
"Monitoring data shows that more than 2,000 attacker source IPs worldwide are currently involved in automated attacks and cybercrime activities targeting this vulnerability. These IPs are distributed across multiple regions globally, primarily originating from Germany, the United States, Brazil, the Netherlands, and other regions."
"Further analysis of the ongoing exploitation activity has uncovered a shell script that uses wget or curl to download a Go-based infector from a remote server ("cp.dene.[de[.]com") that's designed to implant a compromised cPanel system with an SSH public key for persistent access, along with dropping a PHP web shell that facilitates file upload/download and remote command execution."
"The web shell is then used to inject JavaScript code to serve a customized login page to steal login credentials and siphon them to an attacker-controlled system that's encoded using the ROT13 cipher ("wrned[.]com"). Once the details are transmitted, the attack chain culminates with the deployment of a cross-platform backdoor that's capable of infecting Windows, macOS, and Linux systems."
"The security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation."
A threat actor named Mr_Rot13 has been linked to exploitation of a recently disclosed critical cPanel vulnerability to deploy a backdoor called Filemanager. The activity targets CVE-2026-41940, which can allow authentication bypass and enable remote attackers to gain elevated control of cPanel. Shortly after public disclosure, multiple threat actors used the flaw for cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation. Monitoring indicates automated attacks from more than 2,000 source IPs worldwide, concentrated in several countries. The exploitation chain includes a shell script that downloads a Go-based infector using wget or curl. The infector implants an SSH public key for persistence and drops a PHP web shell for file transfer and remote command execution. The web shell injects JavaScript to present a customized login page that steals credentials and exfiltrates them to an attacker-controlled system encoded with ROT13. The process ends with deployment of a cross-platform backdoor for Windows, macOS, and Linux, and the infector collects sensitive host data such as bash history and SSH information.
Read at The Hacker News