{
  "cve": "CVE-2026-41940",
  "product": "cPanel/WHM SessionScribe",
  "snapshot": "2026-05-08",
  "source": "https://signal.rfxn.com/cve-2026-41940",
  "license": "CC BY 4.0",
  "fleet_stats": {
    "total_hosts": 77107,
    "cpY_hosts": 150859,
    "cpIOC_hosts": 6505,
    "ioc_fingerprints": 11508,
    "known_bad_ips": 256,
    "hosts_hit": 12138
  },
  "attacker_ips": [
    {
      "ip": "45.82.78.104",
      "tier": 2,
      "role": "scanner",
      "known_bad": true,
      "country": "BG",
      "asn": "AS50113",
      "provider": "ITL Bulgaria",
      "events": 20596,
      "hosts": 5904,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Worst offender by event volume; sampled across the whole fleet"
    },
    {
      "ip": "80.75.212.14",
      "tier": 1,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "DE",
      "asn": "AS44066",
      "provider": "First Colo GmbH",
      "events": 14705,
      "hosts": 4562,
      "signals": "PE pattern E websocket recon \u00b7 cps cpsess hits \u00b7 smp",
      "notes": "Pattern E primary; broad-scope exploitation cohort"
    },
    {
      "ip": "94.231.206.39",
      "tier": 2,
      "role": "scanner",
      "known_bad": true,
      "country": "RU",
      "asn": "AS41842",
      "provider": "Selectel",
      "events": 8948,
      "hosts": 5766,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "TLS handshake to :2095, badpass exploit"
    },
    {
      "ip": "142.93.43.26",
      "tier": 1,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 4439,
      "hosts": 1310,
      "signals": "PE pattern E websocket recon \u00b7 cps cpsess hits \u00b7 smp",
      "notes": "Pattern E + badpass at scale"
    },
    {
      "ip": "27.124.2.46",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "SG",
      "asn": "AS152194",
      "provider": "CTG Server Ltd",
      "events": 2441,
      "hosts": 2440,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Wide host fan-out, single event per host (probe sweep)"
    },
    {
      "ip": "206.189.2.13",
      "tier": 2,
      "role": "scanner",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 2102,
      "hosts": 544,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "leakix scanner; UA leakix/2.0"
    },
    {
      "ip": "157.245.204.205",
      "tier": 2,
      "role": "scanner",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 1751,
      "hosts": 444,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "leakix scanner; UA leakix/2.0"
    },
    {
      "ip": "23.234.107.207",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS11878",
      "provider": "tzulo",
      "events": 1399,
      "hosts": 1399,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Sweep-style 1:1 host:event ratio"
    },
    {
      "ip": "68.233.238.100",
      "tier": 1,
      "role": "badpass",
      "known_bad": true,
      "country": "US",
      "asn": "AS29802",
      "provider": "Hivelocity",
      "events": 1353,
      "hosts": 545,
      "signals": "cps cpsess hits \u00b7 smp",
      "notes": "Badpass exploit; UA python-requests/2.33.1"
    },
    {
      "ip": "136.244.66.225",
      "tier": 1,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "US",
      "asn": "AS20473",
      "provider": "Vultr",
      "events": 1327,
      "hosts": 350,
      "signals": "PE pattern E websocket recon \u00b7 cps cpsess hits \u00b7 smp",
      "notes": "Session-origin pool, 2xx success"
    },
    {
      "ip": "146.19.24.235",
      "tier": 1,
      "role": "badpass",
      "known_bad": true,
      "country": "NL",
      "asn": "AS50673",
      "provider": "Serverius",
      "events": 1306,
      "hosts": 470,
      "signals": "cps cpsess hits \u00b7 oth \u00b7 smp",
      "notes": "Recurring badpass origin"
    },
    {
      "ip": "45.92.1.188",
      "tier": 1,
      "role": "loader",
      "known_bad": true,
      "country": "RU",
      "asn": "AS204957",
      "provider": "Lanit-Tercom",
      "events": 470,
      "hosts": 179,
      "signals": "PE pattern E websocket recon \u00b7 cps cpsess hits \u00b7 oth \u00b7 smp",
      "notes": "Pattern J operator: udev/systemd persistence"
    },
    {
      "ip": "35.87.51.116",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS16509",
      "provider": "Amazon AWS",
      "events": 368,
      "hosts": 368,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "AWS-origin sweep"
    },
    {
      "ip": "23.234.90.73",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS11878",
      "provider": "tzulo",
      "events": 360,
