Mr_Rot13

Mr_Rot13 is a threat actor tracked by QiAnXin XLab and linked to active exploitation of the critical cPanel & WHM authentication bypass vulnerability CVE-2026-41940. The group has been attributed to automated attacks against exposed Linux hosting environments, with researchers reporting more than 2,000 attacker source IPs involved globally. Reported follow-on activity associated with exploitation includes backdoor deployment, credential theft, cryptomining, ransomware, and botnet propagation. In the intrusion chain described in the content, Mr_Rot13 uses a shell script to download a Go-based infector referred to as Payload from infrastructure including cp.dene.de.com. The malware changes the root password, implants an SSH public key for persistence, drops a PHP webshell at /usr/local/cpanel/cgi-sys/cpanel.py, modifies the cPanel login page with malicious JavaScript to steal usernames and passwords, collects bash history, SSH data, device information, database passwords, and valiases data, and exfiltrates data to attacker infrastructure and a Telegram group. The JavaScript hides its credential-theft endpoint using ROT13, decoding to wrned.com. The campaign ultimately installs a cross-platform remote-control trojan/backdoor named Filemanager, delivered via wpsock.com, which supports file management, remote command execution, shell access, and has builds for Linux, Windows, and macOS. XLab states the actor name was derived from the Telegram creator handle "0xWR" and the use of ROT13 obfuscation in the operation. The content also links Mr_Rot13 to older activity involving a PHP backdoor named helper.php that communicated with wrned.com, indicating the group may have operated since at least 2020 and has used stable long-lived infrastructure with low detection rates. The content additionally states that WordPress was also targeted in related activity. Known associated aliases and identifiers mentioned in the content are Mr_Rot13, mr_rot13, and the Telegram handle 0xWR.