Exposed Server Reveals 25,000 Hacked WordPress Websites in Large Cybercrime Campaign
A publicly accessible server belonging to a cybercriminal group has exposed the inner workings of a large-scale campaign targeting WordPress and Joomla websites worldwide.
Security researchers from SOCRadar discovered that infrastructure linked to the threat group WP-SHELLSTORM was left open without authentication for around three weeks, allowing researchers to access exploit tools, attack logs, stolen credentials, and thousands of webshells used to maintain control over compromised websites.
The exposed server contained nearly 800 MB of data, including malware tools, target lists, command histories, and details of hacking operations. Researchers said the incident provided rare insight into how cybercriminal groups automate website compromises and sell access to other attackers.
Thousands of Websites Compromised Through Known Vulnerabilities
WP-SHELLSTORM operates as an initial access broker, compromising websites in bulk before selling access to other cybercriminals.
The group mainly targeted outdated WordPress plugins and Joomla components instead of relying on unknown zero-day vulnerabilities. Researchers identified a toolkit capable of exploiting 27 known security flaws, with a few vulnerabilities responsible for most successful attacks.
One major target was the Breeze WordPress caching plugin vulnerability CVE-2026-3844. Attackers attempted exploitation against more than 45,000 websites, eventually deploying over 17,000 webshells.
The attackers also targeted a Joomla JCE Editor vulnerability, CVE-2026-48907, as part of their campaign.
Although attacker lists contained more than 1.4 million websites, researchers warned that this figure represented scanning targets rather than confirmed victims. After verification, analysts identified approximately 25,195 compromised websites, along with thousands of active webshells.
Webshells Allowed Long-Term Remote Access
After compromising websites, attackers installed an obfuscated webshell known as down.php, believed to be based on the open-source BestShell tool.
The backdoor allowed hackers to execute commands remotely, access files, steal credentials, create reverse shells, and move deeper into compromised environments.
For additional persistence, attackers used the SNOWLIGHT dropper to install VShell, a remote access tool disguised as a legitimate Linux system process. Researchers noted that while VShell has appeared in campaigns linked to Chinese state actors, it is also widely used by financially motivated cybercriminal groups.
Earlier Campaign Stole Cloud Credentials
The exposed server also revealed evidence of an earlier operation focused on stealing enterprise credentials.
Researchers found that the group targeted vulnerable Nacos configuration servers using CVE-2021-29441, allowing attackers to bypass authentication and collect sensitive configuration data.
The stolen information included credentials and keys linked to cloud platforms such as AWS, Oracle Cloud, Alibaba Cloud, Tencent Cloud, and DigitalOcean, as well as database passwords and encryption keys.
Investigators believe the group first collected valuable credentials before shifting toward mass website compromise and webshell deployment.
Attackers Exposed by Their Own Mistakes
Despite using advanced tools, WP-SHELLSTORM made major operational security mistakes by leaving an internal Python web server publicly accessible for 22 days.
The exposure revealed exploit scripts, infrastructure details, search configurations, and internal activity records. Researchers also found evidence that attackers attempted to remove some logs after discovering the exposure, but the damage had already been done.
Based on the use of simplified Chinese language, malware tools, and infrastructure choices, researchers believe the operators are likely Chinese or Chinese-speaking cybercriminals. However, they assess the campaign was financially motivated rather than directly linked to a government operation.
How Organizations Can Protect Websites
Security experts recommend organizations take several steps to reduce the risk of similar attacks:
- Keep WordPress, Joomla, plugins, themes, and extensions updated.
- Remove unused plugins and components that increase attack risks.
- Monitor websites for unauthorized file changes and suspicious webshell activity.
- Search for indicators of compromise, including unusual PHP files and fake system processes.
- Rotate passwords, API keys, and cloud credentials if compromise is suspected.
- Regularly test incident response plans.
The incident highlights how cybercriminal groups are increasingly automating website attacks and turning compromised systems into valuable assets for further criminal activity.
Leave a comment