A sophisticated threat campaign targeting South-East Asian government and military infrastructure has been uncovered, combining active exploitation of a critical cPanel authentication bypass vulnerability with a custom zero-day exploit chain against an Indonesian defense-sector portal. The operation ultimately resulted in the exfiltration of more than 4GB of sensitive documents from a Chinese railway organization.
Initial Access: CVE-2026-41940 in cPanel and WHM
The campaign’s initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass affecting cPanel and WHM across all versions after v11.40. The flaw stems from CRLF injection in the login and session-loading processes, allowing an unauthenticated attacker to manipulate the whostmgrsession cookie and gain full root-level administrative access without valid credentials.
Exploitation was confirmed in the wild before cPanel released its emergency patch on April 28, 2026. CISA subsequently added CVE-2026-41940 to its Known Exploited Vulnerabilities catalog. The Shadowserver Foundation confirmed on April 30, 2026, that over 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against honeypot sensors.
The Zero-Day: SQL Injection to OS Command Execution
Beyond the cPanel exploitation, researchers from Ctrl-Alt-Intel uncovered a far more sophisticated component: a custom exploit targeting an Indonesian Defence sector training portal. The threat actor already possessed valid credentials and bypassed the portal’s CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie, rendering the challenge completely ineffective.
Once inside, the attacker targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint. This SQL injection was escalated to full operating system access by abusing PostgreSQL’s COPY … TO PROGRAM capability, which allows the database server to spawn arbitrary shell commands.
- Command output was captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file() — a stealthy, entirely native database exfiltration channel.
- The exploit script, named exploit_siak_bahasa.py (SHA-256: 974E272A…), contained Vietnamese-language comments, though researchers caution this may represent deliberate false-flag misdirection.
Command and Control Infrastructure
For command and control, the actor deployed an AdaptixC2 payload — an ELF binary named 1 — configured to beacon to delicate-dew.serveftp[.]com:4455, with server-side telemetry corroborating the C2 address at 95.111.250[.]175. A PowerShell reverse shell (init.ps1) was also recovered, establishing a TCP connection back to the same IP on port 4444.
Persistent Access and Pivoting
To ensure durable, persistent access, the actor deployed a layered pivot stack combining OpenVPN and Ligolo:
- An OpenVPN server was deployed on 95.111.250[.]175:1194/UDP as early as April 8, 2026, routing through the 10.8.0.0/24 client subnet.
- The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically on every reboot.
Data Exfiltration: 4.37GB of Sensitive Documents
Routing through this pivot infrastructure to an internal host at 10.16.13.88, the actor deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script. In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee, spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024.
Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.
Indicators of Compromise
- IP Address: 95.111.250[.]175 — Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure
- Domain: delicate-dew.serveftp[.]com — C2 domain
- File: systemd-update.service — Masqueraded Linux persistence service
- Path: /usr/local/bin/.netmon/ — Hidden Linux reverse-connect payload directory
- Hash: 64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 — init.ps1
Mitigation and Recommended Actions
Organizations running cPanel and WHM must patch to version 4.99.1 or later immediately. Audit authentication logs for evidence of CRLF-based session manipulation. Review all database-connected web applications for unsanitized user input, particularly in document management and record-save endpoints. Monitor for unexpected PostgreSQL COPY TO PROGRAM usage and outbound SFTP connections to unfamiliar hosts.
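The following is an added detection example, not code from the researchers or from the campaign, covering both the SQL-injection-to-OS-command chain described above and the COPY TO PROGRAM monitoring recommended here. It scans PostgreSQL statement logs for the two native primitives the writeup names, COPY ... TO PROGRAM and pg_read_file(); the log prefix format, the role and database names, and the sample log lines are all constructed assumptions.

```python
import re

# Rules for the two primitives the writeup describes: COPY ... TO PROGRAM
# (SQL to OS command execution) and pg_read_file() (re-ingesting captured
# output through the database). FROM PROGRAM is the inbound twin of TO PROGRAM.
RULES = {
    "copy_to_program": re.compile(r"\bCOPY\b.*?\bTO\s+PROGRAM\b", re.I | re.S),
    "copy_from_program": re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.I | re.S),
    "pg_read_file": re.compile(r"\bpg_read_(?:binary_)?file\s*\(", re.I),
}

# Assumed log format: log_statement = 'all' with
# log_line_prefix = '%m [%p] %u@%d ' (timestamp, pid, user@database).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[\w.-]+)@(?P<db>[\w.-]+) "
    r"LOG:\s+statement:\s+(?P<sql>.*)$"
)


def scan_statement(sql):
    """Return the names of every rule the SQL statement triggers."""
    return [name for name, rx in RULES.items() if rx.search(sql)]


def scan_log(lines):
    """Parse statement log lines and return one finding dict per hit.

    Lines that do not match the assumed prefix (checkpoints, connection
    messages) are skipped, so a mixed log can be fed in unchanged. Both
    primitives require superuser or the pg_execute_server_program /
    pg_read_server_files roles, so a hit from an application role also shows
    that the role is over-privileged, not only that injection occurred.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = scan_statement(m["sql"])
        if rules:
            findings.append({"ts": m["ts"], "user": m["user"], "db": m["db"],
                             "rules": rules, "sql": m["sql"]})
    return findings


# Constructed sample log: a normal document rename, an injected document-name
# value that spawns a command, re-ingestion of its output, and a benign query.
SAMPLE_LOG = """\
2026-04-12 03:14:07.118 UTC [2211] siak@portal LOG:  statement: UPDATE documents SET name = 'Laporan Q1' WHERE id = 42
2026-04-12 03:14:09.402 UTC [2211] siak@portal LOG:  statement: UPDATE documents SET name = 'x'; copy (select '') to program 'id > /tmp/o.txt'; --' WHERE id = 42
2026-04-12 03:14:11.770 UTC [2211] siak@portal LOG:  statement: INSERT INTO documents (name) VALUES (encode(pg_read_file('/tmp/o.txt')::bytea, 'base64'))
2026-04-12 03:15:00.001 UTC [2300] reporter@portal LOG:  statement: SELECT count(*) FROM documents
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["user"], ",".join(f["rules"]), f["sql"][:70])
```

Pair a hit with a check of the application role's privileges: an application account that can run either statement should be stripped of superuser and of the pg_execute_server_program and pg_read_server_files roles regardless of whether injection is confirmed.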