WP-SHELLSTORM Exposes 25,195 WordPress Backdoors, Java Data
The WP-SHELLSTORM cybercrime crew's critical misconfiguration exposed one of their command-and-control servers publicly for three weeks. This gave cybersecurity researchers a detailed view into a large-scale website compromise operation. This exposed server detailed the group's internal workings, including their hacking tools, activity logs, and target lists encompassing more than 1.4 million websites. Analysis of the leaked data indicates the group is likely Chinese or Chinese-speaking and is primarily driven by financial motivations.
The operation, active since at least early May 2026, systematically exploited publicly known vulnerabilities in popular content management system (CMS) plugins to plant webshells on compromised sites. Researchers confirmed evidence of compromise on 25,195 unique websites, with over 5,700 active webshells identified. Key vulnerabilities exploited included CVE-2026-3844 in the Breeze caching plugin for WordPress and CVE-2026-48907 in the Joomla JCE editor, the latter being a maximum-severity flaw listed on CISA's Known Exploited Vulnerabilities catalog.
Prior to their extensive WordPress campaign, WP-SHELLSTORM also conducted a more targeted campaign against corporate Java systems. This earlier activity involved the exploitation of CVE-2021-29441 in the Nacos configuration server, resulting in the theft of 613 configuration files from 11 systems across nine companies in the fintech, e-commerce, logistics, gaming, and electronics sectors. The exposed server, located at 137.175.93[.]126, inadvertently showed the group's tactics, techniques, and procedures, including a custom Go-based backdoor and an EDR killer framework.
What did the WP-SHELLSTORM server exposure reveal?
The exposure of WP-SHELLSTORM's server revealed full insights into the group's operations as a webshell access brokerage, a model where compromised site access is resold. Spotted by SOCRadar's threat intelligence team on June 11, 2026, the unprotected US-based server, hosted at 137.175.93[.]126, contained approximately 800MB across 434 files, including webshells, exploit scripts, scan results, and the operator's command history. A Python web server, left running for 22 days, was the oversight; Ctrl-Alt-Intel also independently identified and analyzed it weeks prior.
The group primarily targeted out-of-date plugins in WordPress and Joomla using automated scanners and publicly known bugs. The most successful exploit involved CVE-2026-3844 in the Breeze caching plugin, which WP-SHELLSTORM launched against over 45,000 targets, successfully backdooring more than 17,000. This vulnerability, however, is only exploitable when a non-default "Host Files Locally - Gravatars" setting is enabled. Another significant vulnerability targeted was CVE-2026-48907 in the Joomla JCE editor, a maximum-severity flaw actively exploited elsewhere, though it yielded fewer compromises in this specific campaign.
While the group's target lists named over 1.4 million domains, actual confirmed compromises were significantly lower. Ctrl-Alt-Intel's deduplicated count identified 25,195 sites with validated compromise evidence, whereas SOCRadar, focusing on active webshells, reported over 5,700 live compromises. This distinction matters: being on a scan list does not mean a site was successfully hacked.
WP-SHELLSTORM's toolkit included a heavily obfuscated webshell named down.php, believed to be derived from the open-source Chinese webshell BestShell. This webshell enabled file management, command execution, reverse shells, network scanning, and security software checks on compromised servers. For remote access, the group deployed a SNOWLIGHT dropper to install VShell, a stealthy backdoor that used the process name [kworker/0:2] to avoid detection by appearing as a kernel thread. The presence of SNOWLIGHT and VShell aligns with tools seen in past campaigns attributed to suspected Chinese state groups like UNC5174, though VShell is also prevalent in Chinese-speaking criminal circles.
Before this extensive WordPress operation, WP-SHELLSTORM conducted a narrower, high-value campaign in early May 2026 targeting corporate Java systems. This involved exploiting CVE-2021-29441 in the Nacos configuration server to bypass authentication and extract sensitive data. This haul included 613 configuration files from 11 systems across nine companies, containing cloud login keys for platforms such as AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean, as well as database passwords and Alipay RSA private keys. Researchers hypothesize this corporate credential theft served as a funding mechanism before expanding their broader webshell brokerage activities.
