Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
Essential information
- Published
- 11/05/2026 07:25
- Modified
- 11/05/2026 09:56
- Tags
- 2026-05-11 CVE-2026-41940 cpanel exploitation cpanel-python credential-theft filemanager filemanager rat southeast asia ssh backdoor telegram exfiltration wordpress targeting
- Related entities
- 1 vulnerabilities (cve), 1 observables, 1 intrusion sets (apt), 21 techniques (mitre), 2 malware, 5 others
Description
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.