CyberSecurityNews

Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability


Researchers at Ctrl-Alt-Intel have uncovered a sophisticated campaign targeting South-East Asian government and military infrastructure. It combined rapid exploitation of a critical cPanel authentication bypass with a custom zero-day exploit chain against an Indonesian defense-sector portal, and ultimately pivoted into an internal network to exfiltrate over 4 GB of sensitive Chinese railway documents.

The campaign’s initial access vector centered on CVE-2026-41940, a critical CVSS 9.8 authentication bypass in cPanel and WHM affecting all versions after v11.40.

The flaw is a CRLF injection in the login and session-loading code paths: an unauthenticated attacker can inject carriage-return/line-feed sequences to manipulate the whostmgrsession cookie and obtain full root-level WHM access without valid credentials.

Exploitation was confirmed in the wild before cPanel’s patch was released on April 28, 2026, and CISA subsequently added it to its Known Exploited Vulnerabilities catalog. In this campaign, cPanel exploitation represented only one component of a broader and more alarming operation uncovered from an exposed command-and-control (C2) server.

cPanel Vulnerability Exploited

More significantly, Ctrl-Alt-Intel recovered a custom exploit targeting an Indonesian Defence sector training portal.

The threat actor already possessed valid credentials and bypassed the portal's CAPTCHA mechanism by reading the expected CAPTCHA value directly from the server-issued session cookie. Because the answer travelled in a cookie the client could read, the challenge never had to be solved and provided no protection at all.
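The cookie flaw above, as an added example that is not the portal's code or the recovered exploit: the first issuer ships the expected answer in a cookie the client can simply read back, the second keeps the answer server-side and hands out only an opaque, single-use challenge id. The cookie names (captcha, captcha_id) and the in-memory challenge store are assumptions made for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Added example, not the portal's code or the recovered exploit. It contrasts a
# CAPTCHA issuer that puts the expected answer in a client-readable cookie (the
# flaw class described above) with one that keeps the answer server-side.
# Cookie names (captcha, captcha_id) and CHALLENGE_STORE are assumptions.

CHALLENGE_STORE = {}   # server-side: challenge id -> expected answer (stand-in for a session store)


def cookie_value(set_cookie_header, name):
    """Return the value of cookie `name` from a Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[name].value if name in jar else None


def issue_challenge_vulnerable():
    """Vulnerable: the answer the user is supposed to type ships in the cookie."""
    answer = f"{secrets.randbelow(10**6):06d}"
    # The CAPTCHA image would render `answer`; the cookie already states it in clear text.
    return f"captcha={answer}; Path=/; HttpOnly"


def bypass_from_cookie(set_cookie_header):
    """What an exploit script does against the vulnerable design: no OCR, no solving,
    just read the answer out of Set-Cookie. HttpOnly is irrelevant to a non-browser client."""
    return cookie_value(set_cookie_header, "captcha")


def issue_challenge_hardened():
    """Hardened: the client receives only an opaque, single-use challenge id; the
    answer never leaves the server."""
    cid = secrets.token_urlsafe(16)
    CHALLENGE_STORE[cid] = f"{secrets.randbelow(10**6):06d}"
    return f"captcha_id={cid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def verify_hardened(set_cookie_header, submitted):
    """Look the answer up server-side and consume the challenge whether or not it
    matched, so a wrong guess cannot be retried against the same challenge."""
    cid = cookie_value(set_cookie_header, "captcha_id")
    expected = CHALLENGE_STORE.pop(cid, None) if cid else None
    return expected is not None and hmac.compare_digest(expected, submitted)
```

Signing the cookie would not have helped here: an HMAC stops tampering, not reading. The only fix is to keep the secret on the server and give the client a reference to it.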

Once inside, the actor targeted a document-management function, injecting SQL into the document-name field via a vulnerable save endpoint.

The SQL injection was then escalated to operating-system command execution by abusing PostgreSQL's COPY ... TO PROGRAM, which makes the database server spawn an arbitrary shell command as its own OS user. That primitive is only available to superusers or members of pg_execute_server_program, so the application was evidently connecting with a far more privileged database role than a document-management function needs.

Command output was captured to /tmp, base64-encoded, and re-ingested into application records using pg_read_file(). This gave the actor a retrieval channel that never leaves the database layer: results came back through the application's own document records rather than through a separate outbound connection, which makes it quiet from a network-monitoring perspective.
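An added illustration of the chain in the three paragraphs above (not the recovered exploit_siak_bahasa.py and not the portal's code): the string-built save query beside its parameterized fix, the shape of a stacked-query payload that turns the injection into COPY ... TO PROGRAM execution and reads the output back with pg_read_file(), and a detector for those server-side primitives in PostgreSQL statement logs. The table and column names (documents, doc_name), the /tmp/.o path, and the log lines are constructed for the example.

```python
import re

# Added illustration, not the recovered exploit or the portal's code. Table and
# column names, the temp-file path and the sample log lines are assumptions.


def build_save_sql_vulnerable(doc_id, doc_name):
    """Vulnerable: the document name is interpolated into the SQL text, so a single
    quote ends the literal and a semicolon starts a new statement."""
    return f"UPDATE documents SET doc_name = '{doc_name}' WHERE id = {int(doc_id)};"


def build_save_sql_parameterized(doc_id, doc_name):
    """Hardened: query text and values stay separate (psycopg-style %s placeholders);
    the driver sends doc_name as data, never as SQL, so stacking is impossible."""
    return ("UPDATE documents SET doc_name = %s WHERE id = %s;", (doc_name, int(doc_id)))


def sqli_to_rce_payload(doc_id, command):
    """Shape of the escalation described above. COPY ... TO PROGRAM runs `command` as
    the PostgreSQL server's OS user (needs superuser or pg_execute_server_program);
    stdout is base64-encoded into a temp file, then pulled into the record with
    pg_read_file() so the output is retrieved through the normal document view."""
    return (
        f"x' WHERE id = {int(doc_id)}; "
        f"COPY (SELECT 1) TO PROGRAM '{command} 2>&1 | base64 -w0 > /tmp/.o'; "
        f"UPDATE documents SET doc_name = pg_read_file('/tmp/.o') WHERE id = {int(doc_id)}; "
        "-- "
    )


# Primitives an application role should essentially never invoke.
SERVER_SIDE_PRIMITIVES = re.compile(
    r"\bCOPY\b[^;]*?\bTO\s+PROGRAM\b"
    r"|\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(",
    re.IGNORECASE,
)


def find_server_side_primitives(log_lines):
    """Scan PostgreSQL statement-log lines and return (line_no, matched_text) per hit.
    Assumes log_statement = 'all'; 'mod' does not log a COPY ... TO on its own."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in SERVER_SIDE_PRIMITIVES.finditer(line):
            hits.append((n, m.group(0)))
    return hits


# Constructed statement-log excerpt: a benign read, the injected save, a benign save.
SAMPLE_LOG = [
    "2026-04-29 10:11:58 UTC [4411] app@portal LOG:  statement: "
    "SELECT id, doc_name FROM documents WHERE owner_id = 17",
    "2026-04-29 10:12:03 UTC [4411] app@portal LOG:  statement: "
    + build_save_sql_vulnerable(42, sqli_to_rce_payload(42, "id")),
    "2026-04-29 10:12:04 UTC [4411] app@portal LOG:  statement: "
    "UPDATE documents SET doc_name = 'Q2 budget' WHERE id = 43;",
]

if __name__ == "__main__":
    for line_no, hit in find_server_side_primitives(SAMPLE_LOG):
        print(f"line {line_no}: {hit}")
```

Two mitigations are independent of the detector: parameterize every query, and run the application under a role that is neither superuser nor a member of pg_execute_server_program or pg_read_server_files, so that even a successful injection cannot reach the file system or a shell.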

The exploit script, named exploit_siak_bahasa.py (SHA-256: 974E272A...), contained Vietnamese-language comments, though Ctrl-Alt-Intel explicitly cautions this is insufficient for attribution and may represent deliberate misdirection.

For command and control, the actor deployed an AdaptixC2 payload (ELF binary named 1) configured to beacon to delicate-dew.serveftp[.]com:4455, with server-side telemetry corroborating the C2 address at 95.111.250[.]175.

[Figure: C2 Server (Source: Ctrl-Alt-Intel)]

A PowerShell reverse shell (init.ps1) was also recovered, establishing a TCP connection back to the same IP on port 4444.

To ensure durable, persistent access, the actor combined OpenVPN and Ligolo into a layered pivot stack. An OpenVPN server was running on 95.111.250[.]175:1194/UDP as early as April 8, 2026, with clients addressed from the 10.8.0.0/24 subnet.

The Ligolo proxy agent was installed under a hidden directory /usr/local/bin/.netmon/, masqueraded as a systemd service named systemd-update.service, and configured to restart automatically — providing persistent re-entry even after reboots.
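A hunt for the persistence pattern just described, added here as an example and not Ctrl-Alt-Intel's tooling: score a systemd unit on a systemd-* name that points outside the OS binary paths, an ExecStart binary under a dot-directory, and automatic restart. The two unit files are constructed; the suspect one mirrors the reported /usr/local/bin/.netmon/ plus systemd-update.service layout.

```python
import configparser
import os
import re

# Added hunt logic, not the researchers' tooling. Unit texts are constructed.

SUSPECT_UNIT = """\
[Unit]
Description=System Update Monitor
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/.netmon/systemd-helper
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""

BENIGN_UNIT = """\
[Unit]
Description=Network Time Synchronization

[Service]
ExecStart=/usr/lib/systemd/systemd-timesyncd
Restart=always

[Install]
WantedBy=sysinit.target
"""

HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/]+/")   # any dot-directory in the path
TRUSTED_PREFIXES = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/",
                    "/usr/sbin/", "/sbin/")


def audit_unit(unit_name, unit_text):
    """Return the list of reasons a unit looks like a masqueraded implant ([] if clean)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str            # keep ExecStart/Restart case as written
    cp.read_string(unit_text)
    exec_start = cp.get("Service", "ExecStart", fallback="")
    binary = exec_start.split()[0].lstrip("-@+!") if exec_start else ""
    reasons = []
    if HIDDEN_COMPONENT.search(binary):
        reasons.append("ExecStart binary lives in a hidden directory")
    if unit_name.startswith("systemd-") and not binary.startswith(TRUSTED_PREFIXES):
        reasons.append("systemd-* unit name but binary outside systemd/OS paths")
    if cp.get("Service", "Restart", fallback="no") in ("always", "on-failure") and reasons:
        reasons.append("auto-restart makes the implant survive kills and reboots")
    return reasons


def audit_unit_files(unit_dir="/etc/systemd/system"):
    """Run audit_unit over every .service file in unit_dir; {name: reasons} for flagged units."""
    flagged = {}
    for entry in os.scandir(unit_dir):
        if entry.is_file() and entry.name.endswith(".service"):
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                reasons = audit_unit(entry.name, fh.read())
            if reasons:
                flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    print("systemd-update.service:", audit_unit("systemd-update.service", SUSPECT_UNIT))
    print("systemd-timesyncd.service:", audit_unit("systemd-timesyncd.service", BENIGN_UNIT))
```

Run audit_unit_files() against /etc/systemd/system and /usr/lib/systemd/system on a suspect host; a systemd-* unit that a package manager does not own is worth pulling regardless of score.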

Routing through this pivot infrastructure, the actor reached an internal host at 10.16.13.88 and deployed exfil_docs_v2.sh, a custom SFTP-based exfiltration script.

[Figure: Data Exfiltration (Source: Ctrl-Alt-Intel)]

In total, 110 files (~4.37GB) were stolen from the China Railway Society Electrification Committee spanning .pptx, .pdf, .docx, and .xlsx formats dating from 2020 to 2024.

Among the most sensitive materials were 2021 financial workbooks containing full names, PRC national ID numbers, bank account details, and phone numbers.

Ctrl-Alt-Intel stops short of firm attribution, though the victimology (South-East Asian military and government targets), combined with the theft of Chinese state-adjacent transport-sector data, points to a deliberate regional intelligence-collection effort.

The Shadowserver Foundation confirmed on April 30, 2026, that it had observed 44,000 unique IP addresses scanning for victims, launching exploits, or conducting brute-force attacks against its honeypot sensors.

Organizations running cPanel/WHM are urged to patch to the latest version immediately and audit server logs for signs of CRLF-based session manipulation.
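One way to do that log audit, added here as an example rather than anything from cPanel or the advisory: normalize the request target and Cookie field of each access-log entry (undoing single and double percent-encoding) and flag entries in which a carriage return or line feed appears, noting whether the whostmgrsession cookie is involved. The log line layout (Apache combined format with a trailing quoted Cookie field) and the entries themselves are constructed; the injected lines illustrate the CRLF class, not the actual exploit request.

```python
import re
from urllib.parse import unquote

# Added check, not cPanel's or the advisory's code. Log format and lines are constructed.

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "[^"]*"'
    r'(?: "(?P<cookie>[^"]*)")?'          # optional trailing quoted Cookie field
)
CRLF = re.compile(r"[\r\n]")


def normalise(value, rounds=2):
    """Undo up to `rounds` layers of percent-encoding so %0D%0A and %250D%250A both surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def crlf_findings(log_lines):
    """Return (line_no, raw_target, reasons) for entries with CR/LF in the request
    target or Cookie field after decoding."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = normalise(m.group("target"))
        cookie = normalise(m.group("cookie") or "")
        reasons = []
        if CRLF.search(target):
            reasons.append("CR/LF in request target")
        if CRLF.search(cookie):
            reasons.append("CR/LF in Cookie header")
        if reasons and "whostmgrsession" in (target + cookie).lower():
            reasons.append("touches whostmgrsession")
        if reasons:
            findings.append((n, m.group("target"), reasons))
    return findings


# Constructed entries: a normal login page load, a login request with an encoded CRLF in a
# parameter, a request whose whostmgrsession cookie carries a double-encoded CRLF, a normal load.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Apr/2026:09:14:02 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [28/Apr/2026:09:14:05 +0000] "POST /login/?user=root%0d%0a%0d%0a HTTP/1.1" 302 0 "-" "python-requests/2.31" "-"',
    '203.0.113.7 - - [28/Apr/2026:09:14:06 +0000] "GET /cpsess0000000000/scripts2/listaccts HTTP/1.1" 200 8192 "-" "python-requests/2.31" "whostmgrsession=root%250d%250a%253aabc"',
    '198.51.100.4 - - [28/Apr/2026:09:15:00 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for line_no, target, reasons in crlf_findings(SAMPLE_LOG):
        print(f"line {line_no}: {target} -> {', '.join(reasons)}")
```

Decode before matching: a single-pass grep for %0d%0a misses double-encoded payloads, and a raw-byte grep misses encoded ones. Treat any hit on a login or session path from a non-browser user agent as a priority for session and privilege review.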

Indicators of Compromise (IoCs)

Indicator | Type | Context
95.111.250[.]175 | IP address | Primary attacker VPS; OpenVPN, reverse shell, and pivot infrastructure
delicate-dew.serveftp[.]com | Domain | Domain associated with the same infrastructure; present in recovered certificate material
systemd-update.service | File name | Masqueraded Linux persistence service
/usr/local/bin/.netmon/systemd-helper | File path | Hidden Linux reverse-connect payload path
init.ps1 | File name | PowerShell reverse shell payload
64674342041873DBB18B1DD9BB1CA391AF85B5E755DEFFB4C1612EF668349325 | SHA-256 | Hash of init.ps1
exploit_siak_bahasa.py | File name | Custom authenticated SQLi → PostgreSQL RCE exploit
974E272AD1DC7D5AADC3C7A48EC00EB201D04BA59EC5B0B17C2F8E9CD2F9C9CD | SHA-256 | Hash of exploit_siak_bahasa.py
exfil_docs_v2.sh | File name | Custom SFTP / lftp document exfiltration script
734F0D04DC2683E19E629B8EC7F55349B5BCFF4EB4F2F36F6ADBBDE1C023A24F | SHA-256 | Hash of exfil_docs_v2.sh
1 | File name | Linux ELF reverse-connect / pivot payload recovered alongside the custom exploit chain
1CFEADF01D24182362887B7C5F683E8BDB0E84CDDCE03E3B7564B2D9AB5D15CF | SHA-256 | Hash of ELF payload 1

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
