A new threat actor has emerged, actively compromising government and military organizations in Southeast Asia, with additional focus on a select group of managed service providers (MSPs) and hosting services located in the Philippines, Laos, Canada, South Africa, and the United States. The attackers are exploiting a recently identified vulnerability in cPanel, a popular web hosting control panel.

Observed by Ctrl-Alt-Intel on May 2, 2026, this malicious activity centers around the exploitation of CVE-2026-41940, a severe vulnerability that allows for authentication bypass in cPanel and WebHost Manager (WHM). This flaw can enable remote attackers to take elevated control of the control panel, posing significant risks to affected systems.

The campaign appears to be primarily targeting domains tied to government and military operations in the Philippines (*.mil.ph and *.ph) and Laos (*.gov.la). Using publicly available proof-of-concept (PoC) scripts, the attackers have been able to exploit the vulnerability effectively.

Further investigation revealed that prior to the cPanel vulnerabilities being targeted, the same threat actor executed a custom exploit chain against an Indonesian defense sector training portal. This involved leveraging a combination of authenticated SQL injection and remote code execution techniques, illustrating advanced capabilities. Notably, the attacker was already in possession of valid credentials for the portal, which facilitated easier exploitation.

According to Ctrl-Alt-Intel, “The script incorporates hard-coded credentials to bypass the portal’s CAPTCHA by retrieving the expected CAPTCHA value directly from the server’s session cookie.” Once authenticated, the attacker exploited a vulnerable document management function to inject SQL commands via the document name field during submission.
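The CAPTCHA weakness the quote describes, as an added illustration that is not taken from the report or from the portal's code: a check that trusts an expected value carried in the client's own cookie, beside a version that keeps the answer server-side and sends the client only an opaque, single-use id. Function names, the in-memory challenge store and the sample answer are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# All values below are constructed for the example; no real portal data is used.


# --- Weak pattern: the expected CAPTCHA answer travels in the client cookie ---
def verify_captcha_weak(cookie: Dict[str, str], submitted: str) -> bool:
    """Compare the submission against a value the client itself supplied.

    Because 'captcha_expected' is read from the cookie, whoever controls the
    cookie controls the expected answer, so the check never forces anyone to
    solve the challenge. This is the design flaw behind the quoted bypass.
    """
    expected = cookie.get("captcha_expected", "")
    return hmac.compare_digest(expected.encode(), submitted.encode())


# --- Hardened pattern: the answer stays on the server, the cookie holds an id ---
_challenges: Dict[str, str] = {}  # server-side store (in memory for the example)


def issue_challenge(answer: str) -> Dict[str, str]:
    """Record the expected answer under a random id; return the cookie to set."""
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = answer
    return {"captcha_id": challenge_id}


def verify_captcha_hardened(cookie: Dict[str, str], submitted: str) -> bool:
    """Look the expected answer up by id; each id is consumed on first use."""
    expected: Optional[str] = _challenges.pop(cookie.get("captcha_id", ""), None)
    if expected is None:
        return False  # unknown, replayed or forged id
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

In the hardened form a forged or replayed cookie is rejected even when the attacker knows a valid answer, because the answer is never stored where the client can read it.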

Analysis further indicates that the actor employs the AdaptixC2 command-and-control framework to manage compromised endpoints remotely. Tools like OpenVPN and Ligolo are used to maintain persistent access within the victim’s internal networks.

“The actor established a robust access layer utilizing OpenVPN, Ligolo, and systemd persistence to enable entry into internal networks, subsequently exfiltrating a significant collection of documents related to the Chinese railway sector,” Ctrl-Alt-Intel reported.

While the identity of the group behind these operations remains uncertain, this development coincides with findings from Censys, which indicated that the cPanel vulnerability is being quickly exploited by various actors within just 24 hours of its disclosure. Reports suggest some groups are deploying variants of the Mirai botnet and ransomware labeled as Sorry.

Data from the Shadowserver Foundation reveals that as many as 44,000 IP addresses appear to have been compromised via CVE-2026-41940, with a significant number participating in scanning and brute-force activities against honeypots as early as April 30, 2026. This number has since decreased to around 3,540 by May 3.

In response to this critical situation, cPanel has released an updated version of its detection script intended to reduce false positives. Users are urged to apply the latest patches promptly and to take the necessary steps to secure their environments when indicators of compromise (IoCs) are detected.
