Threat actors
Mr_Rot13
crimewarevia MISP
1 CVE attributed
Mr_Rot13 is a stable hacking group identified through a PHP backdoor and a Downloader domain linked to a C2 infrastructure active since 2020. They utilize the Rot13 algorithm for obfuscation and have demonstrated a low detection rate across security products, indicating advanced operational security. Their activities include exploiting CVE-2026-41940 to deliver malicious payloads and maintaining covert communication via Telegram. The group has shown a particular focus on WordPress as a target, with ongoing operations that suggest a sophisticated threat actor rather than opportunistic attackers.
Attributed CVEs1
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2026-41940 | cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. | CRITICAL9.8 | 91%p100 | KEV+RWeaponized | 2026-05-06 |