An operational security failure by a threat actor group gave researchers an unprecedented look inside a professional webshell brokerage operation — and the scope of what they found was significant. SOCRadar threat intelligence discovered an unprotected server at 137.175.93[.]126 on June 11, 2026. The US-based VPS had been left exposed for three weeks with no password protection, containing roughly 800MB across 434 files.
The operation, now tracked as WP-SHELLSTORM, represents a sophisticated webshell-as-a-service model: compromising web servers at scale, maintaining persistent backdoor access, and reselling that access to other threat actors.
Scale of Compromise
The exposed server contained target lists, scan logs, exploit scripts, typed command history, and C2 configuration. The numbers uncovered:
| Metric | Count |
|---|---|
| Domains targeted | 1.4 million |
| Active webshells identified (SOCRadar) | 5,700+ |
| Confirmed compromised sites (deduplicated) | 25,195 |
| CVEs in exploit toolkit | 27 |
The 25,195 figure comes from Ctrl-Alt-Intel, which independently discovered the same server via Hunt.io and performed deduplication on the raw target data.
Exploitation Toolkit: 27 CVEs
The group's toolkit exploited a wide range of known vulnerabilities across WordPress plugins and CMS platforms. The most heavily used:
- CVE-2026-3844 (Breeze caching plugin, patched in v2.4.5) — 45,000 targets, 17,000+ backdoors planted; single highest-volume exploit in the operation
- CVE-2026-48907 (Joomla JCE editor, max severity) — listed on CISA KEV
- CVE-2026-1969 (ThemeREX Addons)
- CVE-2020-36847 (Simple File List plugin)
- CVE-2026-6433 (Custom CSS JS PHP plugin)
- CVE-2025-7443 (BerqWP optimization plugin)
- CVE-2026-0740 (Ninja Forms file upload)
- CVE-2025-12057 (WavePlayer plugin)
- CVE-2025-7852 (WPBookit booking plugin)
- CVE-2020-25213 (WP File Manager — a long-standing exploitation target)
The breadth of CVE coverage shows the group maintained an updated, diversified exploit kit rather than relying on a single vulnerability.
Malware: SNOWLIGHT + VShell
For persistence and remote access, WP-SHELLSTORM deployed a SNOWLIGHT dropper that installs VShell — a cross-platform remote access tool disguised as a kernel thread named [kworker/0:2] to blend in with legitimate Linux processes.
This SNOWLIGHT + VShell combination was previously documented by Sysdig in April 2025, where it was attributed to suspected Chinese state-nexus group UNC5174. However, researchers note that VShell is widely available in Chinese-speaking criminal communities, making definitive attribution difficult based on tooling alone.
Secondary Campaign: Corporate Java Targeting
In early May 2026, a secondary campaign from the same infrastructure targeted corporate Java systems. This operation stole 613 configuration files from nine companies across the fintech, e-commerce, and logistics sectors. The stolen files contained cloud credentials for:
- Amazon Web Services (AWS)
- Alibaba Cloud
- Oracle Cloud
- Tencent Cloud
- DigitalOcean
- Alipay RSA private keys
Recommendations for WordPress Administrators
- Patch immediately: Prioritize CVE-2026-3844 (Breeze plugin), CVE-2020-25213 (WP File Manager), and CVE-2026-48907 (Joomla JCE) if applicable
- Audit installed plugins: Remove abandoned or low-maintenance plugins that are not actively security-maintained
- Deploy a Web Application Firewall: Block exploit attempts targeting known plugin vulnerabilities
- Check for webshell indicators: Scan for unexpected PHP files in upload directories, unusual
[kworker]-named processes, and unexpected outbound connections - Monitor file integrity: Tools like Wordfence or similar file integrity monitors can detect unauthorized file additions
The WP-SHELLSTORM operation demonstrates that webshell access brokerage is a mature, organized business — with the tooling, scale, and resale pipeline of a professional criminal enterprise.