Several factors point to a Chinese or Chinese-speaking operator: fluent Simplified Chinese in code and command history, reliance on the Chinese internet-connected search engine FOFA (which requires a Chinese phone number for registration), and the use of common tools like Godzilla and VShell from Chinese-speaking underground forums. Despite using sophisticated tools, the group showed operational security flaws. They left their server open, exposed a traceable FOFA configuration file, and did not edit their full command history until after discovery. This echoed a similar blunder by Fancy Bear (APT28) in March 2026.
Infrastructure and Indicator of Compromise:
- Server IP: 137.175.93[.]126
- Command and Control (C2) IP: 43.108.17[.]80
- Domain: xs.xxooonline[.]eu[.]cc
Key Vulnerabilities Exploited:
- CVE-2026-3844: WordPress Breeze caching plugin (fixed in v2.4.5)
- CVE-2026-48907: Joomla JCE editor (fixed in v2.9.99.5)
- CVE-2026-1969: ThemeREX Addons (WordPress)
- CVE-2020-36847: Simple File List (WordPress)
- CVE-2026-6433: Custom CSS JS PHP (WordPress)
- CVE-2025-7443: BerqWP (WordPress)
- CVE-2026-0740: Ninja Forms uploads (WordPress)
- CVE-2025-12057: WavePlayer (WordPress)
- CVE-2025-7852: WPBookit (WordPress)
- CVE-2020-25213: WP File Manager (WordPress)
- CVE-2021-29441: Nacos configuration server (Authentication bypass)
The Gentlemen Ransomware Sustains Rapid Growth
The Gentlemen (aka Storm-2697), a Ransomware-as-a-Service (RaaS) program, rapidly expanded its operations, becoming the second most active RaaS program of 2026 by victim count. Since its inception in July 2025, the group has claimed 580 victims across 77 countries as of July 7, 2026, marking a substantial increase in activity compared to the previous year. Specifically, Unit 42 reporting indicates a more than 6x increase in claimed victims when comparing the last six months of 2025 to the first six months of 2026, with June 2026 alone seeing 117 victims, its highest monthly total to date.
The group, reportedly comprising around 20 operators, likely transitioned from a private entity to a RaaS model around September 2025, having previously operated as an affiliate (known as ArmCorp) of Qilin RaaS (tracked as Spikey Scorpius). A distinguishing characteristic of The Gentlemen is its highly attractive affiliate payout structure, offering a high 90% cut of paid ransoms. This strategy aims to rapidly recruit affiliates, penetration testers, and initial access brokers (IABs). This recruitment effort was further supported by a public partnership announcement with HasanBroker's BreachForums in May 2026.
The Gentlemen uses a range of initial access techniques, similar to other RaaS operators. These methods include the exploitation of vulnerabilities in edge devices like firewalls and VPNs, brute-force attacks, the acquisition of leaked or stolen credentials, and collaborations with IABs. Once initial access is gained, the group deploys ransomware variants written in both C and Go programming languages, enabling them to target various operating systems and virtualized infrastructure.
Beyond their core ransomware, The Gentlemen developed custom tools to improve their attack process. This includes a proprietary Go-based backdoor for persistent access and an EDR killer framework dubbed GentleKiller, designed to impair endpoint detection and response solutions. Researchers also suspect the group has utilized an unspecified zero-day vulnerability to increase its defense evasion capabilities. For more details on the group's operational trends, refer to our recent analysis of The Gentlemen ransomware activity.