      "hosts": 360,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Sibling to 23.234.107.207 cohort"
    },
    {
      "ip": "5.252.177.207",
      "tier": 2,
      "role": "badpass",
      "known_bad": true,
      "country": "DE",
      "asn": "AS39378",
      "provider": "Stark Industries",
      "events": 273,
      "hosts": 72,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Prior-run badpass exploit"
    },
    {
      "ip": "188.245.229.68",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "DE",
      "asn": "AS24940",
      "provider": "Hetzner",
      "events": 217,
      "hosts": 217,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Hetzner sweep"
    },
    {
      "ip": "137.184.254.164",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 158,
      "hosts": 158,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "DigitalOcean sweep cohort"
    },
    {
      "ip": "38.146.25.154",
      "tier": 2,
      "role": "createacct",
      "known_bad": true,
      "country": "US",
      "asn": "AS174",
      "provider": "Cogent",
      "events": 121,
      "hosts": 30,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Pattern D createacct source; Operator A; UA Go-http-client/1.1"
    },
    {
      "ip": "167.71.199.22",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 108,
      "hosts": 108,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "DigitalOcean recon"
    },
    {
      "ip": "79.139.159.38",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "RU",
      "asn": "AS25513",
      "provider": "MGTS",
      "events": 107,
      "hosts": 107,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "European recon origin"
    },
    {
      "ip": "8.208.15.225",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "SG",
      "asn": "AS45102",
      "provider": "Alibaba Cloud",
      "events": 104,
      "hosts": 104,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Alibaba Cloud probe"
    },
    {
      "ip": "103.139.178.93",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "IN",
      "asn": "AS203020",
      "provider": "HostRoyale",
      "events": 89,
      "hosts": 89,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "APAC sweep"
    },
    {
      "ip": "38.248.90.73",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS46475",
      "provider": "Limestone Networks",
      "events": 89,
      "hosts": 89,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Sweep cohort"
    },
    {
      "ip": "45.77.245.141",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS20473",
      "provider": "Vultr",
      "events": 77,
      "hosts": 77,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Vultr probe"
    },
    {
      "ip": "178.128.55.132",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 65,
      "hosts": 65,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "DO probe"
    },
    {
      "ip": "168.149.22.87",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "SA",
      "asn": "AS25019",
      "provider": "Saudi Telecom",
      "events": 56,
      "hosts": 56,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Saudi Telecom recon origin"
    },
    {
      "ip": "212.227.154.65",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "DE",
      "asn": "AS8560",
      "provider": "IONOS",
      "events": 43,
      "hosts": 43,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "IONOS-origin probe"
    },
    {
      "ip": "173.208.162.41",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS32097",
      "provider": "WholeSale Internet",
      "events": 42,
      "hosts": 42,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Recon"
    },
    {
      "ip": "161.35.60.228",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 36,
      "hosts": 36,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "DO probe"
    },
    {
      "ip": "77.68.87.67",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "GB",
      "asn": "AS8560",
      "provider": "IONOS",
      "events": 36,
      "hosts": 36,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "IONOS UK recon"
    },
    {
      "ip": "3.208.183.244",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14618",
      "provider": "Amazon AWS",
      "events": 35,
      "hosts": 35,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "AWS-origin probe"
    },
    {
      "ip": "149.102.229.144",
      "tier": 2,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "DE",
      "asn": "AS62240",
      "provider": "Clouvider",
      "events": 33,
