all articles either are not saying what is the purpose or just talking about creating a zombienet for future use, but one wordpress I know of got hacked just 2 weeks ago by brute-forcing his way in, then someone was able to install a plugin call "boss" which was the r57shell and with this script, was able to put new files in the blog which was serving 7727 websites with a virus when someone visited their site and didn't had flash. The virus in question was the trojan Meredrop, so the wordpress got hacked and was already being used for spreading a trojan.
It's high time that WordPress install by default Login Lockdown or Limit Login or some plugins like that, can't believe they don't put it by default.