thehackernews.com 5/4/2026, 11:01:40 AM

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

CyberSIXT Evidence Panel
Primary source: ctrlaltintel.com
CISA KEV: listed in KEV
Patch: available

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of MSPs and hosting providers in the Philippines, Laos, Canada, South Africa and the United States, by exploiting the recently disclosed cPanel vulnerability CVE-2026-41940.

The activity, detected by Ctrl-Alt-Intel on 2 May 2026, involves the abuse of this vulnerability to gain elevated control of the cPanel/WHM environment, with the attack originating from the IP address 95.111.250[.]175 and targeting Philippine and Lao government domains as well as MSPs and hosting providers.

Ctrl-Alt-Intel noted the threat actor used a separate custom exploit chain for an Indonesian defence sector training portal, employing authenticated SQL injection and remote code execution after obtaining portal credentials. The group is said to have used the AdapdixC2 framework, alongside OpenVPN and Ligolo, to maintain persistent access and pivot inside internal networks, exfiltrating a substantial corpus of Chinese railway-sector documents.

According to Censys analysis quoted by The Hacker News, the cPanel flaw was being weaponised by multiple third parties within 24 hours of disclosure, including Mirai botnet variants and a ransomware strain called Sorry. Shadowserver Foundation data show that at least 44,000 IPs likely compromised via CVE-2026-41940 were observed scanning and brute-forcing honeypots on 30 April 2026; the figure was reported as 3,540 by 3 May.


Article by CyberSIXT