      "hosts": 9,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Operator B (24x120) websocket shell pivot"
    },
    {
      "ip": "159.223.155.255",
      "tier": 2,
      "role": "post-cve-2xx",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 32,
      "hosts": 20,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Post-CVE 2xx wave (DigitalOcean cluster)"
    },
    {
      "ip": "67.205.166.246",
      "tier": 2,
      "role": "post-cve-2xx",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 31,
      "hosts": 23,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Post-CVE 2xx wave (DigitalOcean cluster)"
    },
    {
      "ip": "137.184.77.0",
      "tier": 2,
      "role": "badpass",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 24,
      "hosts": 19,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Badpass exploit"
    },
    {
      "ip": "194.180.48.253",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "BG",
      "asn": "AS201814",
      "provider": "MevSpace",
      "events": 23,
      "hosts": 23,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "MevSpace bulletproof-style recon"
    },
    {
      "ip": "206.189.227.202",
      "tier": 2,
      "role": "post-cve-2xx",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 23,
      "hosts": 17,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Post-CVE 2xx wave (DigitalOcean cluster)"
    },
    {
      "ip": "23.168.216.185",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS399935",
      "provider": "Hayashimo",
      "events": 23,
      "hosts": 23,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Recon"
    },
    {
      "ip": "102.89.76.43",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "NG",
      "asn": "AS29465",
      "provider": "VCG",
      "events": 21,
      "hosts": 21,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "African recon origin"
    },
    {
      "ip": "112.193.253.250",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "CN",
      "asn": "AS4837",
      "provider": "China Unicom",
      "events": 19,
      "hosts": 19,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "China Unicom backbone recon"
    },
    {
      "ip": "67.205.134.215",
      "tier": 2,
      "role": "post-cve-2xx",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 19,
      "hosts": 14,
      "signals": "smp \u00b7 sampled access-log",
      "notes": "Post-CVE 2xx wave (DigitalOcean cluster)"
    },
    {
      "ip": "213.21.222.164",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "LV",
      "asn": "AS199152",
      "provider": "VDC",
      "events": 17,
      "hosts": 17,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "VDC-USA / Latvia recon"
    },
    {
      "ip": "45.130.83.196",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "NL",
      "asn": "AS206092",
      "provider": "SecFirewall",
      "events": 16,
      "hosts": 16,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "SecFirewall recon"
    },
    {
      "ip": "45.143.82.1",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "DE",
      "asn": "AS136787",
      "provider": "PacketHub",
      "events": 16,
      "hosts": 16,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "PacketHub recon"
    },
    {
      "ip": "87.106.33.160",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "DE",
      "asn": "AS8560",
      "provider": "IONOS",
      "events": 16,
      "hosts": 16,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "IONOS recon"
    },
    {
      "ip": "129.121.86.200",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS31898",
      "provider": "Oracle Cloud",
      "events": 14,
      "hosts": 14,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "Oracle Cloud recon"
    },
    {
      "ip": "216.24.219.90",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS206092",
      "provider": "SecFirewall",
      "events": 14,
      "hosts": 14,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "SecFirewall recon (sibling)"
    },
    {
      "ip": "23.106.129.26",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "CA",
      "asn": "AS25820",
      "provider": "IT7 Networks",
      "events": 14,
      "hosts": 14,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "IT7 recon"
    },
    {
      "ip": "54.151.201.177",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "US",
      "asn": "AS14618",
      "provider": "Amazon AWS",
      "events": 14,
      "hosts": 14,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "AWS recon"
    },
    {
      "ip": "146.70.14.26",
      "tier": 2,
      "role": "other",
