“its appearance is notable because the vulnerability is nearly six years old, suggesting threat actors are cycling back to target unpatched MDM infrastructure, which often holds privileged access to enterprise mobile fleets and sensitive configuration data. CVE-2017-16894 drop…”
T1190 Exploit Public-Facing Application
92%
“United Kingdom our honeynet sensors in the United Kingdom face a diverse attack mix weighted toward web application exploitation and remote code execution. A distinguishing characteristic is the frequency of server-side request forgery and injection attempts targeting web-fac…”
T1190 Exploit Public-Facing Application
87%
“forgotten, webshells. Azure-hosted scanning cluster launches WordPress webshell discovery campaign by grouping vulnerability exploit attempts into sessions, we have been able to normalize the statistics that we report on when analyzing attacks. Some attacks require multiple ste…”
T1588.006 Vulnerabilities
62%
“9841 as the most targeted vulnerability, despite only appearing in the data four months ago. CVE-2017-9841 remains persistently exploited across all six months, totaling 100,907 attempts, though its March figure of 12,480 is well below its November peak of 27,075. CVE-20…”
T1505.003 Web Shell
59%
“are still accessible at the predictable paths where CVE-2018-14028 deposits them. Threat assessment this activity represents a sustained, cloud-hosted webshell discovery campaign with a clear operational model: - infrastructure: the operator provisions scanning nodes excl…”
T1190 Exploit Public-Facing Application
58%
“path /uploads/2021/02/ follows WordPress's media upload directory structure, indicating the scanners are searching for webshells planted during a specific earlier campaign, potentially dating back to early 2021. Multipurpose scanning infrastructure cross-referencing the…”
T1190 Exploit Public-Facing Application
57%
“webshell scanning campaign this near-total concentration within a single cloud provider's address space strongly suggests a single operator provisioning cloud instances at scale for coordinated scanning, rather than independent actors coincidentally choosing the same platform…”
T1190 Exploit Public-Facing Application
56%
“are still accessible at the predictable paths where CVE-2018-14028 deposits them. Threat assessment this activity represents a sustained, cloud-hosted webshell discovery campaign with a clear operational model: - infrastructure: the operator provisions scanning nodes excl…”
T1505.003 Web Shell
56%
“plugin" as if it were a zip archive. The extraction fails because the file is not a zip, but critically, the uploaded PHP file is not cleaned up. It remains on disk in a predictable location within the wp-content/uploads/ or wp-content/upgrade/ directory. - remote code…”
T1588.006 Vulnerabilities
54%
“608,877, a 24.6% increase that positions it as the second-highest category for the month. Command execution also climbed to 608,880 (up 9.6%), while predictable resource location dipped slightly by 7.3% to 685,078. Trojan, backdoor, and spyware detections increased 3…”
T1190 Exploit Public-Facing Application
48%
“operator who established and validated their scanning infrastructure in January–February and then scaled up operations in March. Top CVEs for March 2026 Table 6: top 10 CVEs for March 2026 trending CVEs for March CVE-2025-55182 climbing to position 4 with a near-doubling…”
T1190 Exploit Public-Facing Application
48%
“9841 as the most targeted vulnerability, despite only appearing in the data four months ago. CVE-2017-9841 remains persistently exploited across all six months, totaling 100,907 attempts, though its March figure of 12,480 is well below its November peak of 27,075. CVE-20…”
T1190 Exploit Public-Facing Application
44%
“Azure-hosted scanning cluster launches WordPress webshell discovery campaign introduction just as we continually analyze the threat landscape, we also look to broaden and improve our telemetry to provide the best possible insights from our datasets. With this, in this article w…”
T1580 Cloud Infrastructure Discovery
44%
“shell probing representing a specialized module within a general-purpose scanning toolkit. MITRE ATT&CK mapping Table 4: Azure threat actor MITRE ATT&CK map trend context: a clear escalation pattern historical comparison reveals a deliberate scaling of this campaign ove…”
T1588.006 Vulnerabilities
39%
“Azure-hosted scanning cluster launches WordPress webshell discovery campaign introduction just as we continually analyze the threat landscape, we also look to broaden and improve our telemetry to provide the best possible insights from our datasets. With this, in this article w…”
T1190 Exploit Public-Facing Application
37%
“,807 to 710,596, suggesting the activation of new attack infrastructure in Canadian IP space. Singapore more than doubled its output to 1,303,632 (up 105.5%), while France showed a more modest 8.7% increase to 943,888. The broad increases across all five top source cou…”
T1588.006 Vulnerabilities
37%
“path /uploads/2021/02/ follows WordPress's media upload directory structure, indicating the scanners are searching for webshells planted during a specific earlier campaign, potentially dating back to early 2021. Multipurpose scanning infrastructure cross-referencing the…”
T1190 Exploit Public-Facing Application
32%
“plugin" as if it were a zip archive. The extraction fails because the file is not a zip, but critically, the uploaded PHP file is not cleaned up. It remains on disk in a predictable location within the wp-content/uploads/ or wp-content/upgrade/ directory. - remote code…”