By Lyrie Threat Intelligence·5/2/2026

Regional Intelligence Play: cPanel Zero-Day Chains With Custom Exploits to Breach SE Asia Military & Exfil Chinese State Data

TL;DR

A sophisticated threat actor combined a critical cPanel authentication bypass (CVE-2026-41940, CVSS 9.8) with a custom zero-day exploit chain targeting an Indonesian defense-sector portal to breach government and military infrastructure across SE Asia, ultimately exfiltrating 4.37GB of sensitive Chinese railway documents containing PII, financial records, and national ID numbers.

What Happened

Ctrl-Alt-Intel uncovered an active APT-scale campaign that weaponizes CVE-2026-41940 (a pre-authentication CRLF injection in cPanel/WHM) as a foothold for broader intelligence collection operations. The campaign's sophistication goes well beyond the cPanel vulnerability: the threat actor deployed custom exploits, layered persistence mechanisms, and data exfiltration pipelines targeting SE Asian military and government infrastructure, with the ultimate objective of stealing documents from the China Railway Society Electrification Committee.

Technical Details

Initial Access: CVE-2026-41940 Exploitation

The campaign begins with rapid, mass exploitation of CVE-2026-41940, which affects all cPanel/WHM versions after v11.40. The flaw allows an unauthenticated attacker to:

  • Inject CRLF sequences into the login and session-loading processes
  • Manipulate the whostmgrsession cookie to spoof administrator sessions
  • Gain full root-level administrative access without valid credentials

CISA confirmed active exploitation before the vendor patch (April 28, 2026), and the Shadowserver Foundation observed 44,000 unique IPs scanning for victims or conducting brute-force attacks against honeypot sensors.

Custom Zero-Day Chain: Indonesian Defense Portal

Once inside a cPanel-compromised server, the threat actor pivoted to an Indonesian Defense sector training portal using valid credentials (acquisition method unknown). The custom exploit chain demonstrates sophisticated understanding of application-layer and database-layer vulnerabilities:

1. CAPTCHA Bypass: The attacker read the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge useless.

2. SQL Injection → RCE: Injecting SQL into a document-name field within a vulnerable save endpoint.

3. PostgreSQL COPY ... TO PROGRAM Escalation: Leveraging PostgreSQL's COPY ... TO PROGRAM capability to spawn arbitrary shell commands from the database layer.

4. Stealthy Exfiltration: Command output captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file() — a file-read channel entirely native to the database, leaving minimal forensic artifacts.

The exploit script (exploit_siak_bahasa.py, SHA-256: 974E272A...) contained Vietnamese-language comments, though Ctrl-Alt-Intel cautioned this may represent misdirection.

Persistence & Pivot Infrastructure

The actor deployed a multi-layered persistence and pivot stack:

  • OpenVPN server (95.111.250[.]175:1194/UDP) deployed as early as April 8, 2026, routing through 10.8.0.0/24.
  • Ligolo proxy agent installed under /usr/local/bin/.netmon/, masqueraded as systemd-update.service, configured for automatic restart.
  • AdaptixC2 payload (ELF binary) configured to beacon to delicate-dew.serveftp[.]com:4455.
  • PowerShell reverse shell (init.ps1) establishing TCP connections to 95.111.250[.]175:4444.

This layering ensures durable access even after OS reboot and creates multiple re-entry vectors.

Data Exfiltration: 4.37GB of Chinese Railway Intelligence

Using the pivot infrastructure, the attacker reached an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script. In total:

  • 110 files (~4.37GB) stolen from the China Railway Society Electrification Committee
  • Time span: 2020–2024
  • File types: .pptx, .pdf, .docx, .xlsx
  • Most sensitive content: 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers

Lyrie Assessment

This campaign represents a critical inflection point in the offensive AI era:

1. Vulnerability Weaponization at Scale: The attacker didn't just exploit the cPanel vulnerability—they combined it with zero-day reconnaissance, custom exploit chains, and stealthy exfiltration pipelines. This is the pattern Lyrie's autonomous defense systems must detect: rapid chaining of known + custom exploits, not exploitation of a single CVE in isolation.

2. Database-Layer Evasion: The use of PostgreSQL's native COPY ... TO PROGRAM and pg_read_file() for exfiltration is a forensic-evasion play. It leaves minimal disk artifacts and lives entirely within the database's logical layer. Traditional EDR/SIEM detection rules keyed to process spawning, network exfiltration, or file I/O will miss this. Lyrie's platform must learn to detect database-layer command execution as a first-class threat model.

3. Attribution & Misdirection: The presence of Vietnamese-language comments combined with victimology (SE Asian military/government targets + theft of Chinese state data) suggests either a Chinese-nexus actor using Vietnamese-language developers as cover, or a Vietnamese-linked operator working as a contractor. This is a new model for nation-state operations: use regional talent as a buffer against attribution. Automated defenses must treat developer-language and geolocation as weak signals, not strong attribution anchors.

4. The Persistence Stack: OpenVPN + Ligolo + masked systemd services is a textbook advanced persistence model. The attacker is preparing for defender-speed detection: if one C2 channel is burned, the layered pivot infrastructure ensures re-entry via multiple routes. This is exactly the scenario where agentic autonomous defense (constant live probing of internal routing, real-time pivot detection) has an asymmetric advantage over human-speed threat hunting.

5. Target Convergence: The campaign targets SE Asian government/military for access to Chinese state-adjacent data (railway, transport, finance). This is intelligence collection via critical infrastructure, not ransomware. As geopolitical tensions rise, expect more campaigns designed to steal via trusted institutional networks rather than extort from them.

Recommended Actions

1. Immediate (Today):

- All cPanel/WHM instances: Patch to the latest version immediately, then confirm the installed cPanel version from a terminal on each host.

- Audit cPanel logs for CRLF-based session manipulation: grep for \r\n patterns in whostmgr session files.

- Check for lingering OpenVPN processes or Ligolo agent binaries at /usr/local/bin/.netmon/ or masked systemd services.

2. Short-Term (This Week):

- Database layer monitoring: Enable PostgreSQL command logging (log_statement = 'all') and alert on COPY ... TO PROGRAM, COPY ... TO, and pg_read_file() usage.

- Network segmentation audit: Ensure database servers cannot reach external VPN or C2 infrastructure. Restrict egress to only necessary internal hosts.

- Threat intelligence integration: Import the IoCs (IP 95.111.250[.]175, domain delicate-dew.serveftp[.]com, and the SHA-256 file hashes listed below) into your EDR/SIEM and alert on any matches.
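An added detection example (not code from this report or from Ctrl-Alt-Intel) for the database-layer monitoring step above: a Python scanner that parses PostgreSQL statement-log lines as written with log_statement = 'all', strips SQL comments, and flags COPY ... TO/FROM PROGRAM, pg_read_file()/pg_read_binary_file(), and COPY to a server-side path. The log lines, role name, database name and paths are constructed for the example.

```python
import re

# Constructed sample of a PostgreSQL log written with log_statement = 'all' (not a real
# log from the incident); tab-indented lines are continuations of the previous statement.
SAMPLE_LOG = (
    "2026-04-09 03:12:41 UTC [2201] app@siak LOG:  statement: SELECT id, name FROM documents WHERE id = 7\n"
    "2026-04-09 03:12:42 UTC [2201] app@siak LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id > /tmp/.o 2>&1'\n"
    "2026-04-09 03:12:43 UTC [2201] app@siak LOG:  statement: UPDATE documents SET name =\n"
    "\tencode(pg_read_file('/tmp/.o'), 'base64') WHERE id = 7\n"
    "2026-04-09 03:12:44 UTC [2205] app@siak LOG:  statement: COPY documents TO '/tmp/d.csv' CSV\n"
    "2026-04-09 03:12:45 UTC [2205] app@siak LOG:  execute <unnamed>: copy/**/t/**/to/**/program 'uname -a'\n"
    "2026-04-09 03:12:46 UTC [2205] app@siak LOG:  statement: COPY documents TO STDOUT\n"
)

STATEMENT_RE = re.compile(r"^(?P<prefix>.*?)LOG:\s+(?:statement|execute [^:]+):\s+(?P<sql>.*)$")

# (rule, severity, pattern); patterns run against a comment-stripped, whitespace-collapsed statement.
RULES = [
    ("copy_program", "critical", re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b", re.I)),
    ("pg_read_file", "high", re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I)),
    ("copy_server_file", "medium", re.compile(r"\bCOPY\b.*\b(?:TO|FROM)\s+'", re.I)),  # server path, not STDOUT/STDIN
]

def normalize(sql):
    """Strip /* */ and -- comments and collapse whitespace so COPY/**/TO/**/PROGRAM still matches."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return " ".join(sql.split())

def iter_statements(log_text):
    """Yield (log prefix, raw SQL) for 'statement:' and 'execute <name>:' entries, joining continuation lines."""
    prefix, buf = "", []
    for line in log_text.splitlines():
        if line.startswith("\t") and buf:
            buf.append(line.strip())
            continue
        if buf:
            yield prefix, "\n".join(buf)
            buf = []
        m = STATEMENT_RE.match(line)
        if m:
            prefix, buf = m.group("prefix").strip(), [m.group("sql")]
    if buf:
        yield prefix, "\n".join(buf)

def scan_log(log_text):
    """Match each comment-stripped statement against RULES; return (rule, severity, prefix, sql) hits."""
    alerts = []
    for prefix, sql in iter_statements(log_text):
        norm = normalize(sql)
        alerts += [(name, sev, prefix, norm) for name, sev, pat in RULES if pat.search(norm)]
    return alerts
```

By default only superusers (or members of pg_execute_server_program / pg_read_server_files) can run COPY ... TO PROGRAM and pg_read_file(), so an application role hitting these rules is itself a finding about over-privileged database accounts.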

3. Long-Term (This Month):

- Shift database-layer threat detection left: Build Lyrie-class autonomous detection into your database query layer. Look for unusual COPY commands, pg_read_file() access patterns, and command-execution attempts via PostgreSQL functions.

- Practice forensics for database exfiltration: Train your IR team to audit PostgreSQL logs, transaction history, and pg_log for signs of this attack. Disk-based forensics alone will not catch database-native exfiltration.

- Regional threat modeling: If your organization operates in SE Asia or maintains sensitive data accessible via SE Asian government/military networks, conduct immediate risk reassessment. This campaign signals heightened nation-state interest in regional infrastructure.

Indicators of Compromise (IoCs)

| Indicator | Type | Context |
|---|---|---|
| 95.111.250[.]175 | IP Address | Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure |
| delicate-dew.serveftp[.]com | Domain | C2 domain; present in recovered certificates |
| systemd-update.service | File Name | Masqueraded Linux persistence service |
| /usr/local/bin/.netmon/ | File Path | Hidden directory containing Ligolo reverse-connect payload |
| init.ps1 | File Name | PowerShell reverse shell |
| 64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 | SHA-256 | Hash of init.ps1 |
| exploit_siak_bahasa.py | File Name | Custom authenticated SQLi → PostgreSQL RCE exploit |
| 974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD | SHA-256 | Hash of exploit_siak_bahasa.py |
| exfil_docs_v2.sh | File Name | Custom SFTP / lftp document exfiltration script |
| 734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F | SHA-256 | Hash of exfil_docs_v2.sh |
| 1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB6D15CF | SHA-256 | Hash of ELF C2 payload |

Sources

1. https://cybersecuritynews.com/cpanel-vulnerability-exploited/ (Primary analysis)

2. https://ctrlaltintel.com/research/SEA-CPanel/ (Ctrl-Alt-Intel technical deep-dive)

3. https://www.cisa.gov/news-events/alerts/2026/04/30/cisa-orders-federal-agencies-patch-cPanel-cve-2026-41940 (CISA alert)

4. https://www.shadowserver.org/what-we-do/shadowserver-foundation/ (Shadowserver Foundation honeypot observations)

Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.