highMalware

NetScan/WPMagic CaaS: Mass WordPress Exploitation Panel Unmasked (wpmagic.net + xssnew.com)

Originally shared via @BreakGlassIntel thread on 2026-04-17.

InvestigatedApril 17, 2026PublishedApril 17, 2026

netscanwpmagiccaasxssnewunmasked

Classification: TLP:AMBER
Investigation ID: GHOST-2026-0417-NETSCAN
Date: 2026-04-17
Status: ACTIVE
Analyst: Breakglass Intelligence
Source Credit: @JustWantToQ1 (Voidwalker) -- initial tip

Executive Summary

NET_SCAN is a fully operational cybercrime-as-a-service (CaaS) platform operated by the actor xssNew (XSS.is forum, Premium member since July 2022). The platform consists of two interconnected web applications: netscan[.]info, the full-featured CaaS panel offering WordPress exploitation, remote shell access, SMS fraud, email spoofing, credential theft, and cryptomining deployment; and wpmagic[.]net, a spinoff panel branded "WP Magic Button" that focuses specifically on WordPress mass credential checking and code injection.

Both domains share a single Cloudflare account (NS pair: elias.ns.cloudflare.com / rita.ns.cloudflare.com), confirming common ownership. The operator communicates in Russian natively and maintains Telegram infrastructure under the handle @NET_SCAN_Admin.

Critical findings include unauthenticated API endpoints on netscan[.]info leaking 29 stolen SMS provider credentials, 18,862 stolen SMTP credentials, 104 exposed databases, and a full cryptominer deployment script with C2 configuration. The miner binary is not present in VirusTotal as of the investigation date.

The concept for the WordPress injection toolkit was stolen from security researcher Voidwalker (@JustWantToQ1), who publicly called out the theft on Twitter on April 15, 2026.

Actor Profile

Attribute	Value
Forum Handle	xssNew
Forum	XSS.is (Premium member)
Joined	July 21, 2022
Messages	46
Telegram	@NET_SCAN_Admin ("Founder and technical lead of the NET_SCAN project")
Bots	@NET_SCAN_bot (ScanBot), @netscan_bot
Private Channel	`t.me/+aikcAM_CK5NlZWRk`
Language	Russian (native) -- 100+ Cyrillic UI strings in source; English, Spanish, Chinese translations
Payment	USDT TRC20 to `TEcji7HtrDfc1kjTCWe7C6BzXzR7DTxoUX` (wallet empty/fresh at time of investigation)

The actor advertised "Magic Button - Project from the Net Scan" on XSS.is, offering WordPress credential checking and code injection as a service at three pricing tiers: $100, $300, and $500.

Infrastructure: wpmagic.net

Domain: wpmagic[.]net
Registrar: Ultahost Inc (registered 2026-04-10, WHOIS proxy claims New York, US)
Stack: Vue.js frontend + Express/Node.js backend behind Cloudflare
Certificate: Let's Encrypt E8, wildcard *.wpmagic.net, issued April 10, 2026
IPs (Cloudflare): 104.21.79.221, 172.67.171.145

Registration & Access

The platform offers open registration. During the investigation, account ghostrecon_1776388805 was created (assigned user ID 16). At the time of registration, only three prior accounts existed: admin, test, and test1 -- indicating the platform was freshly launched with minimal adoption.

The admin account was found to be disabled, likely locked by the operator after early Twitter exposure.

Core Functionality

WP Magic Button provides a WordPress mass exploitation workflow:

Credential Checking -- Bulk verification of WordPress login credentials against target sites
Four Injection Methods:
- Theme Editor (TE_INJECTED) -- Modifies active theme functions.php
- File Manager (FM_INJECTED) -- Uses File Manager plugin for file upload/modification
- Plugin Editor (PE_INJECTED) -- Edits existing plugin source code
- Plugin Loading (PU_INJECTED) -- Uploads and activates a malicious plugin
Campaign System -- Multi-threaded campaigns with configurable timeouts, proxy support, and custom injection scripts
Result Classification -- Sites categorized as Good, Injected, NoPlugin, or Bad
Clone Missed -- Retry feature for failed injection attempts

Available variables in injection scripts: $site_url, $username, $password

Pricing Model

Payment is handled through the /api/user/pay/init endpoint:

Tier	Price
Basic	$100
Standard	$300
Premium	$500

All payments accepted in USDT (TRC20) to wallet TEcji7HtrDfc1kjTCWe7C6BzXzR7DTxoUX.

