
Stealthy hackers exploit cPanel flaw in active backdoor campaign (CVE-2026-41940)

May 13, 2026  Twila Rosenbaum  3 views

A sophisticated and long-running attack campaign is actively exploiting a recently disclosed critical vulnerability in cPanel & WHM, tracked as CVE-2026-41940. Researchers at XLab have detailed the tactics of a stealthy hacking group they have named Mr_Rot13, which has been leveraging the flaw to gain unauthorized administrator access to vulnerable servers, deploy backdoors, steal sensitive data, and maintain persistent remote control.

Attack Overview

The vulnerability in cPanel & WHM allows an attacker to log into a server without providing any username or password. This effectively grants them full administrator control over the cPanel host system, including all configurations, databases, and the websites it manages. Such a flaw is particularly dangerous because cPanel is one of the most widely used web hosting control panels, powering millions of websites worldwide. Once an attacker gains initial access, they execute a multi-stage infection process.

First, the attackers deploy an infector script that immediately changes the server's root password to lock out the legitimate administrator. It also plants a hidden SSH key, allowing the attackers to return later via Secure Shell (SSH) without raising alarms. Next, a PHP web shell is dropped into the cPanel system directory. This web shell enables remote file browsing, command execution, and further payload delivery. The attackers then tamper with the cPanel login page itself, injecting malicious JavaScript code that silently captures every username and password entered by legitimate users and sends the harvested credentials to an attacker-controlled server.

Finally, a cross-platform remote-control trojan dubbed Filemanager is installed. This trojan gives the attackers ongoing visibility into the compromised machine and allows them to remotely manage it. It can execute commands, upload and download files, and exfiltrate data. Database passwords, SSH keys, command history, and other sensitive information are siphoned off both to the attackers' own servers and to a private Telegram group. The use of Telegram for data exfiltration is notable because it provides a simple, encrypted messaging platform that is often overlooked by security monitoring tools.

The Attackers: Mr_Rot13

XLab's attribution work has linked the campaign to a group they call Mr_Rot13. The name comes from the Telegram account handle used by the apparent leader and the group's use of the ROT13 cipher to obfuscate the address of their command-and-control (C2) server. The group's C2 domain, wrned.com, has been in active use since at least 2020, indicating a mature infrastructure. The researchers also discovered that a PHP backdoor associated with that domain was uploaded to VirusTotal in 2022 and continues to have zero detections, suggesting the malware has remained completely under the radar of antivirus engines for years. This level of stealth points to a capable, well-funded hacking group that can operate covertly for extended periods.

The group's modus operandi reveals careful planning and a focus on long-term persistence rather than quick hits. They change root passwords to block administrators from re-entering the server, plant hidden SSH keys for backdoor access, and modify the login page to capture credentials. The Filemanager trojan is constantly updated, and the exfiltration channels are redundant, using both a dedicated C2 server and Telegram to ensure data is not lost. The group appears to have a particular interest in hosting environments, likely because compromising a single cPanel server can provide access to hundreds of websites and databases.

Exploitation Scope and Impact

The exploitation of CVE-2026-41940 is not limited to Mr_Rot13. Various other threat actors have also been exploiting the vulnerability to deploy ransomware and Mirai malware, and to steal data. However, the Mr_Rot13 campaign appears to be the most widespread and stealthy. XLab reports that over 2,000 attacker-controlled IP addresses worldwide are currently running automated attacks against exposed servers. The traffic originates primarily from Germany, the United States, Brazil, and the Netherlands. The large number of attacking IPs and their global distribution suggest the group has a substantial botnet or a network of proxies at its disposal.

The real-world impact has been severe. Yutaka Sejiyama, Deputy Director of Macnica's Security Research Center, shared that 194 out of 1,692 publicly exposed cPanel/WHM servers in Japan have been hit with the Sorry ransomware, which has been linked to this campaign. The Sorry ransomware encrypts files and demands payment, causing significant downtime and data loss for hosting providers and their customers. Beyond ransomware, the theft of credentials and database passwords can lead to further compromises, including data breaches, identity theft, and financial fraud.

Protection and Mitigation

cPanel has been actively updating its security advisory with links to patches for the affected cPanel and WHM versions. Administrators are strongly urged to apply these patches immediately. In addition to patching, organizations should run the detection script provided by cPanel to check for signs of compromise. Indicators of compromise shared by XLab include specific IP addresses associated with the C2 domain wrned.com, known PHP web shell file paths, and the presence of the Filemanager trojan. Server administrators should also review system logs for unauthorized SSH key additions, unusual cron jobs, and modifications to the cPanel login page files. Changing all passwords (root, database, and FTP) is essential after patching.
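As an added defensive illustration (not code from XLab, cPanel or the original article), the following Python checks for two of the indicators described above: it scans file content for the known C2 domain both in plain form and in the ROT13 form the group uses to hide it, and it flags authorized_keys entries that are not in an approved baseline. The sample PHP snippet, key file and baseline set are constructed for the example.

```python
import codecs
import re
from typing import List, Set, Tuple

# Known C2 domain named in the XLab report; add others here as they are published.
KNOWN_C2_DOMAINS = ["wrned.com"]
SSH_KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def find_c2_references(text: str, domains=KNOWN_C2_DOMAINS) -> List[Tuple[str, str, int]]:
    """Return (domain, encoding, offset) for each plain or ROT13-encoded hit in text."""
    hits = []
    for dom in domains:
        for encoding, needle in (("plain", dom), ("rot13", codecs.encode(dom, "rot_13"))):
            for m in re.finditer(re.escape(needle), text, flags=re.IGNORECASE):
                hits.append((dom, encoding, m.start()))
    return sorted(hits, key=lambda h: h[2])


def unexpected_ssh_keys(authorized_keys: str, baseline: Set[str]) -> List[str]:
    """Return authorized_keys lines whose 'type blob' pair is not in the baseline.

    Option prefixes (e.g. command="...") and trailing comments are ignored, so a
    re-commented baseline key is still recognised as approved.
    """
    suspicious = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(SSH_KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            suspicious.append(line)  # unparsable line: flag it for manual review
        elif f"{parts[idx]} {parts[idx + 1]}" not in baseline:
            suspicious.append(line)
    return suspicious


# Constructed samples (not real artefacts from the campaign).
SAMPLE_PHP = "<?php\n$h = str_rot13('jearq.pbz');  // decodes to the C2 domain at runtime\n"
SAMPLE_AUTHORIZED_KEYS = """# constructed sample file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@hosting
command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEPLANTED root@unknown
"""
BASELINE_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY"}

if __name__ == "__main__":
    for dom, enc, off in find_c2_references(SAMPLE_PHP):
        print(f"C2 reference to {dom} ({enc}) at offset {off}")
    for line in unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS):
        print("unexpected key:", line)
```

In practice, run the scan over the web root and cPanel directories and compare every user's authorized_keys against a baseline captured from a known-good backup.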

Furthermore, enabling multi-factor authentication (MFA) for cPanel and WHM can provide an additional layer of security, even if credentials are stolen. Limiting access to the cPanel interface to trusted IP addresses only, using a firewall, and regularly monitoring for unexpected outbound connections to known malicious domains can also reduce the risk of exploitation. The campaign is ongoing, and new indicators of compromise may emerge as the attackers adapt.



Source: Help Net Security News

