Exposed server reveals WP-SHELLSTORM backdooring thousands of WordPress sites

WP-SHELLSTORM crew exposed after leaving server open, revealing 1.4M site targets and mass webshell operations

CSBadmin
2 Min Read

A cybercrime operation tracked as WP-SHELLSTORM left one of its own servers exposed on the internet for three weeks, revealing the inner workings of a mass site-hacking operation. The exposed server contained roughly 800MB of data across 434 files, including webshells, exploit scripts, scan results, and target lists naming more than 1.4 million websites.

Researchers from SOCRadar discovered the open server on June 11, 2026, at a US-based IP address with no password protection. The operator had started a simple Python web server to move files around and left it running for 22 days. The Ctrl-Alt-Intel research team independently analyzed the same directory after finding it on Hunt.io’s open-directory platform.

The WP-SHELLSTORM crew operated a webshell access brokerage, breaking into websites at scale and planting hidden backdoors for resale. They targeted out-of-date website plugins, primarily on WordPress and Joomla installations. The toolkit covered 27 known flaws, with the most productive being CVE-2026-3844 in the Breeze caching plugin, which the crew fired at more than 45,000 targets and backdoored over 17,000 of them. However, the bug only works when a non-default “Host Files Locally – Gravatars” setting is enabled, so most Breeze installs were never exposed.

The headline figure of 1.4 million requires important context. That count represents how many domains appeared on target lists, not how many were compromised. The target lists spanned WordPress, Joomla, and other platforms. Ctrl-Alt-Intel’s deduplicated analysis found 25,195 sites with confirmed compromise evidence, while SOCRadar put the active webshell count at over 5,700.

The main backdoor, a file named down.php, was heavily obfuscated across four layers. The incident underscores the importance of keeping all website plugins updated and auditing for unnecessary features that can expand the attack surface.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.