The exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments has been attributed to a threat actor named Mr_Rot13. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
# Incident Report: Exploitation of cPanel CVE-2026-41940 by Mr_Rot13
## Executive Summary
A critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), tracked as CVE-2026-41940, is being actively exploited by multiple threat actors, most notably a group identified as "Mr_Rot13." The attackers leverage this flaw to gain elevated control, deploy the "Filemanager" cross-platform backdoor, and steal credentials through localized web shell injection. The campaign has impacted over 2,000 systems globally, primarily resulting in persistent unauthorized access and data theft.
## Incident Details
- **Discovery Date:** Late April / early May 2026
- **Incident Date:** Ongoing (Activity linked back to early 2020)
- **Affected Organization:** Multiple (Global cPanel/WHM users)
- **Sector:** Technology / Web Hosting / Various
- **Geography:** Global (Primary clusters in Germany, USA, Brazil, and the Netherlands)
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced immediately following public disclosure in late April 2026.
- **Vector:** Exploitation of CVE-2026-41940 (Critical Authentication Bypass).
- **Details:** Remote attackers bypass authentication on vulnerable cPanel/WHM instances to gain root privileges.
### Lateral Movement
- **Mechanism:** Attackers utilize automated shell scripts to deploy Go-based infectors and specialized web shells across the hosting environment to maintain control over multiple virtual aliases and resident containers.
### Data Exfiltration/Impact
- **Details:** Sensitive data including bash history, SSH keys, database passwords, and cPanel virtual aliases (valiases) are collected. Stolen credentials are exfiltrated to a Telegram group (“0xWR”) and an attacker-controlled domain using ROT13 encoding.
### Detection & Response
- **Discovery:** Identified by QiAnXin XLab through monitoring of over 2,000 malicious source IPs involved in automated exploitation.
- **Response Actions:** Research community disclosure of Indicators of Compromise (IoCs) and attribution to the long-standing "Mr_Rot13" group.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-41940 via `wget`/`curl` shell scripts.
- **Persistence:** Modification of the root password to `123Qwe123C` and placement of unauthorized SSH public keys.
- **Privilege Escalation:** Inherited through the cPanel authentication bypass vulnerability.
- **Defense Evasion:** Use of ROT13 cipher for C2 communications; low-detection Go-based and PHP-based malware; infrastructure operational since 2020 with high stealth.
- **Credential Access:** JavaScript-injected phishing pages on the legitimate cPanel login screen; theft of database and SSH credentials.
- **Discovery:** Collection of host metadata, device information, and virtual alias configurations.
- **Lateral Movement:** Web shells used for remote command execution and further host penetration.
- **Collection:** Automated gathering of bash history and sensitive configuration files.
- **Exfiltration:** Data sent to Telegram API and attacker-controlled domain `wrned[.]com`.
- **Impact:** Full server compromise, deployment of botnets, ransomware, and miners.
## Impact Assessment
- **Financial:** High (Associated with ransomware and illicit cryptocurrency mining).
- **Data Breach:** High (Theft of administrative credentials, database passwords, and user private keys).
- **Operational:** Severe (Unauthorized root access allows for total system takeover and service disruption).
- **Reputational:** High for hosting providers failing to patch critical infrastructure flaws.
## Indicators of Compromise
- **Network Indicators:**
  - cp[.]dene[.]de[.]com (Malware hosting)
  - wrned[.]com (Exfiltration)
  - wpsock[.]com (Backdoor delivery)
- **File Indicators:**
  - `helper.php` (Backdoor)
  - Filemanager (Go-based backdoor)
- **Behavioral Indicators:**
  - Root password modified to `123Qwe123C`.
  - Unexpected SSH keys added to `authorized_keys`.
  - Outbound traffic to the Telegram API from web servers.
## Response Actions
- **Containment:** Immediately block the associated C2 domains and attacker-source IPs.
- **Eradication:** Audit and remove unauthorized SSH keys; reset all root and user passwords. Remove the `Filemanager` binary and malicious PHP shells.
- **Recovery:** Where possible, restore cPanel/WHM from known-clean backups taken before April 2026, and patch before returning the host to service.
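Two of the behavioral indicators above (unexpected SSH keys, outbound traffic to the Telegram API or `wrned[.]com`) and the eradication step of auditing keys can be scripted. The following Python is an added example, not code from XLab or the report; it assumes a constructed allowlist of known-good keys and an egress log in `key=value` form, both embedded as sample data.

```python
import re
# Report IoCs, undefanged so they match what an egress proxy or firewall logs.
SUSPECT_DOMAINS = ("wrned.com", "wpsock.com", "cp.dene.de.com", "api.telegram.org")
# Constructed allowlist of (key type, key material) issued by the admins, not read from the box.
KNOWN_GOOD_KEYS = {
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice"),
    ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBackup"),
}
KEY_TYPE_RE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def unauthorized_keys(authorized_keys_text: str) -> list[str]:
    """Return authorized_keys lines whose key material is not on the allowlist."""
    flagged = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Skip leading options (from="...", command="...") to reach the key type.
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            flagged.append(line)  # unparseable entry: treat as suspect
        elif (tokens[idx], tokens[idx + 1]) not in KNOWN_GOOD_KEYS:
            flagged.append(line)  # compares key material, never the comment
    return flagged

def suspicious_egress(log_lines: list[str]) -> list[str]:
    """Flag egress log lines whose destination is an IoC domain or a subdomain of one."""
    host_re = re.compile(r"\bdst_host=([^\s,]+)")
    hits = []
    for line in log_lines:
        m = host_re.search(line)
        host = m.group(1).lower().rstrip(".") if m else ""
        if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
            hits.append(line)
    return hits

# Constructed sample data standing in for /root/.ssh/authorized_keys and an egress log.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice ops-laptop-alice
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBackup backup-runner
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedPlantedKey backup-runner
"""
SAMPLE_EGRESS_LOG = [
    "2026-05-02T03:14:07Z src=web01 dst_host=api.telegram.org dst_port=443 action=allow",
    "2026-05-02T03:14:09Z src=web01 dst_host=updates.example.net dst_port=443 action=allow",
    "2026-05-02T03:15:41Z src=web01 dst_host=cdn.wrned.com dst_port=80 action=allow",
]
if __name__ == "__main__":
    print(unauthorized_keys(SAMPLE_AUTHORIZED_KEYS), suspicious_egress(SAMPLE_EGRESS_LOG), sep="\n")
```

The planted key reuses a legitimate-looking comment and is still flagged because the check compares key material against the allowlist.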
## Lessons Learned
- **Key Takeaways:** Vulnerabilities in management software like cPanel provide "keys to the kingdom" and are weaponized by threat actors almost immediately upon disclosure.
- **Opportunity for Improvement:** The long-term survival of the Mr_Rot13 group (since 2020) suggests a need for better behavioral monitoring of administrative panels and egress filtering for unexpected C2 channels (like Telegram).
## Recommendations
- **Immediate Patching:** Update cPanel and WHM to the latest version to remediate CVE-2026-41940.
- **Hardening:** Implement Multi-Factor Authentication (MFA) and restrict access to WHM/cPanel ports (2083, 2087) to known-good IP addresses.
- **Monitoring:** Deploy File Integrity Monitoring (FIM) to detect unauthorized changes to the root user's home directory (including `.ssh/authorized_keys`) and to SSH configuration files.