Alert: cPanel Vulnerability CVE-2026-41940 Exploited to Install Filemanager Backdoor

A Newly Discovered cPanel Flaw Exploited by Mr_Rot13

An individual tracked as Mr_Rot13 has been identified as the actor behind the exploitation of a critical cPanel vulnerability that ends with a malicious backdoor named Filemanager being deployed on compromised systems.

The flaw, CVE-2026-41940, affects cPanel and WebHost Manager (WHM). It allows unauthorized access that gives remote attackers elevated control over the control panel.

Recent findings from QiAnXin XLab reveal that multiple threat actors have been quick to exploit this vulnerability, engaging in activities such as cryptocurrency mining, ransomware attacks, botnet spreading, and the installation of backdoors.

According to XLab researchers, more than 2,000 attacker IPs worldwide are actively exploiting the vulnerability, with a significant share originating from Germany, the United States, Brazil, the Netherlands, and other countries.

XLab's analysis of the campaign uncovered a shell script that downloads a Go-based infector from a remote server. The infector implants an SSH public key on the compromised cPanel host for persistent access and drops a PHP web shell for file manipulation and remote command execution.

The web shell then injects JavaScript that serves a tampered login page, capturing submitted credentials and sending them, ROT13-encoded, to an attacker-controlled system. ROT13 is obfuscation rather than encryption, so any captured exfiltration traffic can be decoded directly. The chain concludes with the installation of a cross-platform backdoor capable of infecting Windows, macOS, and Linux machines.
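Two triage checks follow from the chain described above: looking for an implanted SSH key in authorized_keys, and reversing the ROT13 encoding on any captured exfiltration request. The script below is an added example, not code from XLab or from the malware itself. The key blobs and the access-log lines are constructed; the exfil endpoint path `/collect.php` and the query parameter `d` are assumptions, since the report does not give the real request format, and the log lines stand in for what an egress proxy or packet capture would record.

```python
"""Post-compromise triage helpers for the cPanel/Mr_Rot13 chain.

(1) flag SSH public keys in authorized_keys whose fingerprint is not allowlisted;
(2) recover credentials from ROT13-encoded exfiltration requests in log lines.
All sample data below is constructed for the example.
"""
import base64
import codecs
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# --- (1) authorized_keys audit -------------------------------------------

def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public key line, in the form ssh-keygen -lf prints.

    Expects the "[options] type base64-blob [comment]" layout; the key type field
    is located by prefix so leading options such as no-pty are skipped.
    """
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an OpenSSH public key line")


def audit_authorized_keys(contents: str, allowed_fingerprints: set) -> list:
    """Return every key in an authorized_keys file that is not on the allowlist."""
    findings = []
    for lineno, line in enumerate(contents.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        if fp not in allowed_fingerprints:
            findings.append({"line": lineno, "fingerprint": fp, "entry": line})
    return findings


def _fake_key(kind: str, seed: bytes, comment: str) -> str:
    # Constructed key line: the blob is arbitrary bytes, not a real key; it is
    # enough to exercise the fingerprint and allowlist logic.
    return f"{kind} {base64.b64encode(seed).decode()} {comment}"

KNOWN_ADMIN_KEY = _fake_key("ssh-ed25519", b"constructed-blob-for-the-admin-key", "admin@ops")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by ops",
    KNOWN_ADMIN_KEY,
    _fake_key("ssh-rsa", b"constructed-blob-for-an-implanted-key", "root@localhost"),
])
ALLOWLIST = {ssh_fingerprint(KNOWN_ADMIN_KEY)}

# --- (2) ROT13 credential exfiltration ------------------------------------

EXFIL_PATH = "/collect.php"   # assumed endpoint; the report does not give the real one
EXFIL_PARAM = "d"             # assumed query parameter name
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_rot13_exfil(log_lines, path: str = EXFIL_PATH, param: str = EXFIL_PARAM) -> list:
    """Return (client_ip, decoded_credential) for each request to the exfil endpoint.

    parse_qs percent-decodes the value; codecs' rot_13 codec undoes the obfuscation.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if url.path != path:
            continue
        for value in parse_qs(url.query).get(param, []):
            hits.append((line.split()[0], codecs.decode(value, "rot_13")))
    return hits


# Constructed common-log-format lines; the first carries rot13("admin:Hunter2!").
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] "GET /collect.php?d=nqzva%3AUhagre2%21 HTTP/1.1" 200 12',
    '198.51.100.7 - - [10/Jun/2026:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"unknown key at line {f['line']}: {f['fingerprint']}  {f['entry']}")
    for ip, cred in decode_rot13_exfil(SAMPLE_ACCESS_LOG):
        print(f"exfil from {ip}: {cred}")
```

On a real host, feed `audit_authorized_keys` the contents of `/root/.ssh/authorized_keys` and of each cPanel account's `~/.ssh/authorized_keys`, with the allowlist built from fingerprints your team actually provisioned; any entry it reports is a candidate for the implanted key and should be removed only after the web shell and backdoor have also been dealt with, since the attacker can otherwise re-add it.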

The backdoor, known as Filemanager, is delivered by a shell script fetched from the domain "wpsock.com" and provides file management, remote command execution, and interactive shell capabilities.

Evidence suggests the threat actor has been operating quietly for years: the command-and-control (C2) domain also appears in a PHP backdoor uploaded to VirusTotal in April 2022, and the domain itself was registered in October 2020.

Despite roughly six years of activity, from 2020 to the present, detection rates for Mr_Rot13's tooling across security products have remained remarkably low.
