137.175.93[.]126 sat on the public internet with no password for 22 days, and inside its files lay a mass-hacking operation's playbook — scans, exploits, webshells, command history, and target lists that named more than 1.4 million domains.
The open server at 137.175.93[.]126
SOCRadar's threat team found the exposed US‑based rented server on June 11, 2026; Ctrl‑Alt‑Intel had also analyzed the same directory after finding it on Hunt.io and published on June 22. The directory contained roughly 800MB across 434 files — webshells, exploit scripts, scan results, typed command history, and command‑and‑control settings. The operator had started a simple Python web server to move files and left it running for 22 days. When the crew noticed it had been observed, sometime between July 2 and July 4, it deleted some log lines — three weeks after first exposing the data.
WP-SHELLSTORM's toolkit: down.php, SNOWLIGHT, and VShell
The operation, tracked as WP‑SHELLSTORM, acted as a webshell access broker: break into sites at scale, plant a webshell backdoor, and package access for resale. The main backdoor file, down.php, was heavily obfuscated (four layers) and appears derived from an open‑source Chinese webshell called BestShell. Once installed it could manage files, run commands, open reverse shells, scan the network, and enumerate host security software.
For persistent remote access the crew used a SNOWLIGHT dropper to install VShell, a backdoor that disguises its process name as [kworker/0:2] to blend with kernel thread names. Sysdig previously linked a SNOWLIGHT‑to‑VShell chain to the suspected Chinese state group UNC5174 in April 2025; the exposed server here also contained tooling and artifacts common in Chinese‑speaking criminal circles.
Targets, scale, and what was actually compromised
The target lists totaled more than 1.4 million domains, but that number is the line count of lists, not confirmed compromises. The single largest list file named 587,034 Joomla targets. Where the crew fired exploits, their own counts and independent researchers diverged:
- The Breeze caching plugin bug (CVE‑2026‑3844) was fired at more than 45,000 targets and, by the crew's count, backdoored over 17,000 sites — though that exploit only works when a non‑default "Host Files Locally – Gravatars" setting is enabled.
- A Joomla bug was fired at more than 560,000 targets but landed on only 77 of them, illustrating how scan lists differ from successful compromises.
- Ctrl‑Alt‑Intel's deduplicated count found 25,195 sites with confirmed or validated compromise evidence; SOCRadar, counting active webshells, put the live figure at 5,700‑plus.
The toolkit covered 27 known flaws overall, with a handful doing most of the work. The operation also left a FOFA config file and unedited command history that made tracing far easier for researchers.
Earlier May campaign: Nacos exploitation and stolen cloud credentials
Files on the same server show a quieter, earlier May 2026 campaign against corporate Java systems. SOCRadar found that campaign pulled 613 configuration files from 11 systems across nine companies in fintech, e‑commerce, logistics, gaming, and electronics. The haul included cloud login keys for AWS, Alibaba Cloud, Oracle, Tencent, and DigitalOcean; database passwords; and Alipay RSA private keys.
The May campaign leveraged a well‑known Nacos bug (CVE‑2021‑29441) that can bypass login by faking a single web header. SOCRadar reads the sequence as deliberate: harvest high‑value credentials first, then pivot weeks later to volume backdoor work — a funding round before scaling up.
What this means for WordPress and Joomla administrators, cloud operators, and incident responders
- WordPress and Joomla administrators: Patch Breeze (CVE‑2026‑3844, fixed in 2.4.5) if the non‑default "Host Files Locally – Gravatars" setting is enabled. Treat the Joomla JCE flaw (CVE‑2026‑48907, fixed in 2.9.99.5) as urgent — it is maximum‑severity and on CISA's Known Exploited Vulnerabilities list. Check and patch other listed plugins: ThemeREX Addons (CVE‑2026‑1969), Simple File List (valid ID CVE‑2020‑36847), Custom CSS JS PHP (CVE‑2026‑6433), BerqWP (CVE‑2025‑7443), Ninja Forms uploads (CVE‑2026‑0740), WavePlayer (CVE‑2025‑12057), WPBookit (CVE‑2025‑7852), and WP File Manager (CVE‑2020‑25213).
- Cloud operators and application owners: For Nacos, upgrade to 2.2.1 or later and enable authentication (nacos.core.auth.enabled=true). If an instance was ever exposed, rotate every credential that lived in it, not just the obvious ones. Close unauthenticated XXL‑Job executor endpoints and disable /actuator/heapdump in production Spring Boot instances.
- Incident responders and hunters: Search for webshell filename patterns revealed in the files — for example .bd.php, .wp‑log.php, and .brq‑*.php — and check for impostor kernel threads named [kworker/X:Y]. A real kernel thread has no /proc//exe, no command line, and no network sockets; any [kworker] with those traits is likely malicious. Block known infrastructure: 137.175.93[.]126, 43.108.17[.]80, and the domain xs.xxooonline[.]eu[.]cc.
WP‑SHELLSTORM is not notable for exotic zero‑days but for ordinary tradecraft run at scale: public exploits, automated scanning, and massive target lists were enough to compromise tens of thousands of sites — and those details are public only because the crew left a server unlocked. The exposed artifacts tie a high‑volume campaign to an earlier credential theft effort and leave open who downloaded the tools (one Taiwan IP made more than 42,000 requests) and which of the named operators — tance, chen‑kk, chenyk — are customers, partners, or something else.




