First-party intel

CVE-2026-41940 threat feed

Live block list, IOC catalog, and integration code for cPanel/WHM SessionScribe. Refreshed off the maldet host_meta enrichment intake as the campaign moves from cpsess session-token replay through pattern-letter recon, websocket shells, and post-disclosure cleanup.

Active attacker IPs: 545 (49 T1 / 496 T2)
Hosts on IOC fingerprint: 6,505 (confirmed compromise indicators)
cPanel cohort: 150,859 (SessionScribe relevance set)
Event emits for CVE-2026-41940: 2.7M (recon + active attack events)

Pre-disclosure exploitation surfaces back to November 2025; the visible mass-arc opened 2026-04-11 with Pattern X probes, the vendor patch landed 2026-04-28, and the public PoC on 2026-04-30 triggered the scanning wave. The cohort is now in operator-on-keyboard mode: websocket shells, pattern-letter recon, and ransomware drops on hosts that patched late or only partially.

Attacker source map

T1 · 61 IPs · 63,800 events

CVE-2026-41940 attacker origins (snapshot 2026-05-08, 24h rolling)

[Map figure: attacker origins by severity; legend critical / high / medium / low]

Attacker-source breakdown

US United States: 38%
RU Russia: 14%
DE Germany: 11%
BG Bulgaria: 9%
NL Netherlands: 8%
IN India: 6%
CN China: 5%
VN Vietnam: 3%
BR Brazil: 3%
XX Other: 3%

Attacker IP block list

T1 · 61 IPs · 63,800 events

Source IPs surfaced across the SessionScribe incident with role attribution from session and access-log evidence. IP-level signals (independent of host-verdict logic) survive verdict-precision changes downstream.

IP | Role | Country | Provider | Events | Notes
45.82.78.104 | scanner | BG | ITL Bulgaria (AS50113) | 20596 | Worst-offender by event volume; sampled across the whole fleet
80.75.212.14 | websocket-shell | DE | First Colo GmbH (AS44066) | 14705 | Pattern E primary; broad-scope exploitation cohort
94.231.206.39 | scanner | RU | Selectel (AS41842) | 8948 | TLS handshake to :2095, badpass exploit
142.93.43.26 | websocket-shell | US | DigitalOcean (AS14061) | 4439 | Pattern E + badpass at scale
27.124.2.46 | other | SG | CTG Server Ltd (AS152194) | 2441 | Wide host fan-out, single event per host (probe sweep)
206.189.2.13 | scanner | US | DigitalOcean (AS14061) | 2102 | leakix scanner; UA leakix/2.0
157.245.204.205 | scanner | US | DigitalOcean (AS14061) | 1751 | leakix scanner; UA leakix/2.0
23.234.107.207 | other | US | tzulo (AS11878) | 1399 | Sweep-style 1:1 host:event ratio
68.233.238.100 | badpass | US | Hivelocity (AS29802) | 1353 | Badpass exploit; UA python-requests/2.33.1
136.244.66.225 | websocket-shell | US | Vultr (AS20473) | 1327 | Session-origin pool, 2xx success
146.19.24.235 | badpass | NL | Serverius (AS50673) | 1306 | Recurring badpass origin
45.92.1.188 | loader | RU | Lanit-Tercom (AS204957) | 470 | Pattern J operator: udev/systemd persistence
35.87.51.116 | other | US | Amazon AWS (AS16509) | 368 | AWS-origin sweep
23.234.90.73 | other | US | tzulo (AS11878) | 360 | Sibling to 23.234.107.207 cohort
5.252.177.207 | badpass | DE | Stark Industries (AS39378) | 273 | Prior-run badpass exploit
188.245.229.68 | other | DE | Hetzner (AS24940) | 217 | Hetzner sweep
137.184.254.164 | other | US | DigitalOcean (AS14061) | 158 | DigitalOcean sweep cohort
38.146.25.154 | createacct | US | Cogent (AS174) | 121 | Pattern D createacct source; Operator A; UA Go-http-client/1.1
167.71.199.22 | other | US | DigitalOcean (AS14061) | 108 | DigitalOcean recon
79.139.159.38 | other | RU | MGTS (AS25513) | 107 | European recon origin
8.208.15.225 | other | SG | Alibaba Cloud (AS45102) | 104 | Alibaba Cloud probe
103.139.178.93 | other | IN | HostRoyale (AS203020) | 89 | APAC sweep
38.248.90.73 | other | US | Limestone Networks (AS46475) | 89 | Sweep cohort
45.77.245.141 | other | US | Vultr (AS20473) | 77 | Vultr probe
178.128.55.132 | other | US | DigitalOcean (AS14061) | 65 | DO probe
168.149.22.87 | other | SA | Saudi Telecom (AS25019) | 56 | Saudi Telecom recon origin
212.227.154.65 | other | DE | IONOS (AS8560) | 43 | IONOS-origin probe
173.208.162.41 | other | US | WholeSale Internet (AS32097) | 42 | Recon
161.35.60.228 | other | US | DigitalOcean (AS14061) | 36 | DO probe
77.68.87.67 | other | GB | IONOS (AS8560) | 36 | IONOS UK recon
3.208.183.244 | other | US | Amazon AWS (AS14618) | 35 | AWS-origin probe
149.102.229.144 | websocket-shell | DE | Clouvider (AS62240) | 33 | Operator B (24x120) websocket Shell pivot
159.223.155.255 | post-cve-2xx | US | DigitalOcean (AS14061) | 32 | Post-CVE 2xx wave (DigitalOcean cluster)
67.205.166.246 | post-cve-2xx | US | DigitalOcean (AS14061) | 31 | Post-CVE 2xx wave (DigitalOcean cluster)
137.184.77.0 | badpass | US | DigitalOcean (AS14061) | 24 | Badpass exploit
194.180.48.253 | other | BG | MevSpace (AS201814) | 23 | MevSpace bulletproof-style recon
206.189.227.202 | post-cve-2xx | US | DigitalOcean (AS14061) | 23 | Post-CVE 2xx wave (DigitalOcean cluster)
23.168.216.185 | other | US | Hayashimo (AS399935) | 23 | Recon
102.89.76.43 | other | NG | VCG (AS29465) | 21 | African recon origin
112.193.253.250 | other | CN | China Unicom (AS4837) | 19 | China Unicom backbone recon
67.205.134.215 | post-cve-2xx | US | DigitalOcean (AS14061) | 19 | Post-CVE 2xx wave (DigitalOcean cluster)
213.21.222.164 | other | LV | VDC (AS199152) | 17 | VDC-USA / Latvia recon
45.130.83.196 | other | NL | SecFirewall (AS206092) | 16 | SecFirewall recon
45.143.82.1 | other | DE | PacketHub (AS136787) | 16 | PacketHub recon
87.106.33.160 | other | DE | IONOS (AS8560) | 16 | IONOS recon
129.121.86.200 | other | US | Oracle Cloud (AS31898) | 14 | Oracle Cloud recon
216.24.219.90 | other | US | SecFirewall (AS206092) | 14 | SecFirewall recon (sibling)
23.106.129.26 | other | CA | IT7 Networks (AS25820) | 14 | IT7 recon
54.151.201.177 | other | US | Amazon AWS (AS14618) | 14 | AWS recon
146.70.14.26 | other | RO | M247 (AS9009) | 13 | M247 recon
192.81.219.190 | websocket-shell | US | DigitalOcean (AS14061) | 49 | Pattern D enum + websocket Shell (24x80); Operator A
183.82.160.147 | websocket-shell | IN | Bharti Airtel (AS9498) | 38 | Operator C (24x134); recurring across the window
87.121.84.78 | binary-host | BG | ITL Bulgaria (AS50113) | 31 | Pattern C nuclear.x86 binary host
68.183.190.253 | ransomware-c2 | US | DigitalOcean (AS14061) | 27 | Pattern A .sorry encryptor C2
87.121.84.243 | binary-host | BG | ITL Bulgaria (AS50113) | 19 | Pattern C nuclear.x86 binary host (sibling to .78)
147.182.224.216 | loader | US | DigitalOcean (AS14061) | 8 | atdu perl-bot loader; 8 hosts on a single hosting fleet
157.245.235.139 | loader | US | DigitalOcean (AS14061) | 5 | xminstall xmrig loader
57.129.119.218 | miner-pool | DE | Hetzner (AS24940) | 4 | xmrig stratum relay (port 80); active ESTAB observed
45.140.17.40 | c2 | LV | Scalaxy (AS58061) | 7 | codeItems3 PHP cron-bot C2; per-host API token header
45.140.17.23 | c2 | LV | Scalaxy (AS58061) | 6 | codeItems3 sibling C2 (same /24)
209.14.84.37 | c2 | US | Performive (AS46562) | 3 | Novel implant C2 (port 1220, non-standard)

IOC catalog

Runtime indicators surfaced by the ps-hunt cohort. A wallet match or an established (ESTAB) connection to a C2 IP is a zero-false-positive indicator and gates a COMPROMISED verdict on first hit; the procname and file-path indicators below are high-confidence but are weighed, not gated.

C2 / attacker domains

Domain | Role | Note
u.lihq.me | gsocket-relay | Custom GSocket relay (operator-controlled; replaces public gsocket.io for OPSEC)
raw.flameblox.com | binary-host | Pattern C/H binary drop
cp.dene.de.com | ransomware-c2 | Pattern K Cloudflare-fronted C2 (do not blackhole at edge)
auto.c3pool.org | miner-pool | c3pool stratum endpoint (port 13333); legitimate pool, used by xmrig payloads
pool.supportxmr.com | miner-pool | supportxmr RandomX pool (port 3333); used by the ./https masquerade variant
download.c3pool.org | loader-host | setup_c3pool_miner.sh installer host (legitimate domain, abused as drop)

Cryptocurrency wallets (XMR)

Pool | Wallet | Note
c3pool | 423Gvxk9VMFH3FUyurUNqFKrXvMgoWAJwM98uXbiCubJafBUUyvyeRLgQos3JSMfRBFtb8iFCahTx6K6nes7TkP75gXdoDj | Fleet pivot indicator; shared across hosts using identical config.json from setup_c3pool_miner.sh
supportxmr (worker=ngintil) | 4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL | RandomX worker; tied to a specific operator branch (./https masquerade)
c3pool | 47eqhWc4e88EVdqbnwEJaD5aSzYvV2BT29dm (truncated) | Truncated in ps; distinct operator (./python3 masquerade variant); auto.c3pool.org:13333

Masquerade procnames

Procname | What it is | Tell
defunct | GSocket reverse-shell persistence loop | argv[0] mismatch + ~/.config/htop/defunct.dat keyfile
gs-dbus | GSocket variant | argv[0] mismatch + ~/.config/dbus/gs-dbus.dat keyfile
lscgib | GSocket variant | argv[0] mismatch + ~/.config/htop/lscgib.dat keyfile
/dev/shm/.gs | Active gs-netcat listener (renamed) | args -l -s <secret> -e /bin/bash -q
./.ld-linux.so | xmrig (RandomX cryptominer) | The dynamic linker is a library, never an executable; argv[0] = malware
./https | xmrig | argv[0] masquerade with -a rx/0 -o pool.* flags
./python3 | xmrig | argv[0] masquerade with --donate-level / --threads / pool URL
x8z9up8vxl06v | Novel C2 implant | Random high-entropy procname + ESTAB to 209.14.84.37:1220; comm vs argv[0] mismatch
fxuff0x9uu0fw | Novel C2 implant (sibling) | Sibling masquerade name on the same PID; 108 KB RSS, static-linked
nuclear.x86 | Mirai variant (Pattern C) | Direct binary match; common second-stage drop on Pattern X compromise
system_profiled_service | Pattern I profile.d backdoor | /etc/profile.d/ hook + /usr/local/bin/system-service binary
cdrom-id-helper | Pattern J udev / systemd persistence | udev / systemd unit drops a non-stock binary out-of-band
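The verdict gates above (wallet match or C2 ESTAB is COMPROMISED on first hit) and the masquerade tells in this list can be turned into a small host-side hunt. The following is an added example, not the feed's own ps-hunt tooling: it parses `ps -eo pid,comm,rss,args --no-headers` and `ss -tnp` output, applies the IPs, wallets and procnames listed on this page, and returns a per-host verdict. The sample ps/ss lines, the two severity tiers, and the xmrig flag set it keys on are constructed assumptions; the comm-vs-argv[0] comparison uses the kernel's 15-character comm limit.

```python
"""Runtime IOC hunt over `ps` and `ss` output (added example, not the feed's ps-hunt tooling).
IOC values come from the catalog above; the sample ps/ss lines at the bottom are constructed."""
import re
from dataclasses import dataclass, field

# Zero-FP gates: a wallet in a command line or an ESTAB to a C2 IP is COMPROMISED on first hit.
C2_IPS = {
    "209.14.84.37",    # novel implant C2 (port 1220)
    "68.183.190.253",  # Pattern A .sorry encryptor C2
    "45.140.17.40", "45.140.17.23",  # codeItems3 PHP cron-bot C2 pair
    "57.129.119.218",  # xmrig stratum relay on port 80
}
WALLETS = {
    "423Gvxk9VMFH3FUyurUNqFKrXvMgoWAJwM98uXbiCubJafBUUyvyeRLgQos3JSMfRBFtb8iFCahTx6K6nes7TkP75gXdoDj",
    "4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL",
    "47eqhWc4e88EVdqbnwEJaD5aSzYvV2BT29dm",  # truncated in ps, so substring matching covers it
}
# Masquerade procnames from the catalog. "./https" and "./python3" are only suspicious
# together with miner flags, so they live in MINER_ARGV0 rather than here.
GSOCKET_NAMES = {"defunct", "gs-dbus", "lscgib", ".gs"}
IMPLANT_NAMES = {"x8z9up8vxl06v", "fxuff0x9uu0fw", "nuclear.x86", "system_profiled_service", "cdrom-id-helper"}
MINER_ARGV0 = {"./.ld-linux.so", "./https", "./python3"}
MINER_FLAGS = {"-o", "-a", "-u", "--donate-level", "--threads"}  # assumed xmrig flag set

PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(.*)$")  # ps -eo pid,comm,rss,args --no-headers
SS_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+\S+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')  # ss -tnp, IPv4

@dataclass
class Finding:
    severity: str  # "critical" gates COMPROMISED, "high" gates SUSPECT
    pid: int
    reason: str

@dataclass
class Verdict:
    label: str = "CLEAN"
    findings: list = field(default_factory=list)

    def add(self, severity, pid, reason):
        self.findings.append(Finding(severity, pid, reason))
        if severity == "critical":
            self.label = "COMPROMISED"
        elif self.label == "CLEAN":
            self.label = "SUSPECT"

def parse_ps(lines):
    """Yield (pid, comm, argv) from `ps -eo pid,comm,rss,args --no-headers` lines."""
    for line in lines:
        m = PS_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(4).split()

def parse_ss(lines):
    """Yield (pid, procname, peer_ip, peer_port) for ESTAB rows of `ss -tnp` (IPv4 peers)."""
    for line in lines:
        m = SS_RE.match(line)
        if m:
            yield int(m.group(4)), m.group(3), m.group(1), int(m.group(2))

def hunt(ps_lines, ss_lines):
    """Return the Verdict for one host from its ps and ss output."""
    v = Verdict()
    for pid, comm, argv in parse_ps(ps_lines):
        if not argv:
            continue
        argv0 = argv[0]
        base = argv0.rsplit("/", 1)[-1].lstrip("-")  # login shells appear as "-bash"
        if any(w in " ".join(argv) for w in WALLETS):
            v.add("critical", pid, f"XMR wallet in argv of {argv0}")
        # comm is the kernel's 15-char executable name; argv[0] is attacker-controlled.
        if comm != base[:15]:
            v.add("high", pid, f"comm '{comm}' vs argv[0] '{argv0}' mismatch")
        if base in GSOCKET_NAMES or base in IMPLANT_NAMES:
            v.add("high", pid, f"known masquerade procname {base}")
        if "-l" in argv and "-e" in argv and "/bin/bash" in argv:
            v.add("high", pid, "gs-netcat style listener handing out /bin/bash")
        if argv0 in MINER_ARGV0 and MINER_FLAGS & set(argv):
            v.add("high", pid, f"xmrig flags under masqueraded argv[0] {argv0}")
    for pid, name, ip, port in parse_ss(ss_lines):
        if ip in C2_IPS:
            v.add("critical", pid, f"ESTAB to C2 {ip}:{port} from {name}")
    return v

SAMPLE_PS = [  # constructed sample output, not captured from a real host
    "  812 sshd           5120 /usr/sbin/sshd -D",
    " 2201 python3       30212 ./python3 --donate-level 1 --threads 4 -o auto.c3pool.org:13333 -u 47eqhWc4e88EVdqbnwEJaD5aSzYvV2BT29dm",
    " 3105 xmrig         90112 ./.ld-linux.so -a rx/0 -o pool.supportxmr.com:3333",
    " 4242 x8z9up8vxl06v   108 fxuff0x9uu0fw",
    " 5170 gs-netcat      2048 /dev/shm/.gs -l -s SECRET-PLACEHOLDER -e /bin/bash -q",
    " 6001 bash           3100 -bash",
]
SAMPLE_SS = [  # constructed ss -tnp rows
    'ESTAB 0 0 10.0.0.5:22 203.0.113.7:51514 users:(("sshd",pid=812,fd=4))',
    'ESTAB 0 0 10.0.0.5:41822 209.14.84.37:1220 users:(("x8z9up8vxl06v",pid=4242,fd=3))',
]

if __name__ == "__main__":
    verdict = hunt(SAMPLE_PS, SAMPLE_SS)
    print(verdict.label, *[f"[{f.severity}] pid {f.pid}: {f.reason}" for f in verdict.findings], sep="\n  ")
```

On a live host, feed it the output of `ps -eo pid,comm,rss,args --no-headers` and `ss -tnp` instead of the samples. The two "critical" rules are the only ones that flip the label to COMPROMISED, mirroring the feed's gating; everything else only raises SUSPECT so that a lone comm/argv[0] mismatch (login shells, process-title rewriting) does not page anyone by itself.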

File-path indicators

Path | Severity | Note
~/.config/htop/defunct.dat | critical | GSocket relay secret-key file (default mask)
~/.config/htop/lscgib.dat | critical | GSocket relay secret-key file (lscgib variant)
~/.config/dbus/gs-dbus.dat | critical | GSocket relay secret-key file (dbus variant)
/dev/shm/.gs | critical | Active gs-netcat listener binary (renamed); -l -s <secret> -e /bin/bash -q
/root/sshd | critical | Pattern A .sorry file-encryption ransomware (sha256 prefix 2fc0a056); reimage
/root/c3pool/xmrig | high | xmrig cryptominer (c3pool default install path)
/root/c3pool/config.json | high | xmrig config (contains wallet + pool)
/root/moneroocean/xmrig | high | xmrig cryptominer (moneroocean variant)
/root/moneroocean/config.json | high | xmrig config (moneroocean pool variant)
/tmp/codeItems3 | high | PHP cron-bot stage-2 payload (executes with disable_functions='')
/tmp/seobot.zip | high | Pattern H seobot SEO defacement archive
/tmp/.<hex32+> | high | Generic webshell drop (PHP executed by apache/cpsrvd user)
/usr/local/bin/system-service | high | Pattern I profile.d backdoor binary (PERS-ProfileD)
/etc/profile.d/*.sh injecting unknown PATH/exec | high | Pattern I persistence shim
/etc/udev/rules.d/*.rules with ACTION exec | high | Pattern J udev-facility persistence
/etc/systemd/system/*.service with non-stock ExecStart | high | Pattern J systemd-unit persistence
nuclear.<arch> | high | Pattern C Mirai variant (multi-arch drop: x86, x86_64, arm, mips)
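The last three Pattern I/J entries are defined by what a file does rather than by its name, so a matcher has to read the hook, rule or unit and look at what it executes. The following is an added example, not the feed's own scanner: a static check over `/etc/profile.d/*.sh`, `/etc/udev/rules.d/*.rules` and `/etc/systemd/system/*.service` that flags PATH injection and any `Exec*` or `RUN+=` command outside a stock binary directory allowlist. The allowlist and the sample file contents are constructed assumptions; the two catalog binary names it tags come from the list above.

```python
"""Static scan for Pattern I (profile.d) and Pattern J (udev / systemd) persistence (added example,
not the feed's own tooling). Stock-directory allowlist and sample file contents are constructed."""
import fnmatch
import re
from dataclasses import dataclass

# Anything executed from outside these directories counts as non-stock for this scan (assumption).
STOCK_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/lib/")
CATALOG_NAMES = ("/usr/local/bin/system-service", "cdrom-id-helper")  # from the file-path list above

@dataclass
class Finding:
    path: str
    severity: str
    reason: str

def non_stock(cmd):
    """True for an absolute path outside STOCK_DIRS; systemd's '-', '@', '+', '!' prefixes are stripped."""
    cmd = cmd.lstrip("-@+!:")
    return cmd.startswith("/") and not cmd.startswith(STOCK_DIRS)

def describe(binary):
    tag = " (catalog indicator)" if any(n in binary for n in CATALOG_NAMES) else ""
    return binary + tag

def scan_profile_d(path, text):
    """Pattern I: PATH injection or a non-stock binary executed from a login hook."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = re.search(r"\bPATH=([^\s;]+)", s)
        if m:
            out += [Finding(path, "high", f"PATH injected with {d}") for d in m.group(1).split(":") if non_stock(d)]
            continue
        # Only the first word of each command segment is a command; redirect targets are not.
        for seg in re.split(r"\s*(?:;|&&|\|\||\||&)\s*", s):
            words = seg.split()
            if words and words[0] in ("exec", "nohup", "setsid"):
                words = words[1:]
            if words and non_stock(words[0]):
                out.append(Finding(path, "high", f"login hook executes {describe(words[0])}"))
    return out

UDEV_RE = re.compile(r'\b(RUN|PROGRAM)\s*(?:\+=|==|=)\s*"([^"]*)"')

def scan_udev_rule(path, text):
    """Pattern J: a udev rule that runs a non-stock binary on a device event."""
    out = []
    for line in text.splitlines():
        for key, cmd in UDEV_RE.findall(line):
            words = cmd.split()
            if words and non_stock(words[0]):
                out.append(Finding(path, "high", f"{key} runs {describe(words[0])}"))
    return out

UNIT_RE = re.compile(r"^(Exec(?:Start|StartPre|StartPost|Stop|Reload))\s*=\s*(.+)$")

def scan_systemd_unit(path, text):
    """Pattern J: a unit whose Exec* line points outside the stock binary directories."""
    out = []
    for line in text.splitlines():
        m = UNIT_RE.match(line.strip())
        words = m.group(2).split() if m else []
        if words and non_stock(words[0]):
            out.append(Finding(path, "high", f"{m.group(1)} runs {describe(words[0])}"))
    return out

SCANNERS = [("/etc/profile.d/*.sh", scan_profile_d), ("/etc/udev/rules.d/*.rules", scan_udev_rule),
            ("/etc/systemd/system/*.service", scan_systemd_unit)]

def scan_tree(files):
    """files maps path -> contents (on a live host, build it with glob over the SCANNERS patterns)."""
    findings = []
    for path, text in files.items():
        for pattern, scanner in SCANNERS:
            if fnmatch.fnmatch(path, pattern):
                findings.extend(scanner(path, text))
    return findings

# Constructed sample tree: three stock files and three carrying Pattern I/J indicators.
SAMPLE_FILES = {
    "/etc/profile.d/vim.sh": '# stock\nif [ -n "$BASH_VERSION" ]; then alias vi=vim; fi\n',
    "/etc/profile.d/system_profiled_service.sh":
        "export PATH=/usr/local/bin:$PATH\n/usr/local/bin/system-service >/dev/null 2>&1 &\n",
    "/etc/udev/rules.d/70-persistent-net.rules": 'SUBSYSTEM=="net", ACTION=="add", NAME="eth0"\n',
    "/etc/udev/rules.d/99-cdrom-id.rules": 'ACTION=="add", SUBSYSTEM=="block", RUN+="/usr/local/bin/cdrom-id-helper"\n',
    "/etc/systemd/system/nginx.service": "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
    "/etc/systemd/system/cdrom-id.service": "[Service]\nExecStart=/usr/local/bin/cdrom-id-helper --daemon\n",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Every finding is "high", matching the severity the catalog assigns to these paths; `/usr/local/bin` is a legitimate location on many hosts, so the output is a review list for the per-host triage, not a verdict gate. Tuning STOCK_DIRS per distribution (for example adding a vendor's own install prefix) is expected.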

Pattern catalog

Kill-chain pattern letters used by the rfxn advisory. Each letter maps to a specific operator behavior or runtime payload observed across the cohort.

Letter | Label | Scope | One-liner
R | GSocket revshell | Runtime | Live /dev/shm/.gs gs-netcat listener; operator can drop into /bin/bash on connect
D | sptadm reseller persistence | Persistence | createacct enumeration, WHM_FullRoot token theft, account-log scrubbing
C | Mirai (nuclear.<arch>) | Destruction | Multi-arch Mirai variant (x86 / x86_64 / arm / mips); also xmrig staging vector
A | .sorry encryptor | Destruction | /root/sshd file-encryption ransomware; reimage required (sha256 2fc0a056)
P | PHP cron-bot | Persistence | /tmp/codeItems3 loader executing with disable_functions=''; per-host API token
B | DBWipe | Destruction | MySQL / system DB destroyed; BTC ransom note delivery
M | Miner (xmrig) | Destruction | xmrig camouflaged as ./.ld-linux.so / ./https / ./python3; c3pool / supportxmr
I | ProfileD backdoor | Persistence | system_profiled_service.sh + /usr/local/bin/system-service binary
H | SeoBot | Persistence | /tmp/seobot.zip drops + malware-affiliate SEO defacement
J | Udev / Systemd | Persistence | cdrom-id-helper drop via udev or systemd unit; out-of-band binary fetch
E | Websocket Shell | Attempt | Pattern X forged-session exploitation (entry vector): cpsess[N]/websocket/Shell
X | Pattern X attempt | Attempt | Quarantined session evidence (CRLF token forging, badpass)

Integration

Drop the feed straight into firewall and SIEM tooling and re-pull it on a cron schedule. Every 30 to 60 minutes is plenty; the attacker IP set evolves slowly. Each snippet below is written to be re-run safely from cron: a failed fetch adds nothing, and an IP already present is not added twice.

APF (Advanced Policy Firewall)

# Drop the rfxn signal CVE-2026-41940 attacker block list into APF's deny list. curl -f appends nothing on an
# HTTP error, grep keeps only IPv4 literals (no comments or blanks), and grep -qxF skips IPs already present.
curl -fsS https://signal.rfxn.com/feed/v1/cve-2026-41940/blocklist.txt \
  | grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$' \
  | while read -r ip; do
      grep -qxF "$ip" /etc/apf/deny_hosts.rules || echo "$ip" >> /etc/apf/deny_hosts.rules
    done
apf -r

iptables / nftables

# Block list straight into iptables; iptables -C checks for the rule first so a cron re-pull does not stack duplicates
for ip in $(curl -fsS https://signal.rfxn.com/feed/v1/cve-2026-41940/blocklist.txt | grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'); do
  iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
done
iptables-save > /etc/sysconfig/iptables

ipset (high-volume)

# One set, one rule: -exist makes both the create and each add idempotent for cron re-pulls
ipset create rfxn-cve hash:ip hashsize 4096 -exist
for ip in $(curl -fsS https://signal.rfxn.com/feed/v1/cve-2026-41940/blocklist.txt | grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$'); do
  ipset add rfxn-cve "$ip" -exist
done
iptables -C INPUT -m set --match-set rfxn-cve src -j DROP 2>/dev/null \
  || iptables -I INPUT -m set --match-set rfxn-cve src -j DROP

JSON / SIEM ingestion

# Full IOC bundle: IPs, C2 domains, wallets, procnames, file paths. -r emits bare strings, one per line,
# ready for a SIEM lookup table; swap the key to pull the other indicator classes from the same bundle.
curl -fsS https://signal.rfxn.com/feed/v1/cve-2026-41940/blocklist.json | jq -r '.attacker_ips[]'

Timeline

2025-11-25 · First pre-disclosure exploitation: first confirmed pre-disclosure exploitation event in the corpus (a customer host)

2025-12-22 · Second pre-disclosure event: 24×134 websocket-Shell dimension fingerprint observed four months before public disclosure

2026-03-10 · Pre-disclosure cpsess GET as root: 192.63.172.156 lands a pre-disclosure cpsess GET as root on a customer host

2026-04-11 · Canonical first probe: first Pattern X probe in the modern corpus; the visible exploitation arc begins

2026-04-28 · Vendor disclosure / patch release: cPanel security advisory issued; 11.130 patch floor lands

2026-04-30 · Public PoC / scanning wave: public PoC release; mass scanning and the post-CVE 2xx wave begin

2026-05-05 · Runtime-track hunt: ps-hunt finds 153 hosts with active malware in the cohort; many CLEAN-rated by the session-forensic engine

2026-05-08 · Live corpus snapshot: 2.69M maldet host_meta emits; 11,508 IOC fingerprints; 12,138 hosts hit by tracked attacker IPs

Emergency visibility & IR retainer

Compromised hosts on your fleet right now?

We sweep your fleet against the live SessionScribe IOC set, surface the cpIOC cohort, classify operator-occupied vs terminal-monetization, and hand back a per-host action plan. Pre-positioned IR retainers cover the next CVE before it surfaces.

Deeper reading

The full incident write-up (pre-disclosure exploitation arc, operator profiles, worked kill-chain on a single host, the sleeper-attacker doctrine, and what is surfacing post-patch) is published in the rfxn research log.