One Dead IP, 466 Users, 17 Servers: How a Vanished Open Directory Led to a Chinese Offensive Platform With Active French and Vietnamese Targets
From a dead opendir to x5s.us — XSS management, Google dorking, backup scanning, and a fabricated Western identity
One IP address. Already dead. The server had been torched within hours of public exposure -- every port filtered, every service killed. Most investigators would have moved on. We didn't.
What started as a cold tip about a WordPress exploit staging server spiraled into the discovery of X5S SECURE COMMAND -- a Chinese-language offensive security platform with 466 registered users, 1,944 stored payloads, 17 Tencent Cloud nodes spun up in a single 24-hour window, a Google dorking engine actively hunting SQL injection targets across French and Vietnamese websites, and a backup file scanner that had already catalogued exposed archives on at least three French companies. The operator hid behind a fabricated Scottish identity, compartmentalized infrastructure across three separate Cloudflare accounts, and ran the entire operation from the Asia/Shanghai timezone.
This is how one dead IP became a full infrastructure map.
The Tip
On April 2, 2026, security researcher German Fernandez (@1ZRR4H) tweeted about an open directory at 111.90.158[.]78:8888. It contained exploit code, target lists of WordPress sites, and a reference to "CVE-2026-4257" -- a CVE identifier that doesn't exist in the National Vulnerability Database. We'll come back to that.
The server was hosted on Shinjiru in Malaysia. By the time we pointed GHOST at it, every port was filtered. The operator had been watching. Within hours of the tweet, they'd killed the staging server completely -- FTP, HTTP, HTTPS, MSSQL, the open directory on 8888, all of it. Gone.
A dead end? Not quite.
Pivot: From a Corpse to a Kingdom
The server was dead, but Shodan's historical data remembered what it had been. Among the hostnames associated with 111.90.158[.]78, one stood out: wpscan[.]x5s[.]us. A WordPress vulnerability scanner, hosted on the same IP that had been staging WordPress exploits. Now hidden behind Cloudflare, returning a 521 error -- origin server unreachable. Because the origin server was the one they'd just killed.
That subdomain was the thread. Pull it, and the entire fabric unravels.
DNS enumeration on x5s[.]us revealed not a simple domain but an entire offensive platform: bf[.]x5s[.]us, cs[.]x5s[.]us, google[.]x5s[.]us, adminer[.]x5s[.]us, wp[.]x5s[.]us, chat[.]x5s[.]us, and seventeen numbered nodes -- kh1 through kh17 -- under windsurf[.]x5s[.]us. Each subdomain was a different tool. Each tool served a different phase of the attack chain.
The Phantom CVE
The original tweet referenced "CVE-2026-4257." That identifier doesn't exist. The actual vulnerability is CVE-2024-48042 -- a template injection flaw in the WordPress Contact Form by Supsystic plugin (versions <= 1.7.28) that leads to remote code execution. CVSS 9.1. Critical.
What makes this significant: no public proof-of-concept existed for CVE-2024-48042 before this exposure. The exploit code sitting in that open directory may have been the first working PoC to leak publicly. The "CVE-2026-4257" designation appears to be an internal lab identifier -- the operator's own cataloguing system for vulnerabilities they've weaponized.
The vulnerability was reported by researcher Hakiduck through Patchstack in September 2024 and patched in version 1.7.29. But the open directory contained a working exploit for the pre-patch version, alongside lists of WordPress sites presumably identified as running the vulnerable plugin.
The Platform: SECURE COMMAND
The main site at x5s[.]us brands itself "SECURE COMMAND" with the tagline "Spectral Recon." Its JSON-LD metadata self-describes as a "SecurityApplication" by the "SECURE COMMAND Team." The interface is entirely in Chinese (zh-CN) -- every menu, every label, every article in its knowledge base. Built on PHP 8.2.28 with a layui frontend framework popular in Chinese web development, Tailwind CSS, and Vue.js 3.
The platform's core offering is XSS payload management: create payloads, deploy them, monitor when they fire. It's XSS-as-a-service with a professional UI. But XSS management is just the beginning.
The platform includes a suite of offensive tools accessible through subdomains:
The Backup File Scanner (bf[.]x5s[.]us) is a "Backup File Scanning Management System" -- or, in the original Chinese, a "BeiTu WenJian SaoMiao GuanLi XiTong." It automates the discovery of exposed backup files on target websites: .sql dumps, .zip archives, .tar.gz packages, .tgz files. The kind of files that contain database credentials, source code, and customer data. The scanner checks common naming patterns -- domain.zip, domain.tar.gz, domain.sql -- and reports which ones return HTTP 200 or 206, meaning they're available for download.
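A defender-side detection for the probing pattern just described, added here as an example (not code from the platform or from Breakglass): it parses combined-format access log lines, flags root-level requests for host-derived archive names (domain.zip, domain.tar.gz, domain.sql, domain.tgz), and marks a 200/206 response as an actual exposure rather than a failed probe. The log lines and the hostname www.example.fr are constructed.

```python
import re
from collections import defaultdict

# Archive suffixes the backup scanner is described as probing for.
BACKUP_SUFFIXES = (".sql", ".zip", ".tar.gz", ".tgz")

# Combined (NCSA) access log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jan/2026:03:14:05 +0000] "GET /example.fr.zip HTTP/1.1" 404 162',
    '203.0.113.7 - - [17/Jan/2026:03:14:05 +0000] "GET /example.fr.tar.gz HTTP/1.1" 200 48213761',
    '203.0.113.7 - - [17/Jan/2026:03:14:06 +0000] "GET /example.sql HTTP/1.1" 404 162',
    '198.51.100.9 - - [17/Jan/2026:03:20:11 +0000] "GET /index.php?id=3 HTTP/1.1" 200 9214',
    '198.51.100.9 - - [17/Jan/2026:03:20:12 +0000] "GET /assets/theme.zip HTTP/1.1" 200 1024',
]

def candidate_stems(host):
    """Basenames a host-derived probe would try for www.example.fr:
    www.example.fr, example.fr and example."""
    labels = host.lower().split(".")
    stems = {host.lower()}
    if labels[0] == "www" and len(labels) > 2:
        labels = labels[1:]
        stems.add(".".join(labels))
    stems.add(labels[0])
    return stems

def is_backup_probe(path, host):
    """True for a root-level request such as /example.fr.tar.gz on host www.example.fr."""
    p = path.split("?", 1)[0].lower().lstrip("/")
    for suffix in BACKUP_SUFFIXES:
        if p.endswith(suffix):
            return p[: -len(suffix)] in candidate_stems(host)
    return False

def analyze(log_lines, host):
    """Return (findings, probes_per_ip). A 200/206 means the archive was actually served."""
    findings, per_ip = [], defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_probe(m["path"], host):
            continue
        status = int(m["status"])
        per_ip[m["ip"]] += 1
        findings.append({"ip": m["ip"], "path": m["path"], "status": status,
                         "exposed": status in (200, 206)})
    return findings, dict(per_ip)
```

A single source address walking several archive names in one second is the probe signature; any finding with `exposed` set is a backup that should be removed from the web root immediately.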
The Google Dorking Engine (google[.]x5s[.]us) is a distributed Google scraping control center. It runs what the interface calls a "ZhongJi Ban YinQing" -- an "Ultimate Engine" -- for bulk Google searches using attacker-crafted dork queries. The task log, exposed without authentication, showed active operations targeting French and Vietnamese websites with SQL injection reconnaissance dorks:
```text
site:.fr inurl:index.php?id=
site:.fr inurl:gallery.php?id=
site:.vn inurl:index.php?id=
```
Results export to CSV for downstream exploitation. This isn't theoretical -- the task logs showed real scraping runs with timestamps.
The SQLMap Command Generator (x5s[.]us/index/index/sqlmap.html) provides a web-based interface for building SQLMap commands -- point-and-click SQL injection attack configuration.
The Command Center (cs[.]x5s[.]us) is the XSS-PT dashboard. It runs behind OpenResty (nginx+Lua) and serves as the central management interface for the XSS payload ecosystem.
The WebSocket Backend (xn--3ds443g[.]x5s[.]us -- the punycode encoding of "ZaiXian" which translates to "online") runs Workerman, a PHP-based WebSocket framework. This appears to be the real-time callback engine: when a stored XSS payload fires on a victim's browser, the notification routes back through this WebSocket connection for instant alerting.
The Numbers Don't Lie
A statistics API was exposed without authentication at /api/stats/overview.html. No login required. No session token. Just a GET request returning platform-wide metrics in JSON:
- 466 registered users
- 1,944 stored XSS payloads
- 43 target domains under active monitoring
- 362 active projects
Similarly, the backup scanner's API at bf[.]x5s[.]us/api/results.php returned all scan results without authentication -- target URLs, HTTP status codes, file types, severity ratings, and timestamps. Five results were present, all targeting French websites:
| Target | File Type | Severity |
|---|---|---|
| www[.]dauphibat[.]fr | tar.gz archive | HIGH |
| www[.]annecy-web[.]fr | ZIP archive | HIGH |
| www[.]accopro[.]fr | gzip archive | MEDIUM |
These aren't hypothetical targets. These are real French businesses whose backup files were identified as publicly downloadable. The scans were dated January 17, 2026 -- meaning this reconnaissance has been running for months.
17 Nodes in 24 Hours
Certificate transparency logs told the infrastructure story. On March 11-12, 2026, seventeen Let's Encrypt certificates were issued simultaneously for kh1.windsurf[.]x5s[.]us through kh17.windsurf[.]x5s[.]us. Each resolved to a unique IP address on Tencent Cloud, spread across Hong Kong and Singapore regions. Seventeen cloud instances deployed within a single 24-hour window.
Unlike the main platform subdomains, these nodes weren't behind Cloudflare. They resolved directly to their Tencent Cloud IPs -- an OPSEC gap that exposed the operator's backend infrastructure. Most ran SSH on port 22 with default configurations. The "windsurf" naming and "kh" prefix suggest these are testing or scanning nodes, deployed in bulk for parallel operations.
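An analyst-side check for the bulk-deployment pattern above, added here as an example (not Breakglass or GHOST code): it groups certificate transparency entries in the shape crt.sh returns (`name_value`, `not_before`) by numbered-hostname template and reports any template with many distinct hosts issued inside one 24-hour window. The records are constructed and use a placeholder domain.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape of crt.sh JSON output (name_value, not_before).
# Placeholder domain; these are not the real x5s[.]us certificate entries.
CT_RECORDS = [
    {"name_value": "kh1.windsurf.example", "not_before": "2026-03-11T21:05:00"},
    {"name_value": "kh2.windsurf.example", "not_before": "2026-03-11T21:06:30"},
    {"name_value": "kh3.windsurf.example", "not_before": "2026-03-11T23:40:00"},
    {"name_value": "kh4.windsurf.example", "not_before": "2026-03-12T02:15:00"},
    {"name_value": "kh5.windsurf.example", "not_before": "2026-03-12T07:59:00"},
    {"name_value": "kh6.windsurf.example", "not_before": "2026-03-12T08:30:00"},
    {"name_value": "kh7.windsurf.example", "not_before": "2026-03-19T10:00:00"},  # a week later, not in the burst
    {"name_value": "bf.example\nwww.bf.example", "not_before": "2026-03-18T12:00:00"},  # routine multi-SAN renewal
]

NUMBER_RE = re.compile(r"\d+")

def name_template(hostname):
    """Generalize a numbered first label: kh12.windsurf.example -> kh{N}.windsurf.example."""
    first, _, rest = hostname.lower().lstrip("*.").partition(".")
    first = NUMBER_RE.sub("{N}", first, count=1)
    return first + ("." + rest if rest else "")

def find_bulk_issuance(records, window=timedelta(hours=24), min_hosts=5):
    """Per hostname template, return the largest set of distinct hosts whose
    certificates were issued within `window` of each other, if it reaches min_hosts."""
    by_template = defaultdict(list)
    for rec in records:
        issued = datetime.fromisoformat(rec["not_before"])
        for name in rec["name_value"].split("\n"):  # crt.sh joins SANs with newlines
            by_template[name_template(name)].append((issued, name.lower()))
    bursts = []
    for template, entries in by_template.items():
        entries.sort()
        best = None
        for i, (start, _) in enumerate(entries):
            hosts = {name for t, name in entries[i:] if t - start <= window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"template": template, "hosts": sorted(hosts), "start": start}
        if best:
            bursts.append(best)
    return bursts

if __name__ == "__main__":
    for b in find_bulk_issuance(CT_RECORDS):
        print(f"{b['template']}: {len(b['hosts'])} hosts issued from {b['start']}")
```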
The certificate timeline also reveals the platform's development cadence:
- March 6: kamon[.]la registered and wildcard cert issued (same day)
- March 11-12: 17 Tencent Cloud nodes deployed
- March 18: Backup scanner (bf[.]x5s[.]us) certificate renewed
- March 20: WordPress scanner (wpscan[.]x5s[.]us) deployed -- just 13 days before exposure
- March 27: Command center (cs[.]x5s[.]us) and chat service deployed
The operator was actively expanding. New tools every week.
The Identity Behind the Curtain
The x5s[.]us WHOIS registration tells a story that contradicts itself at every turn. The registrant name is "Crili Aprl" -- likely fabricated, possibly an anagram containing "April" and fragments of "Cirilla." The email is cirliaa@proton[.]me. The address is 89 Crosswood Terrace, Tarbrax, West Calder, EH55 8XE -- a real location in a tiny Scottish village of roughly 200 residents. The phone number is a US number with a Minnesota area code.
A Scottish address. An American phone number. And an entirely Chinese-language platform running on Tencent Cloud.
Under ICANN's .us Nexus Requirements, .us domains require the registrant to be a US citizen or resident, or to maintain a bona fide US presence. The WHOIS data claims Registrant Nexus Category C11 ("natural person who is a United States citizen") with Application Purpose P1 ("business use, for profit"). None of this aligns with the evidence.
The WordPress installation at wp[.]x5s[.]us provided the real tell. The REST API at /wp-json/wp/v2/users was accessible without authentication, exposing the username "admin123" and, critically, the site's configured timezone: Asia/Shanghai (UTC+8). WordPress stores timezone as a user-configured setting -- this isn't derived from the server's location but from what the administrator selected during setup. Combined with the zh-CN language throughout the platform, the Tencent Cloud infrastructure preference, the layui framework, the BaoTa (BT Panel) server management software visible on default pages, and article content using Chinese cybercrime terminology for gambling sites ("BC" sites) -- the operator's geographic and linguistic origin is clear.
The fabricated Western identity is a deliberate misdirection layer. Three separate Cloudflare accounts (each domain uses a different NS pair), a Proton Mail address, a borrowed Scottish postal address -- all designed to make infrastructure attribution harder. Effective, until you find the WordPress timezone setting and the unauthenticated statistics API running in Mandarin.
The Predecessor: x8s[.]pw
Article 34 in the platform's knowledge base references a predecessor: x8s[.]pw. The naming convention is the same -- XSS rendered as "X5S" or "X8S" through visual substitution. The domain is now expired and unregistered, but its existence establishes that this operation predates the current x5s[.]us platform. The x5s[.]us domain was registered on April 13, 2025; the earliest certificate transparency evidence for kamon[.]la mail infrastructure dates to November 2021. This is not a new operation. It has been running, in one form or another, for years.
The articles themselves are instructional -- 34 entries teaching XSS attack techniques, including specific tutorials on penetrating Chinese gambling platforms. The platform isn't just a tool suite; it's a knowledge base and community for offensive operators.
Multi-Cloud Compartmentalization
The infrastructure architecture reveals deliberate compartmentalization across providers and continents:
- Cloudflare (three separate accounts): Frontend CDN and DDoS protection for x5s[.]us, kamon[.]la, and musclgear[.]com -- each on different nameserver pairs
- Shinjiru, Malaysia: The now-dead staging server and WordPress scanner origin at 111.90.158[.]78
- OVH, Canada: Mail infrastructure at 192.95.29[.]87, running four SSH daemons (ports 22, 2222, 2223, 55001) suggesting Docker container-based service isolation, plus SMTPS, IMAPS, and an expired TLS certificate for musclgear[.]com -- revealing the server was previously used for a different domain before being repurposed for kamon[.]la mail operations
- Tencent Cloud, Hong Kong/Singapore: 17 testing/scanning nodes deployed in bulk
The mail infrastructure on kamon[.]la (whose subdomain naming uses "poczta," the Polish word for "mail") includes geographic targeting subdomains: tw.server1.kamon[.]la (Taiwan) and ke.kamon[.]la (Kenya), suggesting multi-region email operations.
No single provider takedown can disrupt the platform. The staging server dies, but the scanners, dorking engine, and XSS management platform continue running behind Cloudflare. The compartmentalization is intentional, and it works.
What This Tells Us
X5S SECURE COMMAND appears to facilitate a complete offensive workflow: reconnaissance through Google dorking and backup file scanning, initial access through WordPress exploitation, payload deployment through XSS management, real-time alerting through WebSocket callbacks, and data extraction potentially through the kamon[.]la mail infrastructure. The platform has 466 users. It has been operating since at least 2025, with predecessor infrastructure dating to 2021.
The geographic targeting is notable. French websites appear repeatedly -- in the backup scanner results, in the Google dorking queries. Vietnamese websites are also targeted for SQL injection reconnaissance. This isn't indiscriminate scanning; the operator or their users have specific regional interests.
The speed of the staging server shutdown -- killed within hours of public exposure -- demonstrates active monitoring of the threat intelligence community. The operator watches researchers like @1ZRR4H. They saw the tweet. They burned the server. But they couldn't burn the DNS records, the certificate transparency logs, the Shodan historical data, or the unauthenticated APIs that were still running on every other subdomain.
Indicators of Compromise
Network Infrastructure
| IP Address | Provider | Location | Role | Status |
|---|---|---|---|---|
| 111.90.158[.]78 | Shinjiru | Malaysia | Staging / WP scanner origin | DEAD |
| 192.95.29[.]87 | OVH | Canada | Mail server | LIVE |
| 43.135.12[.]114 | Tencent Cloud | HK/SG | Windsurf kh1 | LIVE |
| 119.28.41[.]46 | Tencent Cloud | HK/SG | Windsurf kh2 | LIVE |
| 150.109.71[.]57 | Tencent Cloud | HK/SG | Windsurf kh3 | LIVE |
| 124.156.175[.]146 | Tencent Cloud | HK/SG | Windsurf kh4 | FILTERED |
| 43.129.244[.]158 | Tencent Cloud | HK/SG | Windsurf kh5 | FILTERED |
| 101.32.214[.]137 | Tencent Cloud | HK/SG | Windsurf kh6 | LIVE |
| 43.129.24[.]151 | Tencent Cloud | HK/SG | Windsurf kh7 | FILTERED |
| 124.156.133[.]235 | Tencent Cloud | HK/SG | Windsurf kh8 | LIVE |
| 150.109.75[.]45 | Tencent Cloud | HK/SG | Windsurf kh9 | LIVE |
| 43.132.167[.]57 | Tencent Cloud | HK/SG | Windsurf kh10 | LIVE |
| 119.28.203[.]74 | Tencent Cloud | HK/SG | Windsurf kh11 | LIVE |
| 43.128.59[.]46 | Tencent Cloud | HK/SG | Windsurf kh12 | FILTERED |
| 43.135.0[.]217 | Tencent Cloud | HK/SG | Windsurf kh13 | LIVE |
| 124.156.166[.]66 | Tencent Cloud | HK | Windsurf kh14 | LIVE |
| 43.132.206[.]22 | Tencent Cloud | SG | Windsurf kh15 | LIVE |
| 43.132.225[.]117 | Tencent Cloud | SG | Windsurf kh16 | DOWN |
| 43.129.234[.]120 | Tencent Cloud | SG | Windsurf kh17 | LIVE |
Domains
```text
x5s[.]us                     # Main XSS platform
wpscan[.]x5s[.]us            # WordPress vulnerability scanner
bf[.]x5s[.]us                # Backup file scanner
cs[.]x5s[.]us                # XSS Command Center
google[.]x5s[.]us            # Google dorking engine
wp[.]x5s[.]us                # WordPress test instance
adminer[.]x5s[.]us           # PHP environment exposure
tg[.]x5s[.]us                # Telegram webhook
xn--3ds443g[.]x5s[.]us       # WebSocket callback engine
windsurf[.]x5s[.]us          # Node orchestrator
kh1-17.windsurf[.]x5s[.]us   # 17 Tencent Cloud nodes
kamon[.]la                   # Mail / hosting infrastructure
server1[.]kamon[.]la         # Mail server
server2[.]kamon[.]la         # Mail server (same IP)
musclgear[.]com              # Co-hosted domain (OVH)
x8s[.]pw                     # Predecessor platform (expired)
```
URLs
```text
hxxps://x5s[.]us/api/stats/overview.html      # Unauthenticated stats API
hxxps://bf[.]x5s[.]us/api/results.php         # Unauthenticated scan results
hxxps://bf[.]x5s[.]us/api/stats.php           # Unauthenticated scan stats
hxxps://google[.]x5s[.]us/task.log            # Dorking task log
hxxps://x5s[.]us/index/index/sqlmap.html      # SQLMap command generator
hxxps://x5s[.]us/index/index/bm.html          # CODEC LAB encoder
hxxps://wp[.]x5s[.]us/wp-json/wp/v2/users     # WP user enumeration
cirliaa@proton[.]me                           # Domain registrant
```
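To turn the defanged domain and URL indicators above into something a resolver can enforce, here is an added example (not part of the report): it refangs the report's notation, skips the registrant e-mail so a public mail provider is not blocked, collapses subdomains already covered by a parent wildcard, and emits a DNS Response Policy Zone. The IoC excerpt is a constructed subset of the list above, the zone origin is a placeholder, and the victim hostnames in the next section must not be fed to it.

```python
import re

# Constructed excerpt of the report's IoC list in its defanged format,
# with a deliberate duplicate line to exercise deduplication.
IOC_TEXT = """\
x5s[.]us                                  # Main XSS platform
wpscan[.]x5s[.]us                         # WordPress vulnerability scanner
kamon[.]la                                # Mail / hosting infrastructure
hxxps://bf[.]x5s[.]us/api/results.php     # Unauthenticated scan results
cirliaa@proton[.]me                       # Domain registrant
x5s[.]us                                  # duplicate
"""

def refang(token):
    """Undo the report's defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    return (token.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))

def extract_domains(text):
    """Hostnames worth blocking. E-mail addresses are skipped: blocking
    proton.me would hit a legitimate provider, not the actor."""
    domains = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token or "@" in token:
            continue
        host = re.sub(r"^https?://", "", refang(token)).split("/", 1)[0].lower()
        if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
            domains.add(host)
    return sorted(domains)

def collapse(domains):
    """Drop hosts already covered by a parent zone's wildcard entry."""
    return [d for d in domains
            if not any(d.endswith("." + p) for p in domains if p != d)]

def rpz_zone(domains, origin="actor-blocklist.rpz"):
    """RPZ zone text: 'CNAME .' makes the name and its subdomains resolve to NXDOMAIN."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in collapse(domains):
        lines += [f"{d} IN CNAME .", f"*.{d} IN CNAME ."]
    return "\n".join(lines) + "\n"
```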
Targeted Victims (Backup Scanner)
```text
www[.]dauphibat[.]fr     # French construction company
www[.]annecy-web[.]fr    # French web agency
www[.]accopro[.]fr       # French professional services
```
Vulnerability
```text
CVE-2024-48042    # WordPress Contact Form by Supsystic RCE (CVSS 9.1)
                  # Referenced as "CVE-2026-4257" in operator's internal system
```
MITRE ATT&CK Mapping
| Tactic | Technique | Application |
|---|---|---|
| Reconnaissance | T1595.002 - Vulnerability Scanning | wpscan[.]x5s[.]us WordPress scanning |
| Reconnaissance | T1593.002 - Search Engines | google[.]x5s[.]us dorking for SQLi targets |
| Reconnaissance | T1596.005 - Scan Databases | bf[.]x5s[.]us backup file discovery |
| Resource Development | T1583.001 - Domains | x5s[.]us, kamon[.]la registration |
| Resource Development | T1583.003 - Virtual Private Server | 17 Tencent Cloud nodes, Shinjiru, OVH |
| Resource Development | T1587.004 - Exploits | CVE-2024-48042 weaponization |
| Resource Development | T1587.001 - Malware | SQLMap generator, XSS payload manager, dorking engine |
| Initial Access | T1190 - Exploit Public-Facing App | WordPress RCE via CVE-2024-48042 |
| Collection | T1119 - Automated Collection | Google Scraper bulk URL extraction |
| Credential Access | T1552.001 - Credentials in Files | Backup scanner targeting .sql/.zip backups |
This investigation was triggered by a tweet from German Fernandez (@1ZRR4H). The original staging server was dead on arrival -- all subsequent infrastructure discovery was produced by Breakglass Intelligence's autonomous GHOST investigation system through passive observation of publicly exposed infrastructure, DNS records, certificate transparency logs, and unauthenticated API endpoints.
Breakglass Intelligence | April 2, 2026