How WP-SHELLSTORM Exposed 1.4M WordPress Sites
Essential information
- Published
- 13/07/2026 11:59
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- access-brokerage botnet godzilla vshell webshell wordpress
- Related entities
- 13 vulnerabilities (cve), 6 indicators, 5 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware
Description
A financially motivated cybercrime group operating as WP-SHELLSTORM was exposed when their Python SimpleHTTPServer remained open for 22 days, revealing toolkits, logs, and target lists. The operation targeted over 1.4 million domains using 27 weaponized CVEs and deployed more than 5,700 active webshells across WordPress and Joomla platforms. A parallel campaign targeted Apache Nacos, XXL-Job, and Spring Boot infrastructure, exfiltrating 613 configuration files from 11 victims across nine organizations in May 2026, compromising cloud credentials, database passwords, and payment system keys. The Chinese-linked actor utilized sophisticated obfuscated webshells, botnet infrastructure, and implants designed to evade detection by mimicking legitimate system processes.