Link to Parent Platform

The connection to netscan[.]info was established through hardcoded artifacts in the wpmagic[.]net dashboard source code:

Comment references to //t.me/NET_SCAN_Admin
Comment references to //netscan.info/
Sidebar banner element linking directly to netscan[.]info
Identical Cloudflare NS pair (elias + rita) confirming same account

Infrastructure: netscan.info

Domain: netscan[.]info
Stack: 3MB React application bundle + Node.js backend behind Cloudflare
IPs (Cloudflare): 104.21.91.253, 172.67.183.109

The parent platform is a comprehensive cybercrime-as-a-service offering with far greater capability than the wpmagic[.]net spinoff. Analysis of the React application bundle and API endpoint enumeration revealed the following modules:

Module Inventory

Module	API Path	Capability
jQuery Changer	`/api/jquery-changer/*`	WordPress mass injection (the "Magic Button" module)
Remote Shell	`/api/shell`, `/api/exec/run`	Execute commands on compromised hosts
AWS Credential Theft	`/api/credentials/aws/*`	Harvest and validate AWS credentials
cPanel/SSH Access	`/api/security/cpanel-access`, `/api/security/ssh-access`	Steal cPanel and SSH credentials
Sensitive File Scanner	`/api/sensitive-scan/*`	Discover databases and sensitive files on hosts
Database Operations	`/api/db`	Direct database manipulation
Email Database Extraction	`/api/security/db-email/*`	Extract email databases from compromised hosts
Email Spoofing	`/api/plugins/email-spoof/*`	SMTP-based email spoofing
SMS Fraud	`/api/sms/*`	Send SMS, manage numbers, track provider stats
Bulk Email Campaigns	`/api/mail/campaign/send`	Mass email distribution
AI Phishing Emails	`/api/email/ai-generate`	LLM-generated phishing content
AI Assistant (Luna)	`/admin/ai-chat/stream`	Operator AI assistant
Crypto Mining	`/api/miners/*`	XMRig deployment and management
Telegram Automation	`/api/plugins/telegram-autoreply/*`	Automated Telegram bot responses
WhatsApp Automation	`/api/plugins/whatsapp-autoreply/*`	Automated WhatsApp responses
Telerik Exploit Builder	`/api/telerik/build-dll`	CVE exploit DLL generation for Telerik
Text-to-Speech	`/api/tts/speak`	Voice synthesis for vishing attacks
Referral System	`/api/ref/invite`, `/api/ref/track`	Affiliate tracking for customer acquisition

AI Integration

The platform integrates multiple LLM providers under the internal name "Luna":

Groq -- llama-3.1-8b, llama-3.3-70b
OpenAI -- GPT models
Anthropic -- Claude models
Google -- Gemini models

This AI layer is used for phishing email generation and operator assistance.

Credential Artifact

The production JavaScript bundle contains the hardcoded credential artifact @ssw0rd123!, likely a default or development password that was not stripped before deployment.

Unauthenticated Data Leaks

Multiple API endpoints on netscan[.]info return sensitive operational data without requiring any authentication. These represent both intelligence opportunities and indicators of the operator's poor security practices.

1. Stolen SMS Provider Credentials

Endpoint: /api/sms/credentials
Exposed: 29 stolen Twilio, Vonage, and MSG91 API credentials with full Account SIDs

Affected organizations include:

Organization	Domain	Sector
HealthUB Africa	myhealth-dev.healthubafrica.com	Healthcare (Africa)
Neptik Authenticator	api.authenticator.neptik.com	Authentication services
PillPharm	api.pillpharm.co.uk	Pharmacy (UK)
PTPS	ptps.com.pk	Organization (Pakistan)
ePalengke LGU	epalengke-admin.lguapps.com	Government (Philippines)
DeliveryMax	deliverymax.co.uk	Delivery services (UK)
Vine Healthcare	portal.vinehealthcareservices.com	Healthcare
+ 22 more	--	Various sectors

2. SMS Provider Statistics

Endpoint: /api/sms/providers/stats

Provider	Total Credentials	Valid
Twilio	690	58
Vonage	70	10
MSG91	24	10
Infobip	--	--
Plivo	--	--
BulkSMS	--	--

3. Exposed Database Inventory

Endpoint: /api/sensitive-scan/databases
Exposed: 104 databases discovered by the platform's scanning operations

100 MongoDB instances
4 PostgreSQL instances
Targets include universities, AI companies, fintech platforms, and e-commerce sites

4. Stolen Email Credentials

Endpoint: /api/mail/providers/stats

Type	Total	Validated
SMTP credentials	18,862	942
SendGrid API keys	536	43
Mailgun API keys	227	16
Resend API keys	217	52

5. Miner Installation Script

Endpoint: /api/miners/agent/install.sh
Full deployment script exposed (see Cryptominer Deployment section).

