A sophisticated threat actor, identified as Mr_Rot13, is actively exploiting a critical vulnerability in cPanel and WebHost Manager (WHM) to deploy a stealthy backdoor known as Filemanager. This exploitation, stemming from the recently disclosed CVE-2026-41940, allows attackers to bypass authentication and gain elevated control over compromised servers, posing a significant risk to web hosting environments and user data.
The ongoing campaign, detailed in a new report by QiAnXin XLab, has seen a rapid surge in malicious activity since the vulnerability’s public disclosure late last month. Researchers observed over 2,000 unique attacker IP addresses worldwide engaged in automated attacks, targeting this cPanel flaw for various illicit purposes including cryptocurrency mining, ransomware deployment, botnet expansion, and the implantation of persistent backdoors across multiple continents.
Exploitation of Critical cPanel Flaw Leads to Widespread Backdoor Deployment
The primary vector of attack involves a shell script that leverages tools like wget or curl to download a Go-based infector from a remote server. This infector is designed to establish persistent access by implanting an SSH public key into the compromised cPanel system. Additionally, it drops a PHP web shell that grants attackers the ability to upload and download files and execute commands remotely.
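A host-side triage routine for the two implants just described, offered here as an added example for defenders rather than code from the XLab report or from cPanel: it diffs `authorized_keys` against an approved baseline of key blobs and scores PHP files under a document root for web-shell traits (execution calls, decoding wrappers, direct request input). The key blobs, the `public_html` path, the file names and the one-line sample shell are constructed placeholders; the infector's real file locations are not given on this page.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Iterable

# --- Indicator 1: an SSH public key the administrator never authorised -----------

def unexpected_keys(authorized_keys_text: str, approved_blobs: Iterable[str]) -> list[str]:
    """Return authorized_keys lines whose base64 key blob is not in the approved baseline."""
    approved = set(approved_blobs)
    findings: list[str] = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Entries may begin with options such as command="..."; the key type is the
        # first field that looks like an OpenSSH key-type name.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append(line)          # malformed entry: worth a human look
            continue
        if fields[idx + 1] not in approved:
            findings.append(line)
    return findings

# --- Indicator 2: a PHP file that behaves like an upload/download/exec web shell ---

EXEC_CALLS = re.compile(r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(", re.I)
DECODERS = re.compile(r"\b(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")

def webshell_score(php_source: str) -> int:
    """0..3: one point each for execution calls, decoding wrappers, and raw request input."""
    return sum(1 for pattern in (EXEC_CALLS, DECODERS, REQUEST_INPUT) if pattern.search(php_source))

def scan_php_tree(root: Path, threshold: int = 2) -> list[tuple[str, int]]:
    """Walk a document root and return (path, score) for PHP files at or above threshold."""
    hits: list[tuple[str, int]] = []
    for path in root.rglob("*.php"):
        try:
            score = webshell_score(path.read_text(errors="ignore"))
        except OSError:
            continue
        if score >= threshold:
            hits.append((str(path), score))
    return hits

# --- Constructed samples (placeholders, not indicators from the report) -----------

SAMPLE_AUTHORIZED_KEYS = """\
# baseline admin key
ssh-ed25519 AAAAC3BASELINEKEYEXAMPLE admin@host
command="/usr/bin/rsync --server" ssh-rsa AAAAB3BACKUPKEYEXAMPLE backup@host
ssh-ed25519 AAAAC3UNKNOWNKEYEXAMPLE
"""
APPROVED_KEY_BLOBS = ["AAAAC3BASELINEKEYEXAMPLE", "AAAAB3BACKUPKEYEXAMPLE"]

# Minimal detection test sample: request input fed through a decoder into an exec call.
SAMPLE_WEBSHELL = "<?php if(isset($_POST['c'])){echo shell_exec(base64_decode($_POST['c']));} ?>"
SAMPLE_BENIGN = "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>"

def demo_scan() -> list[tuple[str, int]]:
    """Write the samples into a temporary 'public_html' and scan it (self-contained run)."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "public_html"      # assumed cPanel-style document root
        docroot.mkdir()
        (docroot / "contact.php").write_text(SAMPLE_BENIGN)
        (docroot / "wp-cache.php").write_text(SAMPLE_WEBSHELL)
        return [(Path(p).name, s) for p, s in scan_php_tree(docroot)]

if __name__ == "__main__":
    print("unexpected keys:", unexpected_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEY_BLOBS))
    print("web shell hits:", demo_scan())
```

On a real host, point `unexpected_keys` at each account's `~/.ssh/authorized_keys` with a baseline you recorded before the disclosure, and run `scan_php_tree` over every document root; the score threshold of 2 keeps benign form handlers (which read request input but never execute it) out of the hit list.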
Further analysis reveals that these compromised systems are then used to inject JavaScript code that serves a customized login page. This deceptive page is designed to harvest user credentials, which are then ROT13-encoded and exfiltrated to an attacker-controlled server. The ultimate goal of this elaborate phishing technique is to facilitate the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux operating systems.
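A detection sketch for the ROT13-encoded exfiltration step, added here as an example and not taken from the report: because ROT13 is its own inverse, a log rule can simply decode each request parameter and re-test it for credential-like field names, which is something a rule matching only on plaintext `user=`/`pass=` would miss. The access-log lines, the `/c.php` endpoint and the `d=` parameter are constructed; the attacker's real collection endpoint is not given on this page.

```python
from __future__ import annotations

import codecs
import re
from typing import Iterable
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# Field names that suggest harvested login data once a value is decoded.
CREDENTIAL_HINTS = re.compile(r"\b(user(name)?|pass(word|wd)?|login|email|token)\s*[=:]", re.I)

def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(text, "rot_13")

def decoded_credential_fields(value: str) -> list[str]:
    """Return 'field=value' pairs that look like credentials only after ROT13 decoding."""
    if CREDENTIAL_HINTS.search(value):
        return []                       # plaintext credentials belong to a different rule
    return [f"{k}={v}" for k, v in parse_qsl(rot13(value)) if CREDENTIAL_HINTS.search(k + "=")]

def scan_request(uri: str, body: str = "") -> list[str]:
    """Check every query parameter (and form body field, if captured) of one request."""
    findings: list[str] = []
    for source in (urlsplit(uri).query, body):
        for key, value in parse_qsl(source):
            findings.extend(f"{key} -> {field}" for field in decoded_credential_fields(value))
    return findings

def scan_access_log(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, uri, findings) for each log line carrying ROT13-hidden credentials."""
    alerts: list[tuple[str, str, list[str]]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = scan_request(m["uri"])
        if found:
            alerts.append((m["ip"], m["uri"], found))
    return alerts

# Constructed log lines: the second carries rot13("user=admin&pass=secret") in its query.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2026:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2026:10:00:09 +0000] "GET /c.php?d=hfre%3Dnqzva%26cnff%3Dfrperg HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/May/2026:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, found in scan_access_log(SAMPLE_LOG):
        print(ip, uri, found)
```

Access logs only record the request line, so POST bodies are visible to this check only where a WAF or reverse proxy captures them; `scan_request` accepts such a body as its second argument. The plaintext short-circuit in `decoded_credential_fields` keeps this rule from double-alerting alongside whatever rule already covers unencoded credential leakage.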
Filemanager Backdoor Capabilities and Information Harvesting
The Filemanager backdoor, delivered via the aforementioned shell script, offers a comprehensive suite of functionalities for attackers. It supports robust file management operations, allows for remote command execution, and provides shell access, giving threat actors significant control over the victim’s server. This allows for further exploitation and lateral movement within the compromised network.
Beyond its core backdoor functionalities, the infector is also equipped to gather a wide array of sensitive information. This includes crucial data such as bash history logs, SSH credentials, detailed device information, database passwords, and cPanel virtual aliases. This harvested data is then systematically exfiltrated to a three-member Telegram group managed by an individual known as “0xWR,” suggesting a coordinated effort by the threat actor.
Evidence suggests that Mr_Rot13 has been operating with a high degree of stealth for an extended period. The command-and-control (C2) domain found within the malicious JavaScript code was previously identified in a PHP-based backdoor uploaded to VirusTotal in April 2022. This domain was first registered in October 2020, indicating a long-term infrastructure for malicious operations.
According to QiAnXin XLab, the detection rate for Mr_Rot13’s related samples and infrastructure has remained remarkably low over the past six years, from 2020 to the present. This low detection rate underscores the sophistication of their techniques and the potential for widespread, undetected compromise within the web hosting industry.
The ongoing exploitation of CVE-2026-41940 highlights the urgent need for administrators to apply the latest security patches for cPanel and WHM. The continued low detection rates associated with Mr_Rot13’s activities suggest that organizations should proactively monitor their systems for signs of compromise and strengthen their overall cybersecurity posture. Future activity will likely involve further refinement of their evasion techniques and a persistent effort to exploit unpatched systems.