- Attacker identified as Mr_Rot13 exploits critical cPanel flaw (CVE-2024-41940) allowing remote authentication bypass and system takeover
- Deploys Filemanager backdoor via Go-based infector that steals SSH keys, login credentials, implants cross-platform backdoor
- Campaign involves over 300,000 attacker IPs globally (primarily from Germany, US, Brazil, Netherlands) with low detection rates for six years
A sophisticated cybercriminal operation has been leveraging a critical vulnerability in cPanel’s WebHost Manager (WHM) for weeks, enabling widespread server compromises. According to a new report from QiAnXin’s XLab, the flaw tracked as CVE-2024-41940 has been actively exploited since its public disclosure in late May.
Monitoring data indicates more than 300,000 attacker source IPs worldwide are currently involved in automated attacks targeting this vulnerability. Researchers note these IPs are distributed globally, primarily originating from Germany, the United States, Brazil, the Netherlands, other regions. The threat actor behind the campaign, identified as Mr_Rot13, has been operating with remarkable stealth for approximately six years.
The attack sequence begins with exploitation of the cPanel flaw to deploy a backdoor named Filemanager on compromised systems. Further analysis uncovered a shell script that downloads a Go-based infector designed to implant the compromised cPanel system with an SSH public key for persistent access, along with dropping a PHP web shell. This web shell then injects JavaScript code to serve a customized login page that steals credentials and transmits them to an attacker-controlled server encoded using the ROT13 cipher.
Once transmitted, the attack chain culminates with deployment of a cross-platform backdoor capable of infecting Windows, macOS and Linux systems. The infector also collects sensitive information including bash history, SSH data, device details, database passwords, and cPanel virtual aliases. Collected data is sent to a 3-member Telegram group created by a user named “0xWR.
There are signs that the threat actor has been operating silently in the shadows for years. This assessment is based on the fact that the command-and-control (C2) domain embedded in the JavaScript code has been put to use in a PHP-based backdoor uploaded to the VirusTotal platform in April 2022. The domain was first registered in October 2020. “Over the six years from 2020 to the present, the detection rate of Mr_Rot13’s related samples and infrastructure across security products has remained extremely low,” XLab said.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Tesla’s $420 Price Includes Free Optimus: Piper
- Google Threat Intelligence Group has confirmed that cybercriminals are using AI to develop zero-day exploits targeting a popular open-source web administration tool. This marks the first time Google has identified AI-assisted zero-day development in the wild.Cybercriminals used an AI model to discover and weaponize a zero-day vulnerability in a popular open-source web administration tool, according to Google’s Threat Intelligence Group.In a report published Monday, Google said the flaw let attackers bypass two-factor authentication and warned that the attackers were preparing a mass exploitation campaign before the company intervened. It is the first time Google has confirmed AI-assisted zero-day development in the wild.“As the coding capabilities of AI models advance, we continue to observe adversaries increasingly leverage these tools as expert-level force multipliers for vulnerability research and exploit development, including for zero-day vulnerabilities,” Google wrote. While these tools empower defensive research, they also lower the barrier for adversaries to reverse-engineer applications and develop sophisticated and AI-generated exploits.The report comes as researchers and governments warn that AI models are accelerating cyberattacks by helping hackers find vulnerabilities and generate malware, and automate exploit development.Though frontier LLMs struggle to navigate complex enterprise authorization logic, they have an increasing ability to perform contextual reasoning and effectively reading the developer’s intent to correlate the 2FA enforcement logic with the contradictions of its hard-coded exceptions,” the report said. This capability can allow models to surface dormant logic errors that appear functionally correct to traditional scanners but are strategically broken from a security perspective.According to Google, the unnamed attackers used AI to identify a logic flaw where the software trusted a condition that bypassed its two-factor authentication protections. Unlike traditional scanners that search for broken code or crashes, the AI analyzed how the software was intended to work and detected the contradiction, allowing attackers to bypass the security check without breaking the encryption itself.“AI-driven coding has accelerated the development of infrastructure suites and polymorphic malware by adversaries,” Google wrote. These AI-enabled development cycles facilitate defense evasion by enabling the creation of obfuscation networks and the integration of AI-generated decoy logic in malware that we have linked to suspected Russia-nexus threat actors.The report says that threat actors from China and North Korea are using AI to find software weaknesses, while Russian groups are using it to hide their malware.These actors have leveraged sophisticated approaches toward AI-augmented vulnerability discovery and exploitation, beginning with persona-driven jailbreaking attempts and the integration of specialized and high-fidelity security datasets to augment their vulnerability discovery and exploitation workflows,” Google wrote.While Google’s report aimed to warn about the growing risk of AI-powered cyberattacks, some researchers argue that the fear is overblown. A separate study led by Cambridge University of over 90,000 cybercrime forum threads found that most criminals were using AI for spam and phishing rather than vibe coding sophisticated cyberattacks.“The role of jailbroken LLMs (Dark AI) as instructors is also overstated, given the prominence of subculture and social learning in initiation – new users value the social connections and community identity involved in learning hacking and cybercrime skills as much as the knowledge itself,” the study said. Our initial results, therefore, suggest that even bemoaning the rise of the Viber criminal may be overstating the level of disruption to date.Despite Cambridge’s findings, however, the Threat Intelligence Group’s report also comes as Google has faced security concerns tied to AI-powered tools. In April, the company patched a prompt injection flaw in its Antigravity AI coding platform that researchers said could let attackers execute commands on a developer’s machine through manipulated prompts.“Although we do not believe Gemini was used based on the structure and content of these exploits, we have high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability,” Google researchers wrote.Earlier this year, Anthropic restricted access to its Claude Mythos model after tests showed it could identify thousands of previously unknown software flaws. The findings also add to growing concerns that AI models are reshaping cybersecurity by helping both defenders and attackers find vulnerabilities faster.“As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus,” Mozilla wrote in a blog post in April. “For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up.”
- BitMine Slows ETH Buys; Lee Sets $62K Price Target
- Crypto Conference After-Party at Strip Club Sparks Backlash
- Indian Stock Market Plunge: Sensex Crashes 1200 Points
