Mr_Rot13: The 6-Year Shadow Campaign Exploiting cPanel CVE-2026-41940
TL;DR
A sophisticated threat actor tracked as Mr_Rot13 has been operating silently since 2020, exploiting cPanel's CVE-2026-41940 (critical auth bypass) to deliver a multi-stage infection chain that yields persistent backdoor access, credential harvesting, and cross-platform malware deployment. Over 2,000 attacker IPs are currently conducting automated exploitation at scale globally.
What Happened
On May 11-12, 2026, QiAnXin XLab researchers disclosed active exploitation of CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM). The flaw was publicly disclosed in late April 2026, but threat actors—particularly the group tracked as Mr_Rot13—wasted no time weaponizing it.
Real-time monitoring detected over 2,000 attacker source IPs conducting automated attacks worldwide, with primary origination points in:
- Germany
- United States
- Brazil
- Netherlands
- And additional regions globally
What distinguishes this campaign from typical drive-by exploitation is the sophistication and persistence of the post-exploitation chain and the 6-year operational history of the threat actor, suggesting advanced capability and patient infrastructure development.
Technical Details
The Attack Chain
Stage 1: Initial Access
- Exploit CVE-2026-41940 (auth bypass) to gain elevated cPanel/WHM access
- No credentials needed due to authentication bypass
Stage 2: Credential Harvesting
- Deploy shell script that downloads a Go-based infector from attacker infrastructure
- Infrastructure domains include cp.dene.de (observed in active campaigns)
- Execute Go infector on compromised cPanel instance
Stage 3: Persistence & Backdoor
- SSH public key implant for persistent access
- Deploy PHP web shell for file upload/download and RCE
- Web shell injects JavaScript to serve a fake cPanel login page
- Stolen credentials are ROT13-encoded and exfiltrated to the attacker-controlled domain wrned.com
Stage 4: Cross-Platform Infection
- Deliver Filemanager backdoor (cross-platform: Windows, macOS, Linux)
- Information stealer component collects:
  - Bash history
  - SSH keys and configurations
  - Device fingerprints
  - Database passwords
  - cPanel virtual aliases (valiases)
- Data exfiltrated to Telegram group (operator: "0xWR")
Stage 5: Payload Variety
Observed post-compromise behaviors include:
- Cryptocurrency mining
- Ransomware deployment
- Botnet propagation
- Additional remote access trojans
Attribution & Historical Footprint
The threat actor Mr_Rot13 exhibits sophisticated operational security:
- ROT13 obfuscation in command-and-control infrastructure (a nod to the actor's handle)
- C2 domains registered as early as October 2020
- PHP-based backdoor component (helper.php) detected on VirusTotal in April 2022
- Extremely low detection rates across security products over 6+ years
- Implies a patient, well-funded operator with infrastructure maturity
The group has evolved its malware delivery and C2 mechanisms over years, allowing it to evade detection while maintaining access.
Lyrie Assessment
This campaign is emblematic of asymmetric defender disadvantage in 2026:
Why CISOs Must Care
1. Zero Time to Patch: Exploitation began within days of public disclosure. Organizations running cPanel/WHM have had a minimal window to apply CVE-2026-41940 patches. By the time patches are deployed, attackers have already established persistent footholds via Stages 3 and 4.
2. Post-Compromise Persistence Complexity: The multi-stage chain means detection requires visibility at multiple layers:
- Anomalous outbound connections (Go infector downloads)
- Unexpected SSH key insertions
- PHP web shell execution (often masked in legitimate traffic)
- Credential injection anomalies
- Telegram API calls (unusual for cPanel environments)
Traditional EDR/XDR misses this if deployed only on endpoints, not on infrastructure management layers.
3. Supply Chain Position: Compromised cPanel instances are the trust anchor for entire hosting environments. A single breached cPanel can yield access to hundreds or thousands of hosted domains/customers. For managed service providers and hosting companies, this is an existential incident.
4. Agentic Inference Risk: The Filemanager backdoor's cross-platform execution and command-and-control via Telegram means an attacker can weaponize a cPanel compromise to pivot into customer networks dynamically. An autonomous defense system must detect and respond to lateral movement before the attacker's agentic layer triggers mass deployment.
5. Identity & Credential Theft at Scale: The ROT13-encoded credential harvesting suggests the attacker is building a credential warehouse—perfect for identity-based attacks, supply-chain pivots, and future campaigns against customers of the compromised hosting provider.
Autonomous Defense Requirement
Lyrie's autonomous response layer must:
- Detect anomalous outbound activity from cPanel/WHM processes (Go infector downloads, Telegram C2)
- Flag SSH key insertion outside normal provisioning workflows
- Monitor for web shell execution in unexpected file paths (PHP files in temp/cache directories)
- Correlate credential exfiltration with unauthorized access patterns
- Isolate compromised instances before lateral movement escalates
Recommended Actions
For cPanel/WHM Operators
1. Immediate: Apply CVE-2026-41940 security patches (if available) or disable remote WHM access until patched
2. Forensics: Audit all SSH keys, PHP files, and recent shell script execution on cPanel instances
3. Threat Hunt: Search for:
- cp.dene.de or wpsock.com DNS queries
- Outbound connections to wrned.com (ROT13 C2)
- Telegram API calls from cPanel daemons
- Recent PHP file creation/modification in non-standard directories
4. Isolation: Segment cPanel infrastructure from customer networks pending full remediation
5. Credential Reset: Force password resets for all cPanel/WHM accounts; rotate API keys
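As an added example (not from the advisory or from XLab's research), the script below runs the Threat Hunt checks from step 3 and the detection layers listed under "Post-Compromise Persistence Complexity" against constructed log lines: IOC domain matches in DNS and outbound-connection logs, Telegram calls from cPanel daemons, and .php files created in writable temp directories. The Telegram hostname api.telegram.org, the cPanel daemon names, the log format and the suspicious-directory list are assumptions to adapt to your own telemetry.

```python
# Domains named in the advisory plus the assumed Telegram API endpoint.
IOC_DOMAINS = {"cp.dene.de", "wpsock.com", "wrned.com", "api.telegram.org"}
# Assumed cPanel daemon process names; a Telegram call from any of these is flagged.
CPANEL_PROCS = {"cpsrvd", "cpanellogd", "cpdavd"}
# Writable directories where a freshly created .php file is out of place (assumption).
SUSPICIOUS_PHP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample telemetry, not real captures. Format: "<source> key=value ...".
SAMPLE_LOGS = [
    "dns host=web01 query=cp.dene.de type=A",
    "dns host=web01 query=mail.example.org type=MX",
    "conn host=web01 proc=cpsrvd dst=wrned.com:443",
    "conn host=web02 proc=cpanellogd dst=api.telegram.org:443",
    "conn host=web03 proc=httpd dst=notwrned.com:443",
    "file host=web01 event=create path=/tmp/.cache/helper.php",
    "file host=web02 event=create path=/home/user/public_html/index.php",
]

def parse(line):
    """Split '<source> k=v k=v ...' into a dict; values contain no spaces here."""
    src, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["src"] = src
    return fields

def domain_matches(name, iocs):
    """Exact or subdomain match only, so 'notwrned.com' does not hit 'wrned.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)

def hunt(lines):
    """Return (host, finding, detail) tuples for every line matching a hunt rule."""
    hits = []
    for line in lines:
        f = parse(line)
        if f["src"] == "dns" and domain_matches(f["query"], IOC_DOMAINS):
            hits.append((f["host"], "ioc-dns", f["query"]))
        elif f["src"] == "conn":
            dst = f["dst"].rsplit(":", 1)[0]  # strip the port
            if domain_matches(dst, {"api.telegram.org"}) and f["proc"] in CPANEL_PROCS:
                hits.append((f["host"], "telegram-from-cpanel", f["proc"]))
            elif domain_matches(dst, IOC_DOMAINS):
                hits.append((f["host"], "ioc-conn", f"{f['proc']}->{dst}"))
        elif f["src"] == "file" and f["event"] == "create":
            path = f["path"]
            if path.endswith(".php") and path.startswith(SUSPICIOUS_PHP_DIRS):
                hits.append((f["host"], "php-drop", path))
    return hits
```

Calling `hunt(SAMPLE_LOGS)` yields four findings (one per rule) and leaves the benign DNS query, the look-alike `notwrned.com` connection and the `public_html` file untouched.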
For Hosting Providers & Managed Service Providers
1. Notify customers immediately if their instances were running vulnerable cPanel versions
2. Provide detection signatures for Filemanager backdoor and Stage 2 Go infector artifacts
3. Implement network-wide detection for Telegram exfiltration channels
4. Deploy zero-trust access for customer domains—require re-authentication post-incident
For CISOs at Lyrie's Scale
- Continuous monitoring of third-party cPanel infrastructure (if applicable)
- Incident response playbook for compromise of managed hosting platforms
- Agentic containment rules: Auto-block Telegram APIs, terminate suspicious SSH sessions, quarantine outbound exfiltration
Sources
1. https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html
2. https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/
3. https://www.hendryadrian.com/threat-research-weekly-recap-10-may-2026/
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.