Introduction
In July 2026, the security community gained a rare, unobstructed view into a massive cybercrime operation due to a significant operational security failure by the threat actors. A server used by the crew behind "WP-SHELLSTORM" was left exposed on the internet for three weeks without authentication. This leak provided researchers with access to hacking tools, activity logs, and a target list containing over 1.4 million websites.
While the number of confirmed compromises is lower than the total targets, the exposed data reveals a highly automated mass-hacking operation focused on WordPress instances. The attackers are systematically deploying webshells to maintain persistence, likely for SEO spam, redirect fraud, or serving malware. For defenders, this is not a theoretical risk; the internal logs confirm active exploitation. Immediate action is required to identify webshells and close the security gaps allowing this initial access.
Technical Analysis
Threat Actor: WP-SHELLSTORM (tracked name based on internal tooling discovered on the exposed server).
Affected Products: WordPress CMS (all versions potentially vulnerable depending on plugin/theme posture).
CVE Identifiers: No specific CVE was cited in the source reporting for this campaign; however, the attackers likely leverage vulnerabilities in WordPress plugins or themes published in 2025-2026 or weak credentials.
Attack Chain:
- Reconnaissance: The exposed server contained target lists, indicating the actors use automated scanners to identify WordPress hosts.
- Initial Access: The operation exploits vulnerabilities in third-party plugins/themes or utilizes brute-force attacks against administrative credentials.
- Execution & Persistence: Upon successful access, the attackers deploy PHP-based webshells (backdoors). These are often obfuscated and placed in writable directories like
/wp-content/uploads/to blend in with legitimate media files. - Command & Control (C2): The webshells receive commands from the actor's infrastructure, allowing for remote code execution (RCE) directly on the web server.
Exploitation Status: Confirmed active exploitation. The logs found on the exposed server detail successful intrusions and subsequent webshell deployment against live targets.
Detection & Response
The following detection mechanisms focus on the primary persistence mechanism observed in this campaign: the creation of PHP webshells in unexpected directories and suspicious CLI execution.
SIGMA Rules
---
title: WP-SHELLSTORM Webshell Creation in Uploads Directory
id: 8c4f3d21-1a9e-4b5c-9e2d-1f3b4c5d6e7f
status: experimental
description: Detects the creation of PHP files in the WordPress uploads directory, a common location for webshell persistence in mass compromises.
references:
- https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains: '/wp-content/uploads/'
TargetFilename|endswith: '.php'
condition: selection
falsepositives:
- Legitimate plugins generating cache files (rare in uploads)
- Misconfigured upload forms allowing PHP execution
criticality: high
---
title: Suspicious PHP CLI Execution
id: 9d5e4f32-2b0f-5c6d-0f3e-2g4c5d6e7f8g
status: experimental
description: Detects execution of PHP via command line with code execution flags (-r) often used by webshells or automated scripts.
references:
- https://thehackernews.com/2026/07/exposed-hacker-server-reveals-wp.html
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/php'
CommandLine|contains: '-r'
condition: selection
falsepositives:
- Administrative scripts using php -r for updates
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for the creation of PHP files within the WordPress uploads directory, a key indicator of the WP-SHELLSTORM methodology.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains @"/wp-content/uploads/"
| where FileName endswith ".php"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, SHA256
| order by Timestamp desc
Velociraptor VQL
Hunt artifact to locate PHP files deposited in the uploads directory, which should typically contain images or media, not executable code.
-- Hunt for PHP files in WordPress uploads directories
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='/var/www/html/**/wp-content/uploads/**/*.php')
WHERE Mtime > ago("-7d")
Remediation Script (Bash)
A bash script to scan for common webshell signatures and suspicious files in WordPress uploads directories. This should be run as root or the web server user.
#!/bin/bash
# WP-SHELLSTORM Remediation Script
# Scans for common webshell patterns in wp-content/uploads
UPLOAD_DIR="/var/www/html/wp-content/uploads"
LOG_FILE="/tmp/wp_shellstorm_scan.log"
# Common webshell functions/strings to scan for
PATTERNS=("eval(" "base64_decode" "gzinflate" "str_rot13" "assert(" "create_function" "passthru" "shell_exec" "system(" "exec(" "popen(" "proc_open")
echo "Starting scan for WP-SHELLSTORM indicators in $UPLOAD_DIR..." | tee -a "$LOG_FILE"
# Find .php files in uploads directory
find "$UPLOAD_DIR" -type f -name "*.php" -print0 | while IFS= read -r -d '' file; do
echo "Checking: $file" | tee -a "$LOG_FILE"
# Check for suspicious strings
for pattern in "${PATTERNS[@]}"; do
if grep -qi "$pattern" "$file"; then
echo "[ALERT] Suspicious pattern '$pattern' found in $file" | tee -a "$LOG_FILE"
fi
done
done
echo "Scan complete. Review $LOG_FILE for details."
Remediation
- Identify and Remove Webshells: Use the detection script above to locate malicious PHP files. Do not simply delete them; analyze the content to understand the scope of the breach. Restore affected files from a clean backup if available.
- Update and Patch: Ensure WordPress core, all plugins, and themes are updated to their latest versions. Pay special attention to any plugins known to have vulnerabilities in 2025-2026.
- Credential Reset: Assume all administrative credentials have been compromised. Force a password reset for all users with administrative privileges and enforce strong password policies and Multi-Factor Authentication (MFA).
- Access Control: Verify file permissions. The
wp-content/uploads/directory should never have execute permissions for scripts. Ensure.htaccessornginx.confrules explicitly deny the execution of PHP in upload directories. - Integrity Monitoring: Implement File Integrity Monitoring (FIM) to alert on any future creation or modification of PHP files in the
wp-contentdirectory tree.
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.