6. Scanner Operational Data

Endpoints: /api/sensitive-scan/status, /api/sensitive-scan/logs
Real-time scanner session status and historical scan logs exposed without authentication.

Cryptominer Deployment

The platform deploys a custom cryptomining agent to compromised hosts. The full installation script was recovered from the unauthenticated endpoint /api/miners/agent/install.sh.

Architecture

Component	Detail
Agent Binary	`multimmm-user` (custom Go binary)
Miner	XMRig (Monero)
C2 Protocol	WebSocket (`wss://netscan.info/api/miners/ws/agent`)
Persistence	systemd service (`multimmm-user.service`), auto-restart on failure
Agent SHA256	`0a1c301ddbf20dfdf4cd5905f1bba8ffea85c94af2849971c9701472ff059e1c`
XMRig SHA256	`1821cfbf97c531534a9c11dc30f5f1dc1b32071ab5d5d7326767ee9607d5e907`

API Keys (Embedded in Install Script)

6ae42b2642631533e1e65ba7cdc95cad0f9d9206b787ca1f2ca48a8d5d18f3d7
0d4c7e56d15d920592dd93ba35d18bd08d102951d6039ff219710f0c29c72ff0

VirusTotal Status

The multimmm-user agent binary hash (0a1c301d...) was not found in VirusTotal at the time of investigation, indicating this is a custom or newly compiled binary without prior detection coverage.

Stolen Concept Attribution

On April 15, 2026, Twitter user @JustWantToQ1 (known as Voidwalker) publicly accused the NET_SCAN operator of stealing their concept:

"someone just took my idea of making a js inject exploit kit for mass spreading clickflix campaigns and started selling it for bullshit '100$ - 300$ - 500$' packages after running it through an AI"

Voidwalker then directly linked to https://wpmagic[.]net/login, adding:

"I hope your service and all your customers get rekt just because"

This public callout is what led to the initial discovery and investigation of the wpmagic[.]net platform. The AI-generated nature of the code is supported by the codebase characteristics observed during analysis.

Vulnerabilities Found

Five security weaknesses were identified in the wpmagic[.]net platform during investigation:

#	Vulnerability	Severity	Detail
1	Password Change Without Verification	High	`POST /api/user/password` does not require the current password
2	Authorization Bypass on Proxy Lists	Medium	Proxy list creation at `/api/proxy` bypasses subscription tier checks
3	Missing CORS Headers	Medium	No CORS policy enables cross-site request forgery
4	Weak Session Security	Medium	64-char hex SHA-256 session cookie lacks `Secure` flag
5	Internal Service Exposure	Low	FlareSolverr internal URL (`http://flaresolverr:8191`) leaked via `/api/flaresolverr`

Indicators of Compromise

Network Indicators

Type	Indicator	Context
Domain	`wpmagic[.]net`	WordPress injection panel
Domain	`netscan[.]info`	Full CaaS platform
IPv4	`104.21.79.221`	wpmagic[.]net (Cloudflare)
IPv4	`172.67.171.145`	wpmagic[.]net (Cloudflare)
IPv4	`104.21.91.253`	netscan[.]info (Cloudflare)
IPv4	`172.67.183.109`	netscan[.]info (Cloudflare)
URL	`wss://netscan[.]info/api/miners/ws/agent`	Miner C2 WebSocket
URL	`http://flaresolverr:8191`	Internal CAPTCHA solver

Host Indicators

Type	Indicator	Context
SHA256	`0a1c301ddbf20dfdf4cd5905f1bba8ffea85c94af2849971c9701472ff059e1c`	multimmm-user agent binary
SHA256	`1821cfbf97c531534a9c11dc30f5f1dc1b32071ab5d5d7326767ee9607d5e907`	Bundled XMRig binary
Service Name	`multimmm-user`	systemd persistence service
Process Name	`multimmm-user`	Agent process
API Key	`6ae42b2642631533e1e65ba7cdc95cad0f9d9206b787ca1f2ca48a8d5d18f3d7`	Miner agent key
API Key	`0d4c7e56d15d920592dd93ba35d18bd08d102951d6039ff219710f0c29c72ff0`	Miner agent key
Credential	`@ssw0rd123!`	Hardcoded in production bundle

