Mallory
Malware. Used by 1 actor.

helper.php

helper.php is a PHP backdoor linked in the reporting to the threat cluster tracked as Mr_Rot13. Researchers identified it as a PHP file uploaded to VirusTotal in 2022 that at the time reportedly had zero antivirus detections. The sample communicated with the domain wrned.com, specifically reporting request metadata to https://wrned.com/api.php?t=3&c=1, and used XOR-based string obfuscation. The reporting states that the malicious code was hidden inside a legitimate WordPress file, indicating WordPress was also targeted by the same actor. Attribution to Mr_Rot13 is based on infrastructure overlap with later activity using wrned.com and related infrastructure. A reported sample hash for helper.php is MD5 2286f126ab4740ccf2595ad1fa0c615c.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Mr_Rot13

Researchers discovered a PHP backdoor named helper.php linked to the Mr_Rot13 threat group and uploaded to VirusTotal in 2022 with no antivirus detections.

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Persistence

2 techniques
T1505 Server Software Component (evidence: 2)

Researchers discovered a PHP backdoor named helper.php linked to the Mr_Rot13 threat group... The malware hid malicious code inside a legitimate WordPress file using XOR string obfuscation.

T1505.003 Web Shell (evidence: 2)

Implant PHP Webshell... The Webshell's download address is https://cp.dene.de[.]com/cpanel.py, with a local path of /usr/local/cpanel/cgi-sys/cpanel.py. This Webshell is named Cpanel-Python and supports file upload & browsing, as well as remote command execution.

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 3)

The server address uggcf://jearq.pbz/ybt.cuc?g=3 is encoded using ROT13... The obfuscation method is a simple string XOR concatenation obfuscation... after de-obfuscation it becomes str_rot13.
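As an added, defender-side example (not code from the report or from Mallory): a small Python scanner that applies the ROT13 decoding described above to every string literal in a PHP file and flags literals that decode to a URL or to a sensitive PHP function name such as str_rot13. The PHP fragment is constructed for the example; only the encoded address is the one quoted in the evidence, and the variable names and the call line are invented.

```python
import codecs
import re

# Constructed sample in the style of a ROT13-obfuscated PHP backdoor.
# The encoded URL is the one quoted in the report; everything else is
# invented for illustration.
SAMPLE_PHP = r"""<?php
$u = 'uggcf://jearq.pbz/ybt.cuc?g=3';
$f = 'fge_ebg13';
$x = $f($u);
"""

# Single- or double-quoted PHP string literals (backslash escapes allowed).
STRING_LITERAL = re.compile(r"'([^'\\]*(?:\\.[^'\\]*)*)'"
                            r'|"([^"\\]*(?:\\.[^"\\]*)*)"')
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# PHP functions whose name hidden behind ROT13 is a strong signal.
SUSPICIOUS_FUNCS = {"str_rot13", "base64_decode", "eval", "system",
                    "shell_exec", "passthru", "gzinflate", "curl_exec",
                    "file_put_contents", "assert"}


def rot13_findings(php_source):
    """Return (literal, decoded, reason) for every string literal whose
    ROT13 decoding is a URL or a sensitive PHP function name."""
    findings = []
    for m in STRING_LITERAL.finditer(php_source):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        dec = codecs.decode(lit, "rot13")  # str -> str in Python 3
        if URL_RE.match(dec):
            findings.append((lit, dec, "rot13-encoded URL"))
        elif dec.lower() in SUSPICIOUS_FUNCS:
            findings.append((lit, dec, "rot13-encoded function name"))
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; in practice read each PHP file
    # under the web root and review anything reported here.
    for lit, dec, reason in rot13_findings(SAMPLE_PHP):
        print(f"{reason}: {lit!r} -> {dec!r}")
```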

T1036 Masquerading (evidence: 1)

This so-called Update file is the Payload infector mentioned earlier... The Webshell is named Cpanel-Python... a PHP file named helper... the first part of the code comes from the WordPress system file options.php

Collection

1 technique
T1005 Data from Local System (evidence: 1)

The backdoor collected data such as URLs, IP addresses, parameters, and user-agent details, then sent them to a remote command-and-control server.

Command and Control

1 technique
T1071.001 Web Protocols (evidence: 1)

The C2 responds with a JSON object... reports key parameters... back to the C2 address https://wrned[.]com/api.php?t=3&c=1 ... sends this sensitive data via an AJAX request to a remote server controlled by the attackers.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

...sends this sensitive data via an AJAX request to a remote server controlled by the attackers... The reporting endpoint is https://cp.dene.de[.]com/collect.php.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.md5 | (value not shown on this page) | 1 month ago
domain | (value not shown on this page) | 1 month ago