SOC Incident Toolkit
Back to Campaigns
WP-SHELLSTORM - WordPress Mass Exploitation Operation

WP-SHELLSTORM - WordPress Mass Exploitation Operation

WordPressJoomlaPrestaShopCraft CMSApache NacosSNOWLIGHTWebshell Access BrokerageWP-SHELLSTORMWebshell Access Brokerage (WABO)

Financially motivated, China-linked webshell access brokerage operation (WABO) running two parallel campaigns from a single, fully exposed operations server (137.175.93.126). Campaign A weaponizes 27 CVEs across WordPress, Joomla, PrestaShop, Craft CMS, MetInfo and MaxSite, queuing 1.4M+ domains via FOFA recon and confirming 5,700+ live webshells, backed by a SNOWLIGHT-stager, VShell C2 delivery chain with kworker-process masquerading. Campaign B is a one-month-earlier, high-precision breach of enterprise Java infrastructure - Apache Nacos, XXL-Job, and Spring Boot - compromising 11 victims and exfiltrating 613 configuration files including cloud and payment-system keys.

Indicators of Compromise

Domains (1)

xs.xxooonline.eu.cc

Hashes (10)

0B23404491CAFF35FD5A7A3A3D89F66A5FB48F4BAA57B6C450C15230A0D5318165E8F2315488670526F055169D7D8496C63A39C452ED74CAE2DA1CB0193969B07496C08E0BB24A89814AC83F83551D8159802EA91789C2BE8BB8C9E57C6C32640255b7fa14f329871c252440f16f3335312391b878073b552845f09ae01a8eb5E4AD72B1D7A727FFCCF0E2A9DDF7B08C993826C17EB4B9F49C9734FC54B00B2A36BE47426E90899C56221F9521DDE0A20BE3AEFE780753C7DBE8EFEE4D59916E54953D3EECC8887F39AC0FDA4D33C84BCB6170144DBD1D133470D757595BEAEC58B17EF746D6FCD9F2E5738486D5AF7C4C02B6732176369536B9782D644EC11984F7E396A48913851A10CC78C5CC22A25634564ABD0694465236D2F365E2BDEEF14285507192FB7643597E4FFAAB006F9A3021E045999C1114E4E37BDA843B18

IPv4 (5)

91.207.102.163113.196.59.5143.108.17.80137.175.93.126113.196.56.150

Notes

<div><font color="#1b1b3c"><span style="font-size: 21.3333px;"><b>Conclusion</b></span></font></div><div><span style="background-color: transparent; color: rgb(68, 68, 68); font-family: Calibri, sans-serif; font-size: 10.5pt; white-space: pre-wrap;"> WP-SHELLSTORM demonstrates how a single financially motivated, moderately resourced actor can operate at genuinely mass scale (1.4M+ domains, 5,700+ live webshells) while simultaneously running a quieter, higher-value enterprise credential-theft branch (Nacos/XXL-Job/Spring Boot) from the same infrastructure. The two-phase playbook — enterprise credential theft first, mass webshell brokerage second — should be treated as a repeatable pattern rather than a one-off, and organizations exposing any of the 27 affected CMS platforms or Nacos/XXL-Job/Spring Boot services should assume they are in scope for future waves from this or copy-cat operators.</span></div><div><span id="docs-internal-guid-6bd17d6e-7fff-c9e5-a7d0-84ff6060dbb3"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">The actor's own critical OPSEC failure (a fully exposed, unauthenticated operations server) is what allowed full toolkit recovery, attribution, and IOC extraction in this instance — a reminder that even capable, well-resourced actors are frequently one misconfiguration away from full exposure, and that continuous infrastructure monitoring can surface this kind of opportunity.</span><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br><br></span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">SOCRadar platform modules directly support ongoing tracking of this campaign:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 10pt; font-family: &quot; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">IOC Radar — continuous matching of organizational web assets and Java infrastructure against the WP-SHELLSTORM IP/domain/webshell-hash dataset.</span></p></li><li style="list-style-type: disc; font-size: 10pt; font-family: &quot; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">CTI (Cyber Threat Intelligence) — monitoring for new CVE weaponization, additional webshell variants, and infrastructure pivots from this actor cluster.</span></p></li><li style="list-style-type: disc; font-size: 10pt; font-family: &quot; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">ASM (Attack Surface Management) — identifying internet-exposed WordPress/Joomla/CMS plugins, Nacos/XXL-Job panels, and Spring Boot Actuator endpoints vulnerable to this attack chain.</span></p></li><li style="list-style-type: disc; font-size: 10pt; font-family: &quot; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Dark Web Monitoring — tracking webshell-access-brokerage listings, FOFA/Chinese-language underground forum activity, and handles (chen-kk, chenyk, tance) associated with this operator.</span></p></li><li style="list-style-type: disc; font-size: 10pt; font-family: &quot; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Incidents — when an organization is identified as a target or victim within this campaign's dataset (matching IOCs, exposed assets, or exfiltrated data), SOCRadar generates a direct incident notification so the organization does not have to discover its exposure from a public report.</span></p></li></ul></span></div>

