216.73.216.204

Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans

· Published 11/05/2026 07:25 · Modified 11/05/2026 09:56

Export JSON

Essential information

Published
11/05/2026 07:25
Modified
11/05/2026 09:56
Tags
2026-05-11 CVE-2026-41940 cpanel exploitation cpanel-python credential-theft filemanager filemanager rat southeast asia ssh backdoor telegram exfiltration wordpress targeting
Related entities
1 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 21 techniques (mitre), 2 malware, 5 others

Description

A previously unknown threat group designated Mr_Rot13 has been exploiting , a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called . Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.

External references