WP-SHELLSTORM webshell access brokerage campaign
Campaign
Summary
Hide ▲
Show ▼
The WP-SHELLSTORM campaign exposed its own infrastructure, revealing a webshell access brokerage that targeted WordPress and Joomla sites at scale and backdoored thousands of sites. The exposed files contained webshells, exploit scripts, scan results, command history, and target lists naming more than 1.4 million websites. The operation relied on automated scanning of public flaws such as CVE-2026-3844 to plant backdoors for later resale. Separate files show an earlier phase that harvested cloud credentials and other secrets from corporate Java systems before the large-scale webshell push.
Related Happenings
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
H score36
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
CampaignAbout this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
TeamPCP supply-chain credential-exploitation campaign
Campaign
H score34
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
TeamPCP supply-chain credential-exploitation campaign
CampaignAbout this happening: The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
H score59
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation WaveAbout this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Exposed security-training web apps exploitation wave
Exploitation Wave
H score41
First: 21.01.2026 16:00
Last: 21.01.2026 16:00
Sources 1
About this happening:
**DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...
Exposed security-training web apps exploitation wave
Exploitation WaveAbout this happening: **DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...
Timeline
-
10.07.2026 14:30 1 articles · 2h ago
SOCRadar finds exposed WP-SHELLSTORM server on 137.175.93[.]126
Detection Ioc UpdateSOCRadar's threat intelligence team found a US-based rented server at 137.175.93[.]126 with no password protection, exposing roughly 800MB across 434 files that included webshells, exploit scripts, scan results, the operator's typed command history, and command-and-control settings. The exposure appears to have come from a simple Python web server left running for 22 days.
Show sources
- Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites — thehackernews.com — 10.07.2026 14:30
-
09.07.2026 03:00 2 articles · 1d ago
SOCRadar details WP-SHELLSTORM webshell access brokerage
Technical Analysis UpdateSOCRadar describes WP-SHELLSTORM as a webshell access brokerage that used automated scanners against FOFA-derived target lists to hit WordPress and Joomla flaws, plant webshell backdoors for resale, and operate tools such as down.php, SNOWLIGHT, and VShell. The same analysis also traces an earlier campaign in early May 2026 against corporate Java systems that pulled 613 configuration files and cloud credentials from 11 systems across nine companies.
Show sources
- Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites — thehackernews.com — 10.07.2026 14:30
- Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites — thehackernews.com — 10.07.2026 14:30