
Exploiting Critical cPanel Vulnerability: A Threat to Government and MSP Networks


An unidentified threat actor has been targeting government and military organizations in Southeast Asia, as well as managed service providers and hosting providers in several countries, by exploiting a critical vulnerability in cPanel, a popular control panel software.

Ctrl-Alt-Intel discovered the activity on May 2, 2026. It involves exploitation of CVE-2026-41940, a flaw in cPanel and WebHost Manager (WHM) that allows attackers to bypass authentication and take control of the control panel remotely.

The attacks are primarily focused on government and military domains in the Philippines and Laos, as well as MSPs and hosting providers, and use publicly available proof-of-concept exploits.

Before the cPanel attacks, the threat actor used a custom exploit chain combining SQL injection and remote code execution to target an Indonesian defense sector training portal.

Ctrl-Alt-Intel revealed that the attacker used hard-coded credentials and bypassed CAPTCHA challenges to gain access to the portal and execute the attack.

Further investigation revealed that the threat actor is using the AdaptixC2 command-and-control framework to control the compromised endpoints, along with tools such as OpenVPN and Ligolo for persistent access to victim networks.

The actor established access using various methods and exfiltrated documents related to the Chinese railway sector.

While the identity of the threat actor remains unknown, Censys reported evidence of multiple parties exploiting the cPanel vulnerability within a day of its disclosure, deploying Mirai botnet variants and a ransomware strain named Sorry.

Shadowserver Foundation data shows a significant decrease in the number of compromised IP addresses engaged in scanning and attacks related to the vulnerability, which underscores the importance of applying patches and cleaning up compromised systems.


cPanel has released a new version of its detection script to help identify false positives, and urges users to update their systems promptly and address any indicators of compromise.
