WP-SHELLSTORM: Exposed Chinese-Speaking Threat Actor Server Reveals Mass WordPress/Joomla Webshell Brokerage Targeting 1.4M Domains via CVE-2026-48907 (Joomla JCE) and CVE-2021-29441 (Nacos) — Threadlinqs Intelligence
Threat ID: TL-2026-1180 · Severity: HIGH · CVSS: 10 · Status: ACTIVE · Category: VULNERABILITY
Attribution: WP-SHELLSTORM Crew (Chinese-speaking access broker · China · FINANCIAL
An unsecured 800MB Python web server run by a Chinese-speaking financially-motivated crew exposed a webshell access brokerage operation that scanned 1.4 million WordPress/Joomla domains,
On June 11, 2026, SOCRadar discovered an unauthenticated Python web server (137.175.93[.]126, a US-hosted VPS) that had been left open for 22 days, exposing roughly 800MB of operational data belonging to a Chinese-speaking cybercriminal crew. The trove included exploit scripts, unredacted command history, FOFA search-engine configuration files (FOFA requires a Chinese phone number to register, a strong nationality signal), and target lists naming 1.4 million WordPress and Joomla domains. Ctrl-Alt-Intel (via the Hunt.io open-directory platform) published deduplicated analysis on June 22, 2026 confirming 25,195 sites showed evidence of successful compromise, and SOCRadar's July 9, 2026 writeup counted 5,700+ live webshells still active on infected hosts at time of discovery.
The operation is best characterized as a webshell-access brokerage: automated FOFA-sourced reconnaissance identifies vulnerable WordPress and Joomla installations at scale, a scanner/exploiter framework fires a chain of 11 known plugin/CMS CVEs plus one enterprise Java CVE, and successful hits are backdoored with a custom heavily-obfuscated (four layers of encoding) PHP webshell named down.php, derived from the open-source Chinese webshell kit BestShell. Confirmed access is then packaged and resold to downstream customers rather than monetized directly by the crew, consistent with an initial-access-broker business model.
The single highest-impact vulnerability in the chain is CVE-2026-48907, an improper access control flaw in the Joomla Content Editor (JCE) extension (versions 1.0.0 through 2.9.99.4) that lets an unauthenticated attacker create a rogue editor profile and use it to upload and execute arbitrary PHP, achieving unauthenticated remote code execution with a CVSS score of 10.0. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of 2026-06-19 under BOD 26-04; public exploit code is available and attacks are automated. In this campaign the JCE vector reached 560,000+ candidate targets but yielded only 77 confirmed successful compromises, indicating most sites had already patched or additional exploitation preconditions limited success. By contrast, CVE-2026-3844 — an unauthenticated arbitrary file-upload vulnerability in the Breeze Cache plugin (versions ≤2.4.4, 400,000+ active installs, developed by Cloudways) reachable through the plugin's fetch_gravatar_from_remote function when the 'Host Files Locally – Gravatars' option is enabled — was the volume leader, hitting 45,000+ targets and yielding 17,000+ confirmed backdoors, the bulk of the campaign's total compromise count.
For persistence beyond the initial down.php webshell, the crew deployed a second-stage toolchain consisting of a SNOWLIGHT dropper that loads VShell, a fileless WebSocket-based reverse-shell/RAT, directly into memory using the Linux memfd_create syscall. The resulting process disguises itself as [kworker/0:2] to blend in with legitimate kernel worker threads, which normally have no backing program file, command line, or open network sockets — making its presence a strong host-based detection signal. This SNOWLIGHT-to-VShell toolchain was first documented publicly by Sysdig in April 2025 in connection with the suspected Chinese state-nexus group UNC5174, previously known for using SUPERSHELL and for targeting F5 devices and other edge infrastructure for espionage and access-brokering. Sysdig and other researchers caution that VShell has since proliferated into general Chinese-speaking criminal forums, so its presence alone is not proof of state-actor involvement; this WP-SHELLSTORM operation is independently assessed as financially motivated (webshell brokerage) even though it reuses UNC5174-associated tradecraft. Godzilla, another Chinese-origin webshell/C2 management framework, was also found among the exposed operator's toolset.
A separate but related campaign thread, conducted by the same crew in May 2026 and documented i
Weaknesses (CWE)
CWE-284, CWE-434, CWE-306, CWE-287, CWE-22
Target sectors: technology, government administration, finance, ecommerce, logistics, gaming, electronics, news - media, small-business, hosting-providers
Target regions: Global, North America, Asia-Pacific, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 19 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
VULNERABILITY, HIGH, threat intelligence, cybersecurity, CVE-2026-3844, CVE-2026-48907, CVE-2026-1969, CVE-2020-36847, CVE-2026-6433, CVE-2025-7443, CVE-2026-0740, CVE-2025-12057, CVE-2025-7852, CVE-2020-25213, T1596.005, T1587.001, T1583.003, T1190, T1059.004, T1203, T1505.003, T1543, T1068, T1036.005