A sophisticated adversarial campaign targeting South-East Asian government and military infrastructure, combining rapid exploitation of a critical cPanel authentication bypass with a custom zero-day exploit chain against an Indonesian defense-sector portal and ultimately pivoting to exfiltrate over 4GB of sensitive Chinese railway documents.<\/p>\n
The campaign\u2019s initial access vector centered on CVE-2026-41940<\/a>, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40.<\/p>\n The flaw exploits CRLF injection in the login and session-loading processes, allowing an unauthenticated attacker to manipulate the Exploitation was confirmed in the wild<\/a> before cPanel\u2019s patch was released on April 28, 2026, and CISA subsequently added it to its Known Exploited Vulnerabilities catalog. In this campaign, cPanel exploitation represented only one component of a broader and more alarming operation uncovered from an exposed command-and-control (C2) server<\/a>.<\/p>\n More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian Defence sector training portal.<\/p>\n The threat actor already possessed valid credentials and bypassed the portal\u2019s CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge completely ineffective without solving it.<\/p>\n Once inside, the actor targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint.<\/p>\n The SQL injection was then escalated to full operating system access by abusing PostgreSQL\u2019s Command output was captured to The exploit script, named For command and control, the actor deployed an AdaptixC2 payload<\/a> (ELF binary named A PowerShell reverse shell ( To ensure durable, persistent access, the actor combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was deployed on The Ligolo proxy agent was installed under a hidden directory Routing through this pivot infrastructure, the actor reached an internal host at In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.<\/p>\n Ctrl-Alt-Intel stops short of firm attribution, though the victimology South-East Asian military and government targets combined with theft of Chinese state-adjacent transport-sector data points to a deliberate regional intelligence collection effort.<\/p>\n The Shadowserver Foundation confirmed<\/a> on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.<\/p>\n Organizations running cPanel\/WHM are urged to patch to the latest version immediately and audit server logs for signs of CRLF-based session manipulation.<\/p>\n Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0 Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nwhostmgrsession<\/code> cookie and gain full root-level administrative access without valid credentials.<\/p>\ncPanel Vulnerability Exploited<\/strong><\/h2>\n
COPY ... TO PROGRAM<\/code> capability, which allows the database server to spawn arbitrary shell commands.<\/p>\n\/tmp<\/code>, base64-encoded, and re-ingested into application records using pg_read_file()<\/code> \u2014 a stealthy, file-read-based exfiltration channel entirely native to the database layer.<\/p>\nexploit_siak_bahasa.py<\/code> (SHA-256: 974E272A...<\/code>), contained Vietnamese-language comments, though Ctrl-Alt-Intel explicitly cautions<\/a> this is insufficient for attribution and may represent deliberate misdirection.<\/p>\n1<\/code>) configured to beacon to delicate-dew.serveftp[.]com:4455<\/code>, with server-side telemetry corroborating the C2 address at 95.111.250[.]175<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgAM4XwaZn51dGF0Qb8cbcrMFI8TGE5uiBcItwy8IqCwR7WzpT4nmhHpOfk0sCAn25KFcn29q04qrc9cDiAbEGsWGj4z30INH5mCqYo-jBDfLMufFOTwiSS8cKpJ1eyRK1jys_XF1iwhD-ZLX10fZpOZv7wm8_rkMa3YWM0AAQlafSL6OXq-UPTeRvhOzL7\/s16000\/adap%2520c2.webp?ssl=1\")
init.ps1<\/code>) was also recovered, establishing a TCP connection back to the same IP on port 4444.<\/p>\n95.111.250[.]175:1194\/UDP<\/code> as early as April 8, 2026, routing through the 10.8.0.0\/24<\/code> client subnet.<\/p>\n\/usr\/local\/bin\/.netmon\/<\/code>, masqueraded as a systemd service named systemd-update.service<\/code>, and configured to restart automatically \u2014 providing persistent re-entry even after reboots.<\/p>\n10.16.13.88<\/code> and deployed exfil_docs_v2.sh<\/code>, a custom SFTP-based exfiltration script.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0-foGr67kHGnjD4NxdEvlVguMvQik-rxK00qQrxruvbSIYbKAvwtSxCQm0GBoYCjbaQPxTLwL1SD4jBDSbzhWFU8cfBJF9g21cNt2jwSPyzLya0vzh9yYFxxqLojyRWjBQL6kFXVa_BhcfldQMlf6japGz1AFw5ap8sXXcgkYGA09vslBVBrybB8mDiZ9\/s16000\/Data%2520Exfil.webp?ssl=1\")
.pptx<\/code>, .pdf<\/code>, .docx<\/code>, and .xlsx<\/code> formats dating from 2020 to 2024.<\/p>\nIndicators of Compromise (IoCs)<\/strong><\/h2>\n
\n\n
\n \nIndicator<\/th>\n Type<\/th>\n Context<\/th>\n<\/tr>\n<\/thead>\n \n 95.111.250[.]175<\/code><\/td>\nIP Address<\/td>\n Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure<\/td>\n<\/tr>\n \n delicate-dew.serveftp[.]com<\/code><\/td>\nDomain<\/td>\n Domain associated with the same infrastructure; present in recovered certificate material<\/td>\n<\/tr>\n \n systemd-update.service<\/code><\/td>\nFile Name<\/td>\n Masqueraded Linux persistence service<\/td>\n<\/tr>\n \n \/usr\/local\/bin\/.netmon\/systemd-helper<\/code><\/td>\nFile Path<\/td>\n Hidden Linux reverse-connect payload path<\/td>\n<\/tr>\n \n init.ps1<\/code><\/td>\nFile Name<\/td>\n PowerShell reverse shell payload<\/td>\n<\/tr>\n \n 64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325<\/code><\/td>\nSHA-256<\/td>\n Hash of init.ps1<\/code>\n<\/td>\n<\/tr>\n\n exploit_siak_bahasa.py<\/code><\/td>\nFile Name<\/td>\n Custom authenticated SQLi \u2192 PostgreSQL RCE exploit<\/td>\n<\/tr>\n \n 974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD<\/code><\/td>\nSHA-256<\/td>\n Hash of exploit_siak_bahasa.py<\/code>\n<\/td>\n<\/tr>\n\n exfil_docs_v2.sh<\/code><\/td>\nFile Name<\/td>\n Custom SFTP \/ lftp document exfiltration script<\/td>\n<\/tr>\n \n 734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F<\/code><\/td>\nSHA-256<\/td>\n Hash of exfil_docs_v2.sh<\/code>\n<\/td>\n<\/tr>\n\n 1<\/code><\/td>\nFile Name<\/td>\n Linux ELF reverse-connect \/ pivot payload recovered alongside the custom exploit chain<\/td>\n<\/tr>\n \n 1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF<\/code><\/td>\nSHA-256<\/td>\n Hash of ELF payload 1<\/code>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n[.]<\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n