      "known_bad": false,
      "country": "RO",
      "asn": "AS9009",
      "provider": "M247",
      "events": 13,
      "hosts": 13,
      "signals": "oth \u00b7 other signal w/ ip",
      "notes": "M247 recon"
    },
    {
      "ip": "192.81.219.190",
      "tier": 1,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 49,
      "hosts": 12,
      "signals": "PE pattern E \u00b7 cps \u00b7 smp",
      "notes": "Pattern D enum + websocket shell (24x80); Operator A"
    },
    {
      "ip": "183.82.160.147",
      "tier": 1,
      "role": "websocket-shell",
      "known_bad": true,
      "country": "IN",
      "asn": "AS9498",
      "provider": "Bharti Airtel",
      "events": 38,
      "hosts": 8,
      "signals": "PE pattern E \u00b7 cps \u00b7 smp",
      "notes": "Operator C (24x134); recurring across the window"
    },
    {
      "ip": "87.121.84.78",
      "tier": 1,
      "role": "binary-host",
      "known_bad": true,
      "country": "BG",
      "asn": "AS50113",
      "provider": "ITL Bulgaria",
      "events": 31,
      "hosts": 7,
      "signals": "oth \u00b7 loader fetch",
      "notes": "Pattern C nuclear.x86 binary host"
    },
    {
      "ip": "68.183.190.253",
      "tier": 1,
      "role": "ransomware-c2",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 27,
      "hosts": 12,
      "signals": "oth \u00b7 ESTAB to C2",
      "notes": "Pattern A .sorry encryptor C2"
    },
    {
      "ip": "87.121.84.243",
      "tier": 1,
      "role": "binary-host",
      "known_bad": true,
      "country": "BG",
      "asn": "AS50113",
      "provider": "ITL Bulgaria",
      "events": 19,
      "hosts": 5,
      "signals": "oth \u00b7 loader fetch",
      "notes": "Pattern C nuclear.x86 binary host (sibling to .78)"
    },
    {
      "ip": "147.182.224.216",
      "tier": 1,
      "role": "loader",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 8,
      "hosts": 8,
      "signals": "oth \u00b7 loader fetch",
      "notes": "atdu perl-bot loader; 8 hosts on a single hosting fleet"
    },
    {
      "ip": "157.245.235.139",
      "tier": 1,
      "role": "loader",
      "known_bad": true,
      "country": "US",
      "asn": "AS14061",
      "provider": "DigitalOcean",
      "events": 5,
      "hosts": 5,
      "signals": "oth \u00b7 loader fetch",
      "notes": "xminstall xmrig loader"
    },
    {
      "ip": "57.129.119.218",
      "tier": 1,
      "role": "miner-pool",
      "known_bad": true,
      "country": "DE",
      "asn": "AS24940",
      "provider": "Hetzner",
      "events": 4,
      "hosts": 4,
      "signals": "oth \u00b7 ESTAB to pool",
      "notes": "xmrig stratum relay on port 80 (port-based egress filtering will not catch it; block by destination IP); active ESTAB observed"
    },
    {
      "ip": "45.140.17.40",
      "tier": 1,
      "role": "c2",
      "known_bad": true,
      "country": "LV",
      "asn": "AS58061",
      "provider": "Scalaxy",
      "events": 7,
      "hosts": 3,
      "signals": "oth \u00b7 ESTAB to C2",
      "notes": "codeItems3 PHP cron-bot C2; per-host API token header"
    },
    {
      "ip": "45.140.17.23",
      "tier": 1,
      "role": "c2",
      "known_bad": true,
      "country": "LV",
      "asn": "AS58061",
      "provider": "Scalaxy",
      "events": 6,
      "hosts": 1,
      "signals": "oth \u00b7 ESTAB to C2",
      "notes": "codeItems3 sibling C2 (same /24)"
    },
    {
      "ip": "209.14.84.37",
      "tier": 1,
      "role": "c2",
      "known_bad": true,
      "country": "US",
      "asn": "AS46562",
      "provider": "Performive",
      "events": 3,
      "hosts": 1,
      "signals": "oth \u00b7 ESTAB to C2",
      "notes": "Novel implant C2 (port 1220, non-standard)"
    }
  ],
  "c2_domains": [
    {
      "domain": "u.lihq.me",
      "kind": "gsocket-relay",
      "notes": "Custom GSocket relay (operator-controlled)"
    },
    {
      "domain": "raw.flameblox.com",
      "kind": "binary-host",
      "notes": "Pattern C/H binary drop"
    },
    {
      "domain": "cp.dene.de.com",
      "kind": "ransomware-c2",
      "notes": "Pattern K Cloudflare-fronted C2; the resolved IPs are shared Cloudflare edge addresses, so block by hostname/DNS and do not blackhole the edge IPs"
    },
    {
      "domain": "auto.c3pool.org",
      "kind": "miner-pool",
      "notes": "c3pool stratum endpoint (port 13333)"
    },
    {
      "domain": "pool.supportxmr.com",
      "kind": "miner-pool",
      "notes": "supportxmr RandomX pool (port 3333)"
    },
    {
      "domain": "download.c3pool.org",
