thehackernews.com 5/11/2026, 6:00:49 PM · via preferred

Mr_Rot13 Exploits Critical cPanel Flaw, Deploys Filemanager

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available
Threat Actor: Mr_Rot13

A threat actor named Mr_Rot13 has been linked to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments, according to a new report from QiAnXin XLab. The vulnerability, CVE-2026-41940, affects cPanel and WebHost Manager (WHM) and can result in an authentication bypass that enables remote control of the panel.

The ongoing exploitation has involved more than 2,000 attacker source IPs worldwide, with activity observed across regions including Germany, the United States, Brazil, and the Netherlands, XLab researchers said.

The infection chain uses a shell script that downloads a Go-based infector from a remote server to implant an SSH public key for persistent access and drops a PHP web shell to facilitate file upload/download and remote command execution. The web shell injects JavaScript to serve a customised login page and siphon credentials to an attacker-controlled system encoded with ROT13.

The Filemanager backdoor is delivered via a shell script from the wpsock[.]com domain and provides file management, remote command execution and shell functionality. C2 activity is tied to a PHP-based backdoor and a cross-platform backdoor capable of infecting Windows, macOS and Linux.
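A hunting aid for the injected login-page JavaScript described above, added here as an example and not taken from the XLab report or the article: it flags string literals in web files that look like a URL or hostname only after ROT13 decoding. It assumes the exfiltration destination is stored ROT13-encoded inside the script; the function name, the TLD list and the sample input (reserved example hosts) are constructed for illustration.

```python
import codecs
import re
import sys

# Quoted string literals of 8+ characters in JavaScript or PHP source.
STRING_LITERAL = re.compile(r"""(["'])([^"'\\\n]{8,})\1""")
# Shape a decoded literal must have to count as a network destination.
# The TLD list for bare hostnames is an assumption; extend it as needed.
DESTINATION = re.compile(
    r"^(?:https?|wss?)://[\w.-]+\.[a-z]{2,}(?:[:/]\S*)?$"
    r"|^(?:[a-z0-9-]+\.)+(?:com|net|org|info|io|xyz|top)(?:/\S*)?$",
    re.IGNORECASE,
)

def rot13_destinations(source):
    """Return (line_no, literal, decoded) for literals that look like a
    URL or hostname only after ROT13 decoding."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(2)
            if DESTINATION.match(literal):
                continue  # readable URL, visible to ordinary review
            decoded = codecs.decode(literal, "rot13")
            if DESTINATION.match(decoded):
                hits.append((line_no, literal, decoded))
    return hits

# Constructed sample: a login-page script with one readable URL and two
# ROT13-encoded destinations (reserved example hosts, not real indicators).
SAMPLE = "\n".join([
    'var cdn = "https://static.example.invalid/login.css";',
    'var form = document.getElementById("login_form");',
    'var sink = "%s";' % codecs.encode("https://collector.example.invalid/log", "rot13"),
    "var alt = '%s';" % codecs.encode("drop.example.com/c.php", "rot13"),
])

if __name__ == "__main__":
    # Scan files named on the command line, or the sample if none are given.
    texts = {p: open(p, errors="replace").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, text in texts.items():
        for line_no, literal, decoded in rot13_destinations(text):
            print(f"{name}:{line_no}: {literal!r} decodes to {decoded!r}")
```

A hit is a lead for manual review of the file, not proof of compromise; minified bundles can contain literals that decode to hostname-like text by chance.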


Article by CyberSIXT
