WP-SHELLSTORM: Mass Exploitation Campaign Targets WordPress and Joomla

Article Content
In the high-stakes arena of global cybercrime, the line between an incredibly sophisticated operation and a total structural collapse is often drawn by a single operational security (OPSEC) oversight. On July 10, 2026, security researchers laid bare the inner workings of a massive, automated web-hacking campaign tracked as WP-SHELLSTORM, which has systematically mapped and targeted vulnerabilities in more than 1.4 million sites globally. While the campaign’s scale and automated orchestration represent a masterclass in modern adversary efficiency, its ultimate downfall was a rudimentary error: the threat operators left an unauthenticated Python SimpleHTTPServer directory running wide open on their US-based staging server for 22 consecutive days. This singular vulnerability enabled threat intelligence firms SOCRadar and Ctrl-Alt-Intel to harvest over 800 megabytes of highly sensitive staging materials, detailing target lists, deployment scripts, command histories, and pre-packaged webshell payloads.
Inside the Mechanics of a Webshell Access Brokerage
The WP-SHELLSTORM campaign represents a highly organized Webshell Access Brokerage Operation (WABO). Operating as middle-tier service providers within the thriving dark web economy, these financially motivated, Chinese-speaking threat actors do not typically execute the final stage of an attack—such as deploying ransomware or exfiltrating user databases. Instead, their business model revolves
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