Mitigation

<span id="docs-internal-guid-abe08e39-7fff-912c-f38c-142a022f7ec9"><span style="font-size: 16pt; font-family: Calibri, sans-serif; color: rgb(27, 27, 60); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"> Mitigations</span></span><div><br></div><div><span id="docs-internal-guid-5007cf16-7fff-0434-ff7e-238fcbfb7133"><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Immediate Actios:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Block known IOCs at firewall/IPS: 137.175.93.126, 43.108.17.80, 113.196.56.150, 113.196.59.51, 91.207.102.163.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Block xs.xxooonline.eu.cc at DNS/proxy level.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Scan all web roots for known webshell filenames and patterns: down.php, .bd.php, .wp-log.php, gls.php, gls_fixed.php, new_shell.php, new_shell_bypass.php, new_shell_short.php, loader_shell.php, and the .brq-*.php / .sd_*.php / .leo_*.php / .wvp-*.php / .cc-*.php / .nf-log.php / BZ_*.php(tml) family.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">If running Nacos: upgrade to ≥ 2.2.1, block /nacos/v1/auth/users from the public internet, and enable nacos.core.auth.enabled.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">If running Spring Boot: disable /actuator/heapdump (and restrict /actuator/env, /actuator/beans) in production.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Monitor for [kworker/X:Y]-masquerading processes whose binary path does not resolve to a legitimate kernel thread.</span></p></li></ul><p style="line-height:1.2;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Short-Term Controls:</span></p><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Patch all 27 affected plugins/platforms, prioritizing Breeze Cache, ThemeREX Addons, and Joomla JCE, which account for the overwhelming majority of confirmed shells.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Audit upload directories associated with vulnerable plugins for unexpected PHP files: /wp-content/uploads/breeze/gravatars/, /wp-content/uploads/trx_addons/, /wp-content/cache/berqwp/, /wp-content/uploads/simple-file-list/, /wp-content/uploads/ninja-forms/, /wp-content/uploads/waveplayer/, /wp-content/uploads/wpbookit/, and /images/ (Joomla).</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Rotate all cloud provider keys and payment-system credentials for any organization matching the Nacos/XXL-Job/Spring Boot exposure profile, regardless of confirmed compromise.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Force credential rotation and re-harden any XXL-Job admin panel; enforce account lockout against brute-force login attempts.</span></p></li><li style="list-style-type: disc; font-size: 10.5pt; font-family: Calibri, sans-serif; color: rgb(68, 68, 68); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:3pt;" role="presentation"><span style="font-size: 10.5pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Deploy the process-anomaly detection command below across Linux fleets to catch kworker-masquerading implants.</span></p></li></ul></span></div>