Find notable cyber news and cases, enriched with sources, timelines, and signals.

WP-SHELLSTORM webshell access brokerage campaign

Campaign
First reported
Last updated
Happening score
H score 71
1 unique sources, 1 articles

Summary

Hide ▲

The WP-SHELLSTORM campaign exposed its own infrastructure, revealing a webshell access brokerage that targeted WordPress and Joomla sites at scale and backdoored thousands of sites. The exposed files contained webshells, exploit scripts, scan results, command history, and target lists naming more than 1.4 million websites. The operation relied on automated scanning of public flaws such as CVE-2026-3844 to plant backdoors for later resale. Separate files show an earlier phase that harvested cloud credentials and other secrets from corporate Java systems before the large-scale webshell push.

Related Happenings

Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign

Campaign
H score36 First: 26.05.2026 10:13 Last: 26.05.2026 10:13 Sources 1

About this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

TeamPCP supply-chain credential-exploitation campaign

Campaign
H score34 First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...

Latest development: 12.05.2026 01:03

TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
H score59 First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Exposed security-training web apps exploitation wave

Exploitation Wave
H score41 First: 21.01.2026 16:00 Last: 21.01.2026 16:00 Sources 1

About this happening: **DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...

Timeline

  1. 10.07.2026 14:30 1 articles · 2h ago

    SOCRadar finds exposed WP-SHELLSTORM server on 137.175.93[.]126

    Detection Ioc Update

    SOCRadar's threat intelligence team found a US-based rented server at 137.175.93[.]126 with no password protection, exposing roughly 800MB across 434 files that included webshells, exploit scripts, scan results, the operator's typed command history, and command-and-control settings. The exposure appears to have come from a simple Python web server left running for 22 days.

    Show sources
  2. 09.07.2026 03:00 2 articles · 1d ago

    SOCRadar details WP-SHELLSTORM webshell access brokerage

    Technical Analysis Update

    SOCRadar describes WP-SHELLSTORM as a webshell access brokerage that used automated scanners against FOFA-derived target lists to hit WordPress and Joomla flaws, plant webshell backdoors for resale, and operate tools such as down.php, SNOWLIGHT, and VShell. The same analysis also traces an earlier campaign in early May 2026 against corporate Java systems that pulled 613 configuration files and cloud credentials from 11 systems across nine companies.

    Show sources