the "Host Files Locally – Gravatars" option is enabled.
- Joomla JCE Editor: The group actively exploited CVE-2026-48907 to gain unauthorized access.
Once a site was compromised, the attackers deployed an obfuscated webshell dubbed down.php, modeled after the open-source BestShell. For persistent access, they utilized the "SNOWLIGHT" dropper to install VShell, a remote access tool that mimics legitimate Linux kernel worker processes like [kworker/0:2].
Prior Campaign: Enterprise Credential Theft
Before shifting to mass website backdooring, the group conducted a separate campaign targeting Nacos configuration servers. By exploiting CVE-2021-29441, the actors bypassed authentication to scrape sensitive data. The exposed logs revealed that the group successfully harvested cloud credentials for major providers, including AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean.

Risk Mitigation for Website Administrators
Security researchers recommend a standardized approach to defending against these automated campaigns. Organizations can reduce their attack surface by following these steps:
- Patching: Prioritize updates for WordPress, Joomla, and all third-party plugins, specifically targeting vulnerabilities known to be under active exploitation.
- Surface Reduction: Disable or remove any unused themes, plugins, or extensions that could serve as entry points.
- Continuous Monitoring: Regularly scan for unauthorized file changes. Indicators of compromise include suspicious files such as
.bd.php,.wp-log.php, and.brq-*.php. - Process Auditing: Investigate fake
[kworker]processes that show unusual executable paths or active network connections. - Credential Hygiene: If systems like Nacos configuration servers were exposed, rotate all associated API keys, database passwords, and cryptographic certificates immediately.
While the presence of VShell and Chinese-language artifacts in the logs led researchers to believe the operators are Chinese-speaking, current evidence suggests the campaign was primarily financially motivated rather than state-sponsored.