A threat actor tracked as “Mr_Rot13” has been linked to active exploitation of the critical cPanel & WHM vulnerability (CVE-2026-41940), leveraging the flaw to deploy a cross-platform backdoor known as “Filemanager” on compromised servers.
The vulnerability, disclosed last month, affects both cPanel and WebHost Manager (WHM) and allows authentication bypass that can grant remote attackers administrative access with high privileges to hosting environments.
Researchers at QiAnXin XLab report that exploitation activity increased after public disclosure, with threat actors using the flaw to mine cryptocurrency, deploy ransomware, expand botnets and implant backdoors.
Telemetry identified more than 2,000 attacker IP addresses involved in automated exploitation campaigns worldwide. The malicious infrastructure spans multiple geographic regions, with most activity coming from Germany, the United States, Brazil, and the Netherlands.
Security researchers also linked the flaw to a May 2 breach targeting Southeast Asian government and military networks, where attackers allegedly exfiltrated approximately 4.37 GB of sensitive data. During follow-on analysis, researchers uncovered a previously undocumented malware loader written in Go and internally labeled “Payload.”
The malware contains numerous Turkish-language debug and logging strings that researchers believe may have been generated using AI tools. Once executed, the infector modifies credentials on compromised cPanel systems, implants attacker-controlled SSH public keys, deploys malicious PHP and JavaScript payloads, and steals login credentials. Harvested data is then sent to Telegram channels controlled by the attackers before the malware installs the Filemanager remote-access trojan.
According to the report, Filemanager is a fully cross-platform backdoor supporting Linux, Windows, and macOS (Darwin) environments. The malware provides persistent remote control capabilities and appears designed for long-term covert access rather than short-lived smash-and-grab intrusions.
Attribution analysis linked the campaign to infrastructure dating back several years. Researchers discovered that the downloader domain used in the operation shared the same command-and-control domain as a PHP backdoor uploaded to VirusTotal in 2022 that still reportedly has zero antivirus detections. Researchers believe the infrastructure has been active since at least 2020, suggesting the operators behind Mr_Rot13 are an experienced and persistent threat group capable of maintaining stealth over extended periods.
It should be noted that cPanel has released security updates for cPanel & WHM to fix three new vulnerabilities that could allow arbitrary file reads, remote code execution, and denial-of-service or privilege escalation. At present, there’s no indication that any of these flaws is being exploited in the wild. However, given the report above, organizations are strongly advised to apply the patches as soon as possible.