Security researchers have identified a previously untracked threat actor conducting attacks against government and military organizations in Southeast Asia, while also targeting a smaller set of managed service providers (MSPs) and hosting companies across multiple countries, including the Philippines, Laos, Canada, South Africa, and the United States. The campaign hinges on the exploitation of a recently disclosed, high‑impact vulnerability in cPanel.
According to findings from Ctrl‑Alt‑Intel, the activity was first observed on May 2, 2026, and centers on abuse of CVE‑2026‑41940. This vulnerability, affecting both cPanel and WebHost Manager (WHM), allows attackers to bypass authentication controls, potentially granting remote, elevated access to the administration interface of affected systems.
Targeting and attack infrastructure
The offensive operations have been traced primarily to the IP address 95.111.250[.]175. Initial targeting focused heavily on government and military domains associated with the Philippines (including *.mil.ph and *.ph) and Laos (*.gov.la). In parallel, the actor scanned and attacked selected MSP and hosting provider environments using publicly available proof‑of‑concept exploit code.
Beyond the cPanel exploitation, Ctrl‑Alt‑Intel revealed that the same actor had previously compromised an Indonesian defense‑sector training portal using a custom exploit chain. This earlier intrusion combined authenticated SQL injection with remote code execution, suggesting a higher level of operational capability than simple opportunistic exploitation. Notably, the attacker already possessed valid login credentials for the targeted portal.
Exploitation details
Ctrl‑Alt‑Intel explained that the exploit script relied on hard‑coded credentials and bypassed the portal’s CAPTCHA protections in a non‑traditional way. Instead of solving the CAPTCHA challenge, the script extracted the expected CAPTCHA response directly from the server‑generated session cookie, effectively neutralizing the defense mechanism.
Once authenticated, the attacker moved laterally within the application to a document‑management feature. The vulnerable input was the field used to store document names, which the actor injected with malicious SQL code when submitting requests to the document‑save endpoint. This enabled database manipulation and ultimately facilitated remote code execution within the environment.
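The two application weaknesses described above (a CAPTCHA whose expected answer is readable from the session cookie, and a document-name field spliced into SQL) are illustrated below in an added Python example. It is not code from Ctrl‑Alt‑Intel, from the affected portal, or from this article; the portal's real framework and schema are unknown, so the cookie dictionaries, the in-memory session store, the `documents` table and the account names (`alice`, `admin`) are all constructed stand-ins. Each flawed pattern is shown next to the form that closes it: the CAPTCHA answer stays server-side behind an opaque, single-use token, and the document-save query uses placeholders so the name is always data.

```python
import hmac
import secrets
import sqlite3
import time

# ---- Part 1: CAPTCHA answer in the cookie vs. answer kept server-side ----

def _random_answer():
    return "".join(secrets.choice("0123456789") for _ in range(6))

def issue_captcha_insecure(answer=None):
    """Flawed pattern: the expected answer travels inside the cookie itself."""
    answer = answer or _random_answer()
    return {"captcha": answer}  # whoever holds the cookie can read the answer

def verify_captcha_insecure(cookie, submitted):
    return cookie.get("captcha") == submitted

_CAPTCHA_STORE = {}  # stand-in for a server-side session backend (assumption)
CAPTCHA_TTL_SECONDS = 300

def issue_captcha_secure(answer=None):
    """Hardened pattern: the cookie carries only an opaque, single-use token."""
    answer = answer or _random_answer()
    token = secrets.token_urlsafe(16)
    _CAPTCHA_STORE[token] = (answer, time.time() + CAPTCHA_TTL_SECONDS)
    # The answer is returned here only so the image renderer can draw it;
    # it is never placed in anything sent back as a cookie.
    return {"captcha_sid": token}, answer

def verify_captcha_secure(cookie, submitted):
    # pop() makes the token single-use: a wrong guess also burns it
    record = _CAPTCHA_STORE.pop(cookie.get("captcha_sid", ""), None)
    if record is None:
        return False
    answer, expires = record
    if time.time() > expires:
        return False
    return hmac.compare_digest(answer, submitted)  # constant-time compare

# ---- Part 2: document-save endpoint, string-built SQL vs. parameterized ----

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, "
        "name TEXT NOT NULL, owner TEXT NOT NULL)"
    )
    return conn

def save_document_vulnerable(conn, owner, name):
    # The document name is spliced into the statement, so the name field
    # controls the SQL that runs (the defect described in the article).
    conn.execute(f"INSERT INTO documents (name, owner) VALUES ('{name}', '{owner}')")
    conn.commit()

def save_document_safe(conn, owner, name):
    # Placeholders keep the name as data regardless of the characters it holds.
    conn.execute("INSERT INTO documents (name, owner) VALUES (?, ?)", (name, owner))
    conn.commit()

def documents_owned_by(conn, owner):
    rows = conn.execute(
        "SELECT name FROM documents WHERE owner = ? ORDER BY id", (owner,)
    )
    return [row[0] for row in rows]
```

With the vulnerable save, a document name containing a quote and a comment marker can rewrite the `owner` column; with the parameterized save, the same string is stored verbatim as the submitting user's document name. The CAPTCHA half shows the corresponding contrast: the insecure cookie verifies against its own contents, while the secure one verifies only against the server-side record and consumes the token on first use.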
Post‑compromise activity and persistence
Further examination revealed that the attacker leveraged the AdaptixC2 command‑and‑control framework to remotely manage compromised systems. To maintain long‑term access, the actor deployed tools such as OpenVPN and Ligolo, allowing persistent connectivity and internal network pivoting.
According to Ctrl‑Alt‑Intel, the threat actor constructed a durable access layer using a combination of OpenVPN tunnels, Ligolo routing, and systemd‑based persistence mechanisms. This access was subsequently used to fan out into internal networks and exfiltrate a large collection of sensitive documents linked to China’s railway sector, indicating possible espionage motivations.
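The report mentions systemd‑based persistence wrapping OpenVPN and Ligolo, but publishes no unit names or paths, so the added Python example below is a generic audit a defender could run over unit files, not a detector for this actor's specific artifacts. It is not code from Ctrl‑Alt‑Intel or from this article. The heuristics are assumptions: an `ExecStart` that points into a world-writable staging directory, a hidden path component, or a binary whose name matches one of the tunnelling tools named in the report but which does not live in a standard package directory. The unit texts in the test are constructed samples.

```python
from pathlib import PurePosixPath

# Heuristic lists (assumptions, not indicators published by the report)
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
TRUSTED_BIN_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin",
                    "/usr/local/bin", "/usr/local/sbin")
TUNNEL_TOOLS = ("ligolo", "openvpn")  # tools named in the report


def parse_unit(text):
    """Minimal INI-style parser for systemd unit files: section -> key -> [values]."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        if section and "=" in line:
            key, value = line.split("=", 1)
            data[section].setdefault(key.strip(), []).append(value.strip())
    return data


def exec_path(exec_line):
    """Return the executable from an Exec* line, dropping systemd's prefix chars."""
    tokens = exec_line.lstrip("-@+!:").split()
    return tokens[0] if tokens else ""


def audit_unit(unit_name, text):
    """Return a list of human-readable findings for one unit file."""
    findings = []
    service = parse_unit(text).get("Service", {})
    exec_lines = service.get("ExecStart", []) + service.get("ExecStartPre", [])
    for line in exec_lines:
        path = exec_path(line)
        p = PurePosixPath(path)
        if any(path.startswith(d + "/") for d in SUSPECT_DIRS):
            findings.append(f"{unit_name}: executable in world-writable dir: {path}")
        if any(part.startswith(".") for part in p.parts[1:]):
            findings.append(f"{unit_name}: hidden path component in: {path}")
        if (any(tool in p.name.lower() for tool in TUNNEL_TOOLS)
                and str(p.parent) not in TRUSTED_BIN_DIRS):
            findings.append(f"{unit_name}: tunnel tool outside package dirs: {path}")
    return findings


def audit_units(units):
    """units: mapping of unit name -> unit file text. Returns all findings."""
    findings = []
    for name, text in units.items():
        findings.extend(audit_unit(name, text))
    return findings


if __name__ == "__main__":
    # Constructed sample: a distro-installed OpenVPN unit (clean) next to a
    # hypothetical unit that launches a tunnel binary from a hidden /dev/shm path.
    sample = {
        "openvpn@server.service": "[Service]\nExecStart=/usr/sbin/openvpn --config %i.conf\n",
        "sys-update.service": "[Service]\nExecStart=/dev/shm/.cache/ligolo-agent -connect x\n",
    }
    for f in audit_units(sample):
        print(f)
```

A real audit would feed `audit_units` the contents of `/etc/systemd/system`, `/run/systemd/system` and each user's `~/.config/systemd/user`, and treat a hit as a lead to inspect rather than a verdict: the path and name checks are deliberately simple and will miss a tool that has been renamed and installed into a trusted directory.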
Broader exploitation of the cPanel flaw
Attribution for the campaign remains unclear. However, the activity aligns with broader observations from Censys, which reported evidence that the cPanel vulnerability was weaponized by multiple unrelated actors within 24 hours of public disclosure. Observed exploitation includes the deployment of Mirai botnet variants and a ransomware family known as Sorry, highlighting rapid criminal adoption.
Supporting this assessment, data from the Shadowserver Foundation indicates that around 44,000 IP addresses believed to be compromised through CVE‑2026‑41940 were observed conducting scanning and brute‑force activity against Shadowserver honeypots on April 30, 2026. By May 3, that number had dropped sharply to approximately 3,540, suggesting containment efforts or attacker migration.
Mitigation guidance
In response to the escalating threat, cPanel has released an updated version of its detection script, designed to improve accuracy and reduce false positives during compromise assessment. Administrators are strongly urged to apply available patches immediately, review systems for any indicators of compromise (IoCs), and carry out full cleanup procedures where malicious activity is detected.
Given the speed and scale at which the vulnerability has been weaponized, delaying remediation significantly increases the risk of unauthorized access, data compromise, and downstream exploitation within connected environments.
