
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments.

The attack exploits CVE-2026-41940, a vulnerability affecting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel.

According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.

“Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability,” XLab researchers said. “These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions.”

Further analysis of the ongoing exploitation activity has uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server (“cp.dene.[de[.]com”) that is designed to implant a compromised cPanel system with an SSH public key for persistent access, along with dropping a PHP web shell that facilitates file upload/download and remote command execution.


The web shell is then used to inject JavaScript code that serves a customized login page to steal login credentials and siphon them to an attacker-controlled system whose address is encoded using the ROT13 cipher (“wrned[.]com”). Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that is capable of infecting Windows, macOS, and Linux systems.

The infector is also equipped to collect sensitive information from the compromised host, including bash history, SSH files, system information, database passwords, and cPanel virtual aliases (aka valiases), and send it to a 3-member Telegram group created by a user named “0xWR.”

In the infection sequence analyzed by XLab, Filemanager is delivered via a shell script downloaded from the “wpsock[.]com” domain. The backdoor supports file management, remote command execution, and shell functionality.
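The report ties this intrusion to three host-level artifacts: an added SSH public key for persistence, a PHP web shell in the web root, and a C2 hostname hidden in injected JavaScript with ROT13. The following triage script is an added example, not code from the XLab report, from cPanel, or from the threat actor's tooling. It checks each artifact against a sample input. The key allowlist, the web-shell regexes, the TLD list and all sample data are constructed assumptions; an operator would replace the allowlist with the fingerprints of keys they actually issued.

```python
"""Host-triage checks for the intrusion artifacts described in the report.

Added example, not code from the XLab report or from cPanel: it looks for
three things the report associates with this campaign - SSH authorized_keys
entries that are not on an operator-maintained allowlist, PHP files with
web-shell traits, and hostnames hidden in JavaScript with ROT13. The
allowlist, detection patterns and sample inputs below are all constructed.
"""
import codecs
import re
from pathlib import Path

SSH_KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts; options before the key type are kept."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in SSH_KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line, not a key we can assess
        entries.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "blob": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:])})
    return entries


def unexpected_ssh_keys(text, known_blobs):
    """Keys whose base64 material is not on the allowlist.

    Matching on the blob rather than the comment matters: the comment is free
    text an attacker can set to look legitimate (e.g. 'root@localhost')."""
    return [e for e in parse_authorized_keys(text) if e["blob"] not in known_blobs]


# Constructed patterns for traits of PHP web shells (upload handling plus
# command execution driven by request parameters, as the report describes).
WEBSHELL_PATTERNS = {
    "command-exec-from-request": re.compile(
        r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*"
        r"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|str_rot13|gzinflate)", re.I),
    "upload-handler": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
    "encoded-payload": re.compile(
        r"\b(base64_decode|str_rot13|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{40,}", re.I),
}


def php_webshell_indicators(source):
    """Names of the patterns that match a PHP source string, sorted."""
    return sorted(name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(source))


def scan_web_root(root):
    """Map each .php file under root to its indicator list (files with none are omitted)."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = php_webshell_indicators(path.read_text(errors="ignore"))
        if found:
            hits[str(path)] = found
    return hits


# ROT13 leaves '.' and digits alone, so an encoded hostname still looks like a
# hostname; we only report literals whose *decoded* form ends in a plausible TLD.
STRING_LITERAL = re.compile(r"""(["'])([^"'\n]{4,})\1""")
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
COMMON_TLDS = {"com", "net", "org", "io", "ru", "de", "cn", "info", "xyz", "top"}


def rot13_hostnames(js_source):
    """(encoded, decoded) pairs for JS string literals that ROT13-decode to a hostname."""
    results = []
    for _quote, literal in STRING_LITERAL.findall(js_source):
        decoded = codecs.decode(literal, "rot13")
        if HOSTNAME.match(decoded) and decoded.rsplit(".", 1)[1].lower() in COMMON_TLDS:
            results.append((literal, decoded))
    return results


# --- constructed sample inputs (not from the report) ---------------------------
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY0000000000000000000000000"}
SAMPLE_AUTHORIZED_KEYS = """# constructed authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY0000000000000000000000000 admin@ops-laptop
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTEDUNKNOWNBLOB root@localhost
"""
SAMPLE_PHP = "<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>"
SAMPLE_JS = 'var p = "/login"; var h = "rknzcyr.pbz"; fetch("https://" + h + p);'

if __name__ == "__main__":
    for key in unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS):
        print("unexpected key:", key["type"], key["options"], key["comment"])
    print("php indicators:", php_webshell_indicators(SAMPLE_PHP))
    print("rot13 hostnames:", rot13_hostnames(SAMPLE_JS))
```

On a live cPanel host the same functions would be pointed at each account's `~/.ssh/authorized_keys` and `public_html` directory, and at any JavaScript the login page now serves. The ROT13 check only surfaces candidates; the decoded hostname still has to be compared against the infrastructure XLab published.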

There are indications that the threat actor behind the operation has been operating quietly for years. This assessment is based on the fact that the command-and-control (C2) domain embedded in the JavaScript code has been used in a PHP-based backdoor (“helper.php”) that was uploaded to the VirusTotal platform in April 2022. The domain was first registered in October 2020.


“Over the six years from 2020 to the present, the detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low,” XLab said.
