Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Reports describe the flaw as a pre-authentication bypass that can allow attackers to forge an authenticated session and reach WHM-level access without valid credentials... The most visible attack linked to CVE-2026-41940 is Sorry ransomware... There is also a separate campaign that deployed a Mirai botnet variant called nuclear.x86 after initial compromise. The cPanel flaw is being mass-exploited to breach websites and encrypt data in Sorry ransomware attacks.
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Reports describe the flaw as a pre-authentication bypass that can allow attackers to forge an authenticated session and reach WHM-level access without valid credentials.
Security researchers at XLab have outlined an active attack campaign targeting CVE-2026-41940... The vulnerability allows an attacker to log into a cPanel server without a username or password, effectively handing them administrator control over the cPanel host system.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go-based Linux ransomware encryptor deployed after cPanel/WHM compromise via CVE-2026-41940. It encrypts hosted website files across multi-tenant environments, appends the .sorry extension, and drops a README.md ransom note in each folder.
Ransomware associated with the .sorry file extension was observed encrypting files on compromised cPanel/WHM hosts and appending the .sorry suffix. Open directories exposed renamed files and ransom notes instructing victims to contact the operators via qTox.
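A triage check a responder could run on a suspected cPanel/WHM host, added here as an example that is not from the page or from Mallory: it walks a hosting root and tallies, per tenant, files carrying the .sorry suffix and README.md files that read like the ransom note. The note markers (the qTox contact and the extension) and the constructed sample tree are assumptions, since the page does not quote the note text.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above: encrypted files get a
# ".sorry" suffix and a README.md note is dropped in each folder.
ENCRYPTED_SUFFIX = ".sorry"
NOTE_NAME = "README.md"
# Assumed markers: a web root often has a legitimate README.md, so only
# flag notes that mention the contact channel or the extension.
NOTE_MARKERS = ("qtox", ".sorry")


def _looks_like_ransom_note(path):
    """Return True if a README.md contains one of the assumed note markers."""
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_hosting_root(root):
    """Walk a multi-tenant hosting root (e.g. /home) and tally findings.

    Returns {tenant: {"encrypted": n, "notes": n}} for tenants with hits;
    the first path component below root is treated as the tenant name."""
    root = Path(root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        tenant = rel.parts[0] if rel.parts else "<root>"
        for name in filenames:
            if name.endswith(ENCRYPTED_SUFFIX):
                findings.setdefault(tenant, {"encrypted": 0, "notes": 0})["encrypted"] += 1
            elif name == NOTE_NAME and _looks_like_ransom_note(Path(dirpath) / name):
                findings.setdefault(tenant, {"encrypted": 0, "notes": 0})["notes"] += 1
    return findings


def demo():
    """Constructed sample layout: one hit tenant, one clean tenant with a normal README."""
    with tempfile.TemporaryDirectory() as tmp:
        hit = Path(tmp, "victim", "public_html")
        hit.mkdir(parents=True)
        (hit / "index.php.sorry").write_bytes(b"\x00" * 16)
        (hit / NOTE_NAME).write_text("Contact us via qTox to recover your .sorry files")
        clean = Path(tmp, "clean", "public_html")
        clean.mkdir(parents=True)
        (clean / NOTE_NAME).write_text("# My site\nBuilt with WordPress")
        (clean / "index.php").write_text("<?php echo 1;")
        return scan_hosting_root(tmp)


if __name__ == "__main__":
    print(demo())  # → {'victim': {'encrypted': 1, 'notes': 1}}
```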
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.