      "kind": "loader-host",
      "notes": "setup_c3pool_miner.sh installer host"
    }
  ],
  "wallets": [
    {
      "address": "423Gvxk9VMFH3FUyurUNqFKrXvMgoWAJwM98uXbiCubJafBUUyvyeRLgQos3JSMfRBFtb8iFCahTx6K6nes7TkP75gXdoDj",
      "pool": "c3pool",
      "notes": "Fleet pivot indicator; shared across hosts using identical config.json"
    },
    {
      "address": "4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL",
      "pool": "supportxmr",
      "worker": "ngintil",
      "notes": "RandomX worker"
    },
    {
      "address": "47eqhWc4e88EVdqbnwEJaD5aSzYvV2BT29dm",
      "pool": "c3pool",
      "notes": "Truncated in ps output (36-char prefix of a full 95-char Monero address); match by prefix; distinct operator"
    }
  ],
  "masquerade_procnames": [
    {
      "name": "defunct",
      "reality": "GSocket reverse-shell persistence",
      "keyfile": "~/.config/htop/defunct.dat"
    },
    {
      "name": "gs-dbus",
      "reality": "GSocket variant",
      "keyfile": "~/.config/dbus/gs-dbus.dat"
    },
    {
      "name": "lscgib",
      "reality": "GSocket variant",
      "keyfile": "~/.config/htop/lscgib.dat"
    },
    {
      "name": "/dev/shm/.gs",
      "reality": "Active gs-netcat listener",
      "detection": "args -l -s <secret> -e /bin/bash -q"
    },
    {
      "name": "./.ld-linux.so",
      "reality": "xmrig (RandomX)",
      "detection": "The genuine ld-linux.so lives under /lib*/ and does not appear as a relative-path argv[0] of a long-running process; ./.ld-linux.so as argv[0] is the miner"
    },
    {
      "name": "./https",
      "reality": "xmrig",
      "detection": "argv[0] masquerade with -a rx/0 -o pool.* flags"
    },
    {
      "name": "./python3",
      "reality": "xmrig",
      "detection": "argv[0] masquerade with --donate-level / pool URL"
    },
    {
      "name": "x8z9up8vxl06v",
      "reality": "Novel C2 implant",
      "detection": "Random high-entropy procname + ESTAB to 209.14.84.37:1220"
    },
    {
      "name": "nuclear.x86",
      "reality": "Mirai variant (Pattern C)",
      "detection": "Direct binary match"
    },
    {
      "name": "system_profiled_service",
      "reality": "Pattern I profile.d backdoor",
      "detection": "/etc/profile.d/ hook + /usr/local/bin/system-service binary"
    },
    {
      "name": "cdrom-id-helper",
      "reality": "Pattern J udev / systemd persistence",
      "detection": "udev / systemd unit drops a non-stock binary"
    }
  ],
  "file_path_iocs": [
    {
      "pattern": "~/.config/htop/defunct.dat",
      "what": "GSocket relay secret-key file (default masquerade name)",
      "severity": "critical"
    },
    {
      "pattern": "~/.config/htop/lscgib.dat",
      "what": "GSocket relay secret-key file (lscgib variant)",
      "severity": "critical"
    },
    {
      "pattern": "~/.config/dbus/gs-dbus.dat",
      "what": "GSocket relay secret-key file (dbus variant)",
      "severity": "critical"
    },
    {
      "pattern": "/dev/shm/.gs",
      "what": "Active gs-netcat listener binary (renamed)",
      "severity": "critical"
    },
    {
      "pattern": "/root/sshd",
      "what": "Pattern A .sorry file-encryption ransomware masquerading as sshd (legitimate daemon is /usr/sbin/sshd); confirm by sha256 prefix 2fc0a056 rather than by name alone",
      "severity": "critical"
    },
    {
      "pattern": "/root/c3pool/xmrig",
      "what": "xmrig cryptominer (c3pool default install path)",
      "severity": "high"
    },
    {
      "pattern": "/root/c3pool/config.json",
      "what": "xmrig config (contains wallet + pool)",
      "severity": "high"
    },
    {
      "pattern": "/root/moneroocean/xmrig",
      "what": "xmrig cryptominer (moneroocean variant)",
      "severity": "high"
    },
    {
      "pattern": "/root/moneroocean/config.json",
      "what": "xmrig config (moneroocean pool variant)",
      "severity": "high"
    },
    {
      "pattern": "/tmp/codeItems3",
      "what": "PHP cron-bot stage-2 payload",
      "severity": "high"
    },
    {
      "pattern": "/tmp/seobot.zip",
      "what": "Pattern H seobot SEO defacement archive",
      "severity": "high"
    },
    {
      "pattern": "/tmp/.<hex32>",
      "what": "Generic webshell drop (PHP)",
      "severity": "high"
    },
    {
      "pattern": "/usr/local/bin/system-service",
      "what": "Pattern I profile.d backdoor binary",
      "severity": "high"
    },
    {
      "pattern": "nuclear.<arch>",
      "what": "Pattern C Mirai variant (multi-arch drop)",
      "severity": "high"
    }
  ]
}