Of the 580 victims claimed by The Gentlemen, 103 organizations operate within the manufacturing industry, a sector frequently targeted due to the critical need to maintain operational uptime, which increases pressure for rapid ransom payments. With a lucrative affiliate model and advanced custom tools, the group is a significant and growing threat to enterprise organizations. Further insights into the group's impact and recent victimology can be found in our report on The Gentlemen ransomware's recent victim activity and impact.
Key Vulnerabilities Exploited by The Gentlemen:
- CVE-2024-55591: Fortinet FortiOS and FortiProxy
- CVE-2025-32433: Erlang/OTP SSH server
- CVE-2025-33073: Windows SMB Client
- CVE-2025-55182: React2Shell
- CVE-2025-7771: ThrottleStop.sys driver (privilege escalation)
Parallel Espionage Campaigns Target Pakistani Law Enforcement
Persistent cyber espionage was revealed when separate hacking groups from China and India conducted parallel operations targeting the same Pakistani law enforcement agency, the Balochistan Police, over more than two years. Cybersecurity firm SentinelOne reported that this activity occurred between February 2024 and April 2026, compromising systems containing highly sensitive internal-security data.
The Balochistan Police force, responsible for Pakistan's southwestern province-a site of a long-running separatist insurgency-was targeted because its systems held centralized government internal-security information. SentinelLabs research confirmed that the compromised systems held a range of sensitive data, including criminal records, biometric and fingerprint data, personnel files, hotel and tenant registrations linked to national identity records, and citizen complaints.
SentinelLabs assessed different motivations for these two distinct campaigns. The China-linked activity aimed primarily to protect Chinese nationals in Pakistan, especially those involved in the China-Pakistan Economic Corridor (CPEC) projects. This motivation stemmed from incidents such as a March 2024 suicide bombing and an October 2024 attack near Karachi's airport, both of which impacted Chinese workers. Beijing's interest was to independently assess security threats rather than relying solely on Pakistani security guarantees. Chinese-linked operators planted malware disguised as a portal update on the Balochistan Police Complaint Management System, exposing both police and public users. Forensic traces, including Chinese-language log strings and developer artifacts, supported the attribution; tools like PlugX and ShadowPad formed the basis for the assessments.
Conversely, the India-linked intrusions were connected to the ongoing geopolitical rivalry between India and Pakistan. Access to Balochistan Police data would offer insights into the Baloch insurgency, which Islamabad accuses New Delhi of supporting, a claim India denies. SentinelLabs tracked the India-linked activity with lower confidence to an actor designated TAG-179, which overlaps with groups known as Bitter and Mysterious Elephant. Evidence for this attribution included a lure document themed around the repatriation of undocumented foreigners.
Both groups exploited a shared vulnerability in the Balochistan Police Complaint Management System. For the China-linked operator, malware was embedded within a fake update, infecting devices upon execution. This dual targeting shows how centralized and digitized policing systems, even with modernization, create valuable data sources that attract multiple adversaries with different geopolitical and economic objectives.
Technical Takeaways
- The exposure of an attacker's infrastructure, like WP-SHELLSTORM's server, provides direct intelligence on threat actor TTPs, tools, and campaign scope, often revealing reliance on known, unpatched vulnerabilities.
- Ransomware-as-a-Service groups like The Gentlemen use lucrative affiliate models and custom evasion tools such as GentleKiller to increase victim counts across various sectors, including manufacturing industries.
- Nation-state espionage campaigns, like the parallel operations of China and India against the Balochistan Police, often target government and law enforcement entities to collect sensitive internal security data for geopolitical advantage.
- Exploitation of out-of-date plugins in common CMS platforms, such as WordPress (Breeze caching plugin CVE-2026-3844) and Joomla (JCE editor CVE-2026-48907), remains a primary initial access method for financially motivated cybercrime groups like WP-SHELLSTORM.
- The shift from high-value corporate credential theft (e.g., exploiting Nacos CVE-2021-29441) to broader mass-compromise campaigns indicates a strategic approach by some threat actors to fund and expand their operations.