Actor Indicators

Type	Indicator	Context
Telegram	`@NET_SCAN_Admin`	Operator account
Telegram	`@NET_SCAN_bot`	ScanBot
Telegram	`@netscan_bot`	Secondary bot
Telegram	`t.me/+aikcAM_CK5NlZWRk`	Private channel invite
Forum	xssNew (XSS.is)	Premium member, 46 messages
Wallet	`TEcji7HtrDfc1kjTCWe7C6BzXzR7DTxoUX`	USDT TRC20 payment

Certificate Indicators

Domain	Issuer	Note
`*.wpmagic.net`	Let's Encrypt E8	Wildcard, issued April 10, 2026
`netscan.info`	Cloudflare	Behind Cloudflare proxy

Cloudflare NS Pair (Shared Account)

elias.ns.cloudflare.com
rita.ns.cloudflare.com

MITRE ATT&CK Mapping

Technique ID	Name	Platform Usage
T1190	Exploit Public-Facing Application	WordPress credential brute-force and injection
T1059.004	Command and Scripting Interpreter: Unix Shell	Remote shell module (`/api/shell`, `/api/exec/run`)
T1552.001	Unsecured Credentials: Credentials in Files	SMS API key harvesting, SMTP credential theft
T1496	Resource Hijacking	XMRig cryptominer deployment
T1583.001	Acquire Infrastructure: Domains	wpmagic[.]net, netscan[.]info
T1583.006	Acquire Infrastructure: Web Services	Cloudflare CDN and Workers
T1588.002	Obtain Capabilities: Tool	Stole Voidwalker's concept, AI-generated code
T1566.002	Phishing: Spearphishing Link	Email spoofing module with AI-generated content
T1078	Valid Accounts	WordPress credential checking and reuse
T1505.003	Server Software Component: Web Shell	PHP injection into WordPress themes/plugins
T1053.003	Scheduled Task/Job: Systemd	Miner persistence via systemd service
T1027	Obfuscated Files or Information	Packed/stripped miner binary
T1071.001	Application Layer Protocol: Web Protocols	WebSocket C2 channel for miner
T1048	Exfiltration Over Alternative Protocol	SMS credential exfiltration via stolen API keys

Detection Signatures

Suricata / Snort

alert http $HOME_NET any -> any any (msg:"NetScan Miner Agent Install"; content:"multimmm-user"; http_uri; sid:2026041710; rev:1;)
alert http $HOME_NET any -> any any (msg:"NetScan Miner WebSocket C2"; content:"netscan.info/api/miners/ws/agent"; sid:2026041711; rev:1;)
alert http $HOME_NET any -> any any (msg:"NetScan jQuery Changer Injection"; content:"jquery-changer"; http_uri; sid:2026041712; rev:1;)
alert dns $HOME_NET any -> any any (msg:"NetScan CaaS Domain"; dns.query; content:"netscan.info"; sid:2026041713; rev:1;)
alert dns $HOME_NET any -> any any (msg:"WPMagic Panel Domain"; dns.query; content:"wpmagic.net"; sid:2026041714; rev:1;)

Splunk Queries

index=proxy (dest_host="netscan.info" OR dest_host="wpmagic.net")
| stats count by src_ip, dest_host, uri_path

index=sysmon EventCode=1 (CommandLine="*multimmm-user*" OR CommandLine="*xmrig*")
| table _time, Computer, User, CommandLine, ParentCommandLine

index=linux sourcetype=syslog "multimmm-user" OR "systemctl.*multimmm"

