"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability," QiAnXin XLab wrote in its analysis.
CVE-2026-41940: an authentication-bypass in cPanel and WHM
Security researchers say the exploitation centers on CVE-2026-41940, a critical vulnerability in cPanel and WebHost Manager (WHM) that can produce an authentication bypass and allow remote attackers to gain elevated control of the control panel. QiAnXin XLab reported that the flaw was targeted by multiple actors "shortly after its public disclosure late last month," with exploitation leading to a range of malicious outcomes including cryptocurrency mining, ransomware, botnet propagation, and implantation of backdoors.
Attribution to "Mr_Rot13" and indications of long-running infrastructure
QiAnXin XLab attributed a cluster of these exploit operations to a threat actor it labels "Mr_Rot13." XLab's report notes signs that the operator's infrastructure has been active for years: a command-and-control domain embedded in the attacker's JavaScript code appears in a PHP backdoor file ("helper.php") uploaded to VirusTotal in April 2022, and the domain was first registered in October 2020. "Over the six years from 2020 to the present, the detection rate of Mr_Rot13's related samples and infrastructure across security products has remained extremely low," XLab said, an assessment that frames the operation as quietly persistent rather than newly emergent.
The attack chain and the Filemanager backdoor
XLab's technical analysis describes an automated attack chain that begins with a shell script using wget or curl to fetch a Go-based infector from a remote server identified as "cp.dene.[de[.]com." That infector is designed to implant an SSH public key on a compromised cPanel host for persistent access and to drop a PHP web shell that enables file upload/download and remote command execution.
According to XLab, the web shell is then used to inject JavaScript that serves a customized login page intended to capture credentials. The stolen credentials are siphoned to an attacker-controlled system encoded with the ROT13 cipher and associated with "wrned[.]com." The exploit chain culminates with deployment of a cross-platform backdoor the researchers call "Filemanager," which XLab observed being delivered via a shell script downloaded from "wpsock[.]com." Filemanager supports file management, remote command execution, and shell functionality and is capable of infecting Windows, macOS, and Linux hosts.
Data collection and exfiltration to an operator-controlled Telegram group
XLab says the infector also harvests sensitive material from compromised systems, collecting bash history, SSH data, device information, database passwords, and cPanel virtual aliases (valiases). According to the report, those artifacts are sent to a three-member Telegram group created by a user named "0xWR." The combination of credential theft, SSH key implantation, web-shell control, and a cross-platform backdoor presents multiple avenues for persistent access and lateral movement within affected environments.
Scale of the campaign: over 2,000 attacker IPs and global reach
The monitoring data cited by XLab indicates a large, geographically dispersed set of attacking hosts. The researchers report more than 2,000 attacker source IPs distributed across multiple regions, "primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions." XLab links those automated scanning and exploitation efforts to the range of malicious behaviors observed after successful compromise—mining, ransomware, botnet expansion, and implantation of the Filemanager backdoor.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: XLab's findings point to a multi-stage intrusion pattern—shell scripts fetching a Go infector, SSH key installation, PHP web shells, JavaScript-based credential collection (encoded via ROT13), and final delivery of Filemanager from "wpsock[.]com." Monitoring for these specific artifacts and domains—alongside checks for unexpected SSH public keys and web-shell files—aligns directly with the behaviors XLab documented.
- Affected enterprises and hosting providers: the campaign's cross-platform Filemanager backdoor and the reported exfiltration of database passwords and cPanel valiases create risks for persistence and lateral movement across hosting environments. The historical use of the C2 domain (linked to a 2022 VirusTotal upload and a 2020 registration) underscores that some infrastructure associated with these intrusions has been in place for years with low detection rates.
- End users and credential holders: the attackers' use of a customized login page served via injected JavaScript to harvest credentials—then encoded using ROT13 and sent to "wrned[.]com"—demonstrates a direct credential-theft vector tied to compromised control panels, meaning passwords captured at that stage can be re-used to expand access.
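The artifact classes XLab describes (an implanted SSH public key, a PHP web shell offering upload and command execution, and ROT13-encoded credentials leaving the host) each have a simple host-side check. The following is an added triage example, not code from XLab's report or from cPanel: it audits an authorized_keys file against an operator allowlist, scans PHP source for request input flowing into command or upload sinks, and ROT13-decodes query parameters in access-log lines to surface credential-looking exfiltration. Every key, path, domain and log line below is constructed for the example and is not an indicator from the report.

```python
"""Added example (constructed inputs, not XLab's or cPanel's code)."""
import codecs
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed allowlist: the SSH public keys an operator expects on the host.
KNOWN_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey0000000000000000000000 admin@example",
}


def unexpected_ssh_keys(authorized_keys_text: str, known_keys=KNOWN_KEYS) -> List[str]:
    """Return authorized_keys lines whose key type + key material is not allowlisted.
    Option prefixes such as command="..." are skipped so they cannot hide a key."""
    known_ids = {" ".join(k.split()[:2]) for k in known_keys}
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or " ".join(parts[idx:idx + 2]) not in known_ids:
            unknown.append(line)
    return unknown


# PHP sinks typical of command-execution web shells; the signal is request
# input reaching one of them (optionally via base64_decode), not the name alone.
SHELL_SINKS = ("shell_exec", "proc_open", "passthru", "system", "popen", "exec", "eval", "assert")
_SINK_RE = re.compile(r"\b(" + "|".join(SHELL_SINKS) +
                      r")\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b")
_UPLOAD_RE = re.compile(r"move_uploaded_file\s*\(\s*\$_FILES")


def php_webshell_indicators(source: str) -> List[str]:
    """List web-shell indicators found in one PHP source string."""
    hits = [f"{m.group(1)} called on request input" for m in _SINK_RE.finditer(source)]
    if _UPLOAD_RE.search(source):
        hits.append("unrestricted move_uploaded_file from $_FILES")
    return hits


# Words that make a ROT13-decoded parameter value look like a stolen login.
CRED_WORDS = ("user", "pass", "login", "cpanel", "root")
_PARAM_RE = re.compile(r"[?&]([A-Za-z_]+)=([^&\s\"]+)")


def rot13_credential_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """ROT13-decode every query parameter in each log line; report values that
    decode to credential-looking text (ROT13 is its own inverse, so one decode
    suffices)."""
    hits = []
    for line in log_lines:
        for name, value in _PARAM_RE.findall(line):
            decoded = codecs.decode(unquote(value), "rot13")
            if any(w in decoded.lower() for w in CRED_WORDS):
                hits.append({"param": name, "decoded": decoded, "line": line})
    return hits


# Constructed fixtures: one unknown key with a command= prefix, a two-line PHP
# upload/exec fixture, and an access log with ROT13 "root" / "Passw0rd" values.
SAMPLE_AUTHORIZED_KEYS = """\
# admin key (constructed)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey0000000000000000000000 admin@example
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderUnknownKey== nobody@unknown
"""
SAMPLE_PHP = """<?php
if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); }
if (isset($_POST['c'])) { echo shell_exec($_POST['c']); }
"""
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [01/May/2026:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /x.php?u=ebbg&p=Cnffj0eq HTTP/1.1" 200 12',
]


def triage() -> Dict[str, int]:
    """Run all three checks on the constructed fixtures and return hit counts."""
    return {
        "unexpected_ssh_keys": len(unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS)),
        "webshell_indicators": len(php_webshell_indicators(SAMPLE_PHP)),
        "rot13_credential_hits": len(rot13_credential_hits(SAMPLE_LOG_LINES)),
    }


if __name__ == "__main__":
    for check, count in triage().items():
        print(f"{check}: {count}")
```

On a real host the three functions would be fed `~/.ssh/authorized_keys` for each account (including the cPanel users' home directories), the PHP files under the web roots, and the web server access logs; the allowlist and keyword list are the parts an operator tunes.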
QiAnXin XLab's report portrays an operation that combined rapid exploitation after a public disclosure with infrastructure that had been quietly active for years. The result is a campaign that is both opportunistic—scanning and striking immediately after the CVE became public—and patient, relying on low-detection tooling and long-lived domains. Security teams and hosting operators will need to align detection with the specific indicators XLab documented as they investigate and remediate affected cPanel/WHM environments.