216.73.216.67

How WP-SHELLSTORM Exposed 1.4M WordPress Sites

· Published 13/07/2026 11:59

Export JSON

Essential information

Published
13/07/2026 11:59
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
access-brokerage botnet godzilla vshell webshell wordpress
Related entities
13 vulnerabilities (cve), 6 indicators, 5 observables, 1 intrusion sets (apt), 20 techniques (mitre), 4 malware

Description

A financially motivated cybercrime group operating as WP-SHELLSTORM was exposed when their Python SimpleHTTPServer remained open for 22 days, revealing toolkits, logs, and target lists. The operation targeted over 1.4 million domains using 27 weaponized CVEs and deployed more than 5,700 active webshells across and Joomla platforms. A parallel campaign targeted Apache Nacos, XXL-Job, and Spring Boot infrastructure, exfiltrating 613 configuration files from 11 victims across nine organizations in May 2026, compromising cloud credentials, database passwords, and payment system keys. The Chinese-linked actor utilized sophisticated obfuscated webshells, infrastructure, and implants designed to evade detection by mimicking legitimate system processes.

External references