A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation’s inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites.

Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside.

The operation, now tracked as WP-SHELLSTORM, is what SOCRadar calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a “webshell”) on each, and packages that access for resale.

The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla’s JCE editor; skip to the checklist below if that’s you.

A forgotten server

Two teams dug into the same exposed folder. SOCRadar’s threat intelligence team spotted it on June 11, 2026, on a US-based rented server at 137.175.93[.]126 with no password on it at all. Inside was roughly 800MB across 434 files: webshells, exploit scripts, scan results, the operator’s typed command history, and command-and-control settings.

Ctrl-Alt-Intel had analyzed the same directory too, having found it on Hunt.io’s open-directory platform, and published on June 22, weeks before SOCRadar’s own July 9 writeup. The exposure came down to a basic slip: the operator started a simple Python web server to move files around and left it running for 22 days.

The crew took publicly known bugs in website plugins, most of them in WordPress, and built automated scanners to fire those exploits at massive target lists pulled from FOFA, a Chinese search engine for internet-connected systems, similar to Shodan.

Where a site ran a vulnerable version, the exploit could upload a webshell: a small script that lets the attacker run commands on the server from anywhere, read files, steal passwords, and move deeper into the network.

The toolkit covered 27 known flaws, though a handful did most of the work. The biggest producer was a bug in the Breeze caching plugin (CVE-2026-3844), which the crew fired at more than 45,000 targets and, by its own count, backdoored over 17,000 of them.

That one comes with a catch: it only works when a non-default “Host Files Locally – Gravatars” setting is switched on, so most Breeze installs were never exposed.

The numbers, in plain terms

The headline figure needs a caveat. The 1.4 million count is how many domains were on the target lists, not how many were broken into, and those lists spanned WordPress, Joomla, and other platforms. The single largest file was a list of 587,034 Joomla targets.

The number actually compromised was far smaller, and the two research teams measured it differently: Ctrl-Alt-Intel’s deduplicated count found 25,195 sites with confirmed or validated compromise evidence, while SOCRadar, counting active webshells, put the live figure at 5,700-plus.

One…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 10, 2026