YARA Rules

rule NetScan_Miner_Agent {
    meta:
        description = "NetScan CaaS custom crypto miner agent"
        author = "Breakglass Intelligence"
        date = "2026-04-17"
        tlp = "AMBER"
        reference = "GHOST-2026-0417-NETSCAN"
    strings:
        $s1 = "multimmm-user" ascii
        $s2 = "netscan.info/api/miners" ascii
        $s3 = "6ae42b2642631533e1e65ba7cdc95cad" ascii
        $s4 = "0d4c7e56d15d920592dd93ba35d18bd0" ascii
    condition:
        uint32(0) == 0x464c457f and any of them
}

rule WPMagic_Injection_Marker {
    meta:
        description = "WP Magic Button WordPress injection markers"
        author = "Breakglass Intelligence"
        date = "2026-04-17"
        tlp = "AMBER"
        reference = "GHOST-2026-0417-NETSCAN"
    strings:
        $te = "TE_INJECTED" ascii
        $fm = "FM_INJECTED" ascii
        $pe = "PE_INJECTED" ascii
        $pu = "PU_INJECTED" ascii
        $wp = "wpmagic" ascii nocase
        $ns = "netscan" ascii nocase
    condition:
        any of them
}

rule NetScan_FlareSolverr_Config {
    meta:
        description = "NetScan platform FlareSolverr configuration leak"
        author = "Breakglass Intelligence"
        date = "2026-04-17"
        tlp = "AMBER"
        reference = "GHOST-2026-0417-NETSCAN"
    strings:
        $fs = "flaresolverr:8191" ascii
        $ns = "netscan" ascii nocase
    condition:
        all of them
}

Recommendations

Immediate Actions

DNS/Proxy Blocking -- Block netscan[.]info and wpmagic[.]net at all DNS resolvers, web proxies, and firewall appliances.
Host Hunting -- Search all Linux hosts for the multimmm-user systemd service and any running xmrig processes. Check for the service file at /etc/systemd/system/multimmm-user.service.
WordPress Audit -- All WordPress administrators should:
- Inspect functions.php in the active theme for unauthorized modifications
- Review the installed plugin list for unknown or recently added plugins
- Check File Manager plugin activity logs for suspicious file operations
- Rotate all WordPress admin credentials

Notification Actions

SMS Provider Notification -- The 29 stolen API credentials (Twilio, Vonage, MSG91) should be reported to the respective providers for immediate revocation. Affected organizations (HealthUB Africa, PillPharm, ePalengke LGU, and others) should be notified.
Database Exposure Notification -- The 104 exposed databases (primarily MongoDB) identified by the platform's scanner should be reported to their respective operators.
Cloudflare Abuse Report -- File an abuse report with Cloudflare for both domains, noting they share a single account (NS pair: elias + rita) and are used for active cybercrime operations.

Law Enforcement

Forum Actor Reporting -- Report xssNew (XSS.is Premium member, joined July 2022, 46 messages) to FBI IC3 and Europol EC3 with full IOC package.
Wallet Monitoring -- Monitor USDT TRC20 wallet TEcji7HtrDfc1kjTCWe7C6BzXzR7DTxoUX for cashout transactions that may reveal exchange accounts or additional infrastructure.

Investigation Files

File	Description
`README.md`	This investigation report
`CLIENT_REPORT.html`	Client-ready HTML report
`iocs.csv`	Machine-readable IOC list
`yara_rules.yar`	YARA detection rules
`stix_bundle.json`	STIX 2.1 threat intelligence bundle

Timeline

Date	Event
2022-07-21	xssNew joins XSS.is forum (Premium member)
2026-04-10	wpmagic[.]net domain registered via Ultahost Inc
2026-04-10	Let's Encrypt wildcard certificate issued for `*.wpmagic.net`
2026-04-15	@JustWantToQ1 (Voidwalker) publicly accuses NET_SCAN of stealing concept
2026-04-15	Voidwalker links to wpmagic[.]net login page on Twitter
2026-04-16	Investigation initiated by Breakglass Intelligence
2026-04-17	Full platform analysis completed, unauthenticated leaks documented
2026-04-17	Report generated

Methodology

This investigation followed the GHOST offensive intelligence methodology:

Initial Tip -- Voidwalker's Twitter callout identified wpmagic[.]net
Open Registration -- Account created on wpmagic[.]net to assess platform capabilities
Source Code Analysis -- Vue.js/React bundles analyzed for hardcoded references and API endpoints
Infrastructure Pivoting -- wpmagic[.]net source comments led to netscan[.]info discovery
DNS Correlation -- Shared Cloudflare NS pair confirmed single-operator infrastructure
API Enumeration -- Systematic testing of discovered endpoints revealed unauthenticated data leaks
Artifact Collection -- Miner binaries, API keys, stolen credentials, and forum posts documented
IOC Generation -- Network, host, and actor indicators compiled for defensive use

Investigation by Breakglass Intelligence.
Report generated: 2026-04-17
GHOST-2026-0417-NETSCAN