Campaign: OpenDirectory-CVE-2026-41940-cPanel-Harvester-216.126.227.49
Date: 2026-05-17
Author: The Hunters Ledger
License: CC BY-NC 4.0
Reference: https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
Detection Coverage Summary
| Rule Type | Count | MITRE Techniques Covered | Overall FP Risk |
|---|---|---|---|
| YARA | 1 | T1588.005, T1587.001 | LOW (hash-only, no FP risk from hash matching) |
| Sigma | 9 | T1212, T1110.003, T1071.001, T1583.008, T1190, T1505.003, T1136.001, T1568.002, T1595.001 | LOW–MEDIUM |
| Suricata | 3 | T1212, T1071.001, T1583.008 | LOW–MEDIUM |
Evidence posture note: The operator’s port-7777 development server was offline before source code could be persisted. The 37 toolkit SHA256s exist but no byte-level string content is available. YARA string-pattern detection against the toolkit is therefore impossible — this is a fundamental evidence gap, not a coverage gap that additional effort can close. The high-leverage detection content in this file is Sigma (log-based) and Suricata (network-based). Defenders should prioritize deploying the Sigma rules for CVE-2026-41940 exploitation detection and the Suricata signatures for C2 banner hunting.
YARA Rules
Scope limitation: Only one YARA rule is written for this campaign — a hash-based rule for the eight highest-value toolkit files. String-based YARA against the operator toolkit is not possible because source code was never persisted to disk by the hashing platform. The YARA rule below detects these specific files if encountered on disk during forensic investigation of a suspected operator-controlled host or incident-response triage of an acquired disk image. It will not match on victim endpoints.
TOOLKIT_CpanelHarvester41940 — Hash-Based Toolkit File Detection
Detection Priority: HIGH
Rationale: Exact-hash matches the eight most forensically significant operator toolkit files including the CVE-2026-41940 orchestrator, Flask C2 dashboard, and Beast-branded phishing-page generator. Any of these hashes on a host under investigation is a definitive match to this operator’s toolkit.
ATT&CK Coverage: T1588.005 (Obtain Capabilities: Exploits), T1587.001 (Develop Capabilities: Malware), T1059.006 (Python), T1059.004 (Unix Shell)
Confidence: HIGH (hash-based — zero ambiguity when a match occurs)
False Positive Risk: NONE — SHA256 hash matches are exact and non-probabilistic. These hashes have zero VirusTotal coverage; they do not appear in any known legitimate software corpus.
Deployment: Linux forensic triage, disk-image scanning, incident-response tooling on acquired cPanel/WHM host images. Not suitable for real-time endpoint scanning on victim infrastructure — the toolkit runs on operator-controlled infrastructure, not victim endpoints.
```yara
/*
Name: cPanel Harvester Toolkit — CVE-2026-41940 Operator Files
Author: The Hunters Ledger
Date: 2026-05-17
Identifier: cPanel-Harvester-Toolkit-CVE-2026-41940-216.126.227.49
Reference: https://the-hunters-ledger.com/hunting-detections/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517-detections/
License: https://creativecommons.org/licenses/by-nc/4.0/
*/

/* The hash module is required: a file is matched by computing its own SHA256 and
   comparing it to the known digests. Declaring the digests as text strings would only
   match files that contain the hex digest as literal text (IoC lists, this report). */
import "hash"

rule TOOLKIT_CpanelHarvester41940_KnownFiles
{
    meta:
        description = "Detects operator-built cPanel/WHM credential harvester toolkit files associated with CVE-2026-41940 exploitation cluster at 216.126.227.49 (AS14956 RouterHosting). Matches eight highest-value toolkit components by exact SHA256 hash. All hashes are zero-hit on VirusTotal — operator-bespoke tooling with no public coverage."
        author = "The Hunters Ledger"
        date = "2026-05-17"
        reference = "https://the-hunters-ledger.com/hunting-detections/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517-detections/"
        hash_sha256_pipeline41940 = "4b054892b4a5d7811f57562552d1ea0e8ea5bfbf705ceb71e91126482b650a47"
        hash_sha256_livedashboard = "16855dfbb2a8ec40ffa98c5777e598f353e84c4793a0691fa2cb26384e2c23d8"
        hash_sha256_beastdashboard = "0442691db9f9aa7cfdc8f04036f74b4b042dce0101325dd30f5ef4d27aa99d2e"
        hash_sha256_whmhunter = "96babe4f65d33dafcdb2425039012d5b2cf8c01b04d0680c5551482ccea27b64"
        hash_sha256_genbeastpage = "0330a32ad6cce29a15e238ae1382dc590ff7b2675eef4bdb5b2844c7228bc684"
        hash_sha256_massv8 = "2c92c6d466f33204278d586bcbb4d341bd58362f2c5c904e3164aadf63a236c2"
        hash_sha256_megahuntfast = "c635f3d808953584614e5128e9039f7644ad51cd903e32015f1cfdbaafea122d"
        hash_sha256_harvestwhmv2 = "38f10f41e22192c4f342632f7997e18006eead2610af94712cba3e4220f6bd36"
        family = "cPanel-Harvester-Toolkit-CVE-2026-41940"

    strings:
        /* Operator-distinctive filename strings — for filesystem scan / open-directory hunting */
        $fn_pipeline = "pipeline-41940" ascii wide
        $fn_live_dash = "live-dashboard-v10" ascii wide
        $fn_whm_hunter = "whm-hunter" ascii wide
        $fn_beast_dash = "beast-dashboard" ascii wide
        $fn_beast_page = "gen-beast-page" ascii wide
        $fn_megahunt = "megahunt-fast" ascii wide
        $fn_toolkit_dir = "cpanel-toolkit-export" ascii wide

    condition:
        /* Hash-match branch: the file's own SHA256 equals one of the eight known digests;
           any single match is definitive */
        (
            /* pipeline-41940.sh — CVE-2026-41940 weaponization orchestrator (10219 bytes) */
            hash.sha256(0, filesize) == "4b054892b4a5d7811f57562552d1ea0e8ea5bfbf705ceb71e91126482b650a47" or
            /* live-dashboard-v10.py — Flask C2 dashboard (34294 bytes) */
            hash.sha256(0, filesize) == "16855dfbb2a8ec40ffa98c5777e598f353e84c4793a0691fa2cb26384e2c23d8" or
            /* beast-dashboard.py — alternate dashboard (14812 bytes) */
            hash.sha256(0, filesize) == "0442691db9f9aa7cfdc8f04036f74b4b042dce0101325dd30f5ef4d27aa99d2e" or
            /* whm-hunter.py — primary WHM credential harvester (20531 bytes) */
            hash.sha256(0, filesize) == "96babe4f65d33dafcdb2425039012d5b2cf8c01b04d0680c5551482ccea27b64" or
            /* gen-beast-page.py — phishing page generator (23650 bytes) */
            hash.sha256(0, filesize) == "0330a32ad6cce29a15e238ae1382dc590ff7b2675eef4bdb5b2844c7228bc684" or
            /* mass_v8.py — mass scanner v8 (10286 bytes) */
            hash.sha256(0, filesize) == "2c92c6d466f33204278d586bcbb4d341bd58362f2c5c904e3164aadf63a236c2" or
            /* megahunt-fast.sh — mass-hunt orchestration shell (4287 bytes) */
            hash.sha256(0, filesize) == "c635f3d808953584614e5128e9039f7644ad51cd903e32015f1cfdbaafea122d" or
            /* harvest_whm_v2.py — WHM credential harvester v2 (7239 bytes) */
            hash.sha256(0, filesize) == "38f10f41e22192c4f342632f7997e18006eead2610af94712cba3e4220f6bd36"
        )
        or
        /* Filename-string branch: at least 2 distinctive operator filenames together
           (reduces FP in case someone names a legitimate file similarly — requires 2 of 7) */
        (
            filesize < 50KB and
            2 of ($fn_pipeline, $fn_live_dash, $fn_whm_hunter, $fn_beast_dash,
                  $fn_beast_page, $fn_megahunt, $fn_toolkit_dir)
        )
}
```
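For triage environments where YARA is not available, the same two branches can be run from Python. This is an added example, not The Hunters Ledger's tooling: it hashes each file and compares the digest against the eight known SHA256 values (exactly what the rule's hash branch does, rather than searching for the digest as text), and falls back to the two-of-seven filename heuristic for files under 50 KB. The sample tree in `demo()` is constructed; no bytes that reproduce the real toolkit hashes exist on this page, so the demo only exercises the filename branch and the negative cases.

```python
"""Python triage mirroring the two branches of the YARA rule above (added example)."""
import hashlib
import os
import tempfile

# SHA256 -> toolkit filename, as listed in the rule's meta block
KNOWN_SHA256 = {
    "4b054892b4a5d7811f57562552d1ea0e8ea5bfbf705ceb71e91126482b650a47": "pipeline-41940.sh",
    "16855dfbb2a8ec40ffa98c5777e598f353e84c4793a0691fa2cb26384e2c23d8": "live-dashboard-v10.py",
    "0442691db9f9aa7cfdc8f04036f74b4b042dce0101325dd30f5ef4d27aa99d2e": "beast-dashboard.py",
    "96babe4f65d33dafcdb2425039012d5b2cf8c01b04d0680c5551482ccea27b64": "whm-hunter.py",
    "0330a32ad6cce29a15e238ae1382dc590ff7b2675eef4bdb5b2844c7228bc684": "gen-beast-page.py",
    "2c92c6d466f33204278d586bcbb4d341bd58362f2c5c904e3164aadf63a236c2": "mass_v8.py",
    "c635f3d808953584614e5128e9039f7644ad51cd903e32015f1cfdbaafea122d": "megahunt-fast.sh",
    "38f10f41e22192c4f342632f7997e18006eead2610af94712cba3e4220f6bd36": "harvest_whm_v2.py",
}
# The seven $fn_* strings; YARA's `ascii wide` means ASCII or UTF-16LE encoding
OPERATOR_NAMES = ("pipeline-41940", "live-dashboard-v10", "whm-hunter", "beast-dashboard",
                  "gen-beast-page", "megahunt-fast", "cpanel-toolkit-export")
FILESIZE_LIMIT = 50 * 1024  # `filesize < 50KB`
MIN_NAMES = 2               # `2 of ($fn_*)`


def triage_bytes(data):
    """Return the verdict for one file's contents."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_SHA256:
        return {"verdict": "known_toolkit_file", "name": KNOWN_SHA256[digest]}
    if len(data) < FILESIZE_LIMIT:
        found = [n for n in OPERATOR_NAMES
                 if n.encode("ascii") in data or n.encode("utf-16-le") in data]
        if len(found) >= MIN_NAMES:
            return {"verdict": "operator_filename_cluster", "names": found}
    return {"verdict": "clean"}


def triage_tree(root):
    """Walk a directory (e.g. a mounted disk image) and return every non-clean file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = triage_bytes(fh.read())
            if result["verdict"] != "clean":
                findings[os.path.relpath(path, root)] = result
    return findings


def demo():
    """Constructed sample tree: only run.sh should be reported."""
    samples = {
        # two operator filenames in a small script -> filename cluster
        "run.sh": b"#!/bin/sh\npython3 whm-hunter.py && sh megahunt-fast.sh\n",
        # a single operator filename is below the 2-of-7 threshold
        "notes.txt": b"see whm-hunter for details\n",
        # the digest as text is not a hash match (the file's own SHA256 differs)
        "iocs.txt": b"4b054892b4a5d7811f57562552d1ea0e8ea5bfbf705ceb71e91126482b650a47\n",
        # two names, but the file is not under 50 KB
        "big.bin": b"whm-hunter megahunt-fast" + b"\x00" * FILESIZE_LIMIT,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage_tree(root)


if __name__ == "__main__":
    print(demo())
```

`triage_tree` reads whole files into memory, which is fine for a toolkit whose largest member is 34 KB; for a full disk image, stream the hash with `hashlib.file_digest` or chunked reads and only load small files for the filename branch.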
Sigma Rules
Rule 1 — CVE-2026-41940 cPanel CRLF Auth Bypass Attempt (Null Byte in Authorization Header)
Detection Priority: HIGH
Rationale: CVE-2026-41940 is a pre-auth CRLF injection in cPanel/WHM’s Authorization Basic header processing (CVSS 9.8). A null byte, carriage-return, or line-feed character injected after the Base64 credential portion is the canonical exploitation indicator. This rule fires on the raw HTTP injection before any session token is issued.
ATT&CK Coverage: T1212 (Exploitation for Credential Access), T1190 (Exploit Public-Facing Application)
Confidence: HIGH (CVE mechanic is documented; the pattern is specific to CRLF injection)
False Positive Risk: LOW — legitimate Authorization: Basic headers do not contain null bytes, CR, or LF characters. Any hit warrants immediate investigation. Potential FP: automated security scanners (Burp Suite, Nuclei) running authorized assessments against cPanel hosts.
Deployment: Reverse proxy logs (nginx/Apache/HAProxy) in front of cPanel/WHM; WAF alert logs; any HTTP-aware log pipeline ingesting access logs from port 443/2083/2087.
```yaml
title: CVE-2026-41940 cPanel WHM CRLF Auth Bypass Attempt - Null Byte in Authorization Header
id: 7f3a2c91-e8d4-4b5a-9c1f-3e6d7a2b0f84
status: test
description: >-
  Detects exploitation attempts targeting CVE-2026-41940, a CVSS 9.8 pre-authentication CRLF
  injection vulnerability in cPanel and WHM (disclosed 2026-04-28). Attackers inject null
  bytes or CRLF sequences into the Authorization Basic header to bypass session validation
  and obtain a forged cpsessXXXX WHM-root token without valid credentials. The operator
  toolkit file pipeline-41940.sh at 216.126.227.49 directly encodes this CVE.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41940
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.credential-access
  - cve.2026.41940
logsource:
  category: webserver
detection:
  selection_auth_null:
    cs-uri-stem|contains:
      - '/___proxy_subdomain_whm'
      - '/___proxy_subdomain_cpanel'
  selection_auth_header:
    cs-headers|re: 'Authorization:\s*Basic\s+[A-Za-z0-9+/=]*(%00|%0[aAdD]|\x00|\x0a|\x0d)'
  condition: selection_auth_null or selection_auth_header
falsepositives:
  - Authorized penetration testing or security scanning tools (Burp Suite, Nuclei, Metasploit) running assessments against cPanel infrastructure
  - Security researchers probing CVE-2026-41940 in controlled environments
level: high
```
Rule 2 — CVE-2026-41940 cPanel CRLF Auth Bypass — Expired-Session Token Injection
Detection Priority: HIGH
Rationale: The CVE-2026-41940 proof-of-concept (per watchTowr Labs disclosure) uses the literal string expired=1 injected into the Authorization Basic credential portion to trigger the CRLF bypass. This string pattern in a cPanel/WHM Authorization header is a precise, low-FP indicator of PoC-based exploitation.
ATT&CK Coverage: T1212 (Exploitation for Credential Access), T1190 (Exploit Public-Facing Application)
Confidence: HIGH (exact PoC indicator documented by watchTowr Labs)
False Positive Risk: LOW — the string expired=1 is a URL parameter that has no legitimate place inside a Base64-encoded Basic auth credential. Any hit is highly suspicious.
Deployment: Reverse proxy logs; WAF alert logs; cPanel access logs (ports 2083, 2087, 443).
```yaml
title: CVE-2026-41940 cPanel WHM CRLF Auth Bypass - Expired Session Token in Authorization Header
id: a4c8e17b-3f92-4d6e-b08a-5c2d9e4f1a73
status: test
description: >-
  Detects the CVE-2026-41940 PoC-exact exploitation pattern where the string 'expired=1'
  is injected into the Authorization: Basic header credential portion. The cPanel/WHM CRLF
  injection vulnerability interprets this crafted token as an indication of a legitimate
  but expired session, bypassing authentication and issuing a WHM-root cpsessXXXX token.
  This indicator matches the canonical public PoC (assetnote/cpanel2shell-scanner,
  ynsmroztas/cPanelSniper) as well as the operator toolkit at 216.126.227.49.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41940
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.credential-access
  - cve.2026.41940
logsource:
  category: webserver
detection:
  selection_expired_token:
    cs-headers|contains: 'expired=1'
  filter_legitimate_params:
    cs-uri-query|contains: 'expired=1'
  condition: selection_expired_token and not filter_legitimate_params
falsepositives:
  - URL query parameters containing 'expired=1' in legitimate web applications (filtered out by condition)
  - Authorized security scanning tools probing cPanel installations
level: high
```
Rule 3 — CVE-2026-41940 Post-Exploit — Successful CRLF Bypass Confirmation in Response
Detection Priority: HIGH
Rationale: When CVE-2026-41940 CRLF injection succeeds, the cPanel/WHM response body contains the string msg_code:[expired_session] — an internal server-side confirmation that the injected expired-session token was accepted. Monitoring for this string in outbound HTTP response bodies confirms a successful bypass (as opposed to a failed attempt).
ATT&CK Coverage: T1212 (Exploitation for Credential Access), T1190 (Exploit Public-Facing Application)
Confidence: MODERATE (response body monitoring requires inline HTTP inspection; not all proxy deployments capture response bodies)
False Positive Risk: LOW — msg_code:[expired_session] is a cPanel-internal error string specific to this authentication pathway. It would only appear in normal traffic if a real user encountered a session expiry, not in a response confirming successful exploitation.
Deployment: Inline HTTP proxies or WAFs with response-body inspection enabled; NGFW with application-layer DPI; cPanel/WHM error log aggregation.
```yaml
title: CVE-2026-41940 cPanel WHM CRLF Auth Bypass - Successful Exploitation Confirmation Response
id: 2e8b5d9f-71a3-4c8e-a25b-6f0d3c7e9b12
status: test
description: >-
  Detects the server-side confirmation string 'msg_code:[expired_session]' returned by
  cPanel/WHM after a successful CVE-2026-41940 CRLF authentication bypass. This string
  appears in the HTTP response body when the injected expired-session token is accepted,
  confirming that exploitation succeeded and a forged WHM-root cpsessXXXX token was issued.
  Monitoring this response pattern catches successful exploitation after the initial attempt.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41940
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.credential-access
  - cve.2026.41940
logsource:
  category: webserver
detection:
  selection_success_body:
    cs-response-body|contains: 'msg_code:[expired_session]'
  condition: selection_success_body
falsepositives:
  - Legitimate cPanel session-expiry responses to real users (distinguish by source IP and request pattern — real users have valid sessions, attackers send forged headers)
  - Security testing in authorized cPanel lab environments
level: critical
```
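The three web-log conditions above (Rules 1 to 3) applied in Python to a handful of constructed access-log records, so the selection and filter logic can be checked offline before the rules are loaded into a SIEM. This is an added example, not The Hunters Ledger's code. It assumes a log pipeline that parses each request into a dict keyed by the Sigma field names, with `cs-headers` as a list holding one `Name: value` string per request header; the sample records, IPs and the `user:secret` credential are constructed.

```python
"""Apply the CVE-2026-41940 web-log Sigma conditions (Rules 1-3) to parsed records (added example)."""
import re

# Sigma Rule 1: cs-headers|re (unanchored, as Sigma's |re modifier is)
AUTH_CTRL_RE = re.compile(
    r"Authorization:\s*Basic\s+[A-Za-z0-9+/=]*(%00|%0[aAdD]|\x00|\x0a|\x0d)"
)
PROXY_STEMS = ("/___proxy_subdomain_whm", "/___proxy_subdomain_cpanel")  # Rule 1
EXPIRED_MARKER = "expired=1"                    # Rule 2
SUCCESS_MARKER = "msg_code:[expired_session]"   # Rule 3


def evaluate(record):
    """Return the names of the rules whose condition holds for one record.

    Assumed record layout (an assumption of this example, not of the rules): a dict
    keyed by the Sigma field names, where 'cs-headers' is a list with one
    'Name: value' string per request header. Matching header by header keeps the raw
    \\x0d / \\x0a alternatives of the regex away from any CR/LF that a log pipeline
    uses to join all headers into a single field.
    """
    headers = record.get("cs-headers", [])
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "")
    body = record.get("cs-response-body", "")
    hits = []
    # Rule 1: selection_auth_null OR selection_auth_header
    if any(s in stem for s in PROXY_STEMS) or any(AUTH_CTRL_RE.search(h) for h in headers):
        hits.append("rule1_crlf_attempt")
    # Rule 2: marker in a header AND NOT in the query string (filter_legitimate_params)
    if any(EXPIRED_MARKER in h for h in headers) and EXPIRED_MARKER not in query:
        hits.append("rule2_expired_token")
    # Rule 3: server-side confirmation string in the response body
    if SUCCESS_MARKER in body:
        hits.append("rule3_success_confirmation")
    return hits


def scan(records):
    """Return (index, hits) for every record that fires at least one rule."""
    out = []
    for i, record in enumerate(records):
        hits = evaluate(record)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records; IPs are documentation ranges, the credential is "user:secret"
SAMPLE_RECORDS = [
    {"c-ip": "198.51.100.10", "cs-uri-stem": "/login/", "cs-uri-query": "",
     "cs-headers": ["Host: whm.example.test:2087", "Authorization: Basic dXNlcjpzZWNyZXQ="],
     "cs-response-body": ""},                                   # benign login
    {"c-ip": "203.0.113.5", "cs-uri-stem": "/login/", "cs-uri-query": "",
     "cs-headers": ["Host: whm.example.test:2087", "Authorization: Basic dXNlcjpzZWNyZXQ=%00"],
     "cs-response-body": ""},                                   # control char after credential
    {"c-ip": "203.0.113.5", "cs-uri-stem": "/login/", "cs-uri-query": "",
     "cs-headers": ["Host: whm.example.test:2087", "Authorization: Basic expired=1"],
     "cs-response-body": ""},                                   # marker in the header
    {"c-ip": "198.51.100.10", "cs-uri-stem": "/login/", "cs-uri-query": "expired=1",
     "cs-headers": ["Host: whm.example.test:2087",
                    "Referer: https://whm.example.test:2087/login/?expired=1"],
     "cs-response-body": ""},                                   # marker only from the query: filtered
    {"c-ip": "203.0.113.5", "cs-uri-stem": "/login/", "cs-uri-query": "",
     "cs-headers": ["Host: whm.example.test:2087"],
     "cs-response-body": "msg_code:[expired_session]"},         # success confirmation
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(index, SAMPLE_RECORDS[index]["c-ip"], hits)
```

One caveat the per-header layout makes visible: if a pipeline stores all request headers in `cs-headers` as a single string joined with CRLF, the `\x0a`/`\x0d` alternatives in Rule 1's regex match the line break that follows every legitimate `Authorization: Basic` value, and the rule fires on all Basic-auth traffic. In that case keep only the `\x00` and percent-encoded alternatives, or split the field before matching as this example does.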
Rule 4 — Operator Flask C2 Dashboard Banner — Werkzeug/3.1.8 + /login-2fa Redirect
Detection Priority: HIGH
Rationale: The operator’s live C2 dashboard at 216.126.227.49:8888 exposes a specific HTTP Server banner (Werkzeug/3.1.8 Python/3.13.12) combined with a 302 redirect to /login-2fa. This combination is highly distinctive — the Werkzeug development server is not a production deployment tool, and /login-2fa is the operator’s custom-named login path not associated with any known legitimate framework default. Any internet-facing service presenting this exact Server header + redirect target should be treated as a potential peer C2 instance.
ATT&CK Coverage: T1071.001 (Application Layer Protocol: Web Protocols), T1219 (Remote Access Software)
Confidence: HIGH (directly observed from passive HTTP HEAD against 216.126.227.49:8888 on 2026-05-17)
False Positive Risk: LOW — Werkzeug/3.1.8 alone would be medium FP risk (used by many Flask developers); combined with a 302 redirect to /login-2fa the combination is specific. Legitimate Werkzeug applications rarely expose port 8888 on the internet AND use exactly this redirect path simultaneously.
Deployment: Network proxy logs; NDR/IDS HTTP header capture; Shodan/Censys continuous monitoring export; threat hunting across web access logs for internet-reachable services.
```yaml
title: Operator Flask C2 Dashboard - Werkzeug 3.1.8 Banner with /login-2fa Redirect
id: 5c7d1e4a-9b83-4f2c-8e67-1a3f5c8d2b90
status: test
description: >-
  Detects the Flask C2 dashboard operated by the CVE-2026-41940 cPanel harvester cluster
  (216.126.227.49). The server presents HTTP/Server: Werkzeug/3.1.8 Python/3.13.12 with a
  302 redirect to /login-2fa on the initial unauthenticated request. This combination is
  the operator's live credential-harvesting command-and-control infrastructure. The Werkzeug
  development server on an internet-facing port combined with the /login-2fa custom path
  fingerprints this specific operator's deployment pattern. Use for Shodan/Censys hunting
  to identify peer C2 instances with the same deployment template.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.command-and-control
logsource:
  category: proxy
detection:
  selection_werkzeug_banner:
    cs-response-header-server|contains: 'Werkzeug/3.1.8'
  selection_login2fa_redirect:
    cs-response-header-location|contains: '/login-2fa'
  condition: selection_werkzeug_banner and selection_login2fa_redirect
falsepositives:
  - Legitimate Flask developers running Werkzeug 3.1.8 who happened to name their login route /login-2fa (extremely unlikely on internet-exposed port 8888)
  - Security researchers replicating the operator's C2 in a lab environment
level: high
```
Rule 5 — Operator Parklogic TDS Traffic — pkAId=2143526812 in URL
Detection Priority: HIGH
Rationale: The operator’s Parklogic TDS monetization account ID 2143526812 (as pkAId=2143526812) appears in every URL routed through their traffic distribution system. This is the operator’s unique customer account number with Parklogic.com — it is constant across all TDS source-referer domains. Any outbound web request from a monitored network containing this parameter indicates a user was redirected through the operator’s phishing distribution infrastructure.
ATT&CK Coverage: T1583.008 (Acquire Infrastructure: Malvertising), T1480 (Execution Guardrails — TDS traffic filtering)
Confidence: HIGH (directly observed in multiple TDS URLs across operator’s infrastructure)
False Positive Risk: LOW — this is a unique account-level identifier. The probability of collision with a legitimate URL parameter is negligible. Any hit indicates a user reached a URL within the operator’s Parklogic TDS chain.
Deployment: Web proxy URL logs; DNS-layer security controls; email gateway URL scanning; outbound HTTP inspection.
```yaml
title: Operator Parklogic TDS - CVE-2026-41940 cPanel Harvester Affiliate ID in URL
id: 8b2f4e9c-5d17-4a3b-b19e-7c6e2f8a4d51
status: test
description: >-
  Detects outbound web requests containing the Parklogic TDS affiliate account ID
  pkAId=2143526812, which is the monetization account number for the CVE-2026-41940 cPanel
  harvester operator at 216.126.227.49. This parameter appears in every URL within the
  operator's traffic distribution system (TDS) that routes users from spoof landing pages
  through to phishing destinations (Office 365, multi-brand consumer phishing). A hit
  indicates a user or system reached a URL within the operator's phishing distribution chain.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.command-and-control
logsource:
  category: proxy
detection:
  selection_tds_id:
    cs-uri-query|contains: 'pkAId=2143526812'
  condition: selection_tds_id
falsepositives:
  - None expected — this is a unique operator-specific account identifier in the Parklogic TDS platform
level: high
```
Rule 6 — Operator TDS Landing URL Pattern — Parklogic Source-Referer Shape
Detection Priority: MEDIUM
Rationale: The operator’s TDS redirector uses a consistent URL shape: /?d=<source-domain>&a=2143526812&s=<64-hex-chars>. The s= parameter is a per-source-domain campaign hash (64 hex characters). This URL pattern is specific to the operator’s Parklogic account routing and differs from Parklogic’s general URL format used by other customers.
ATT&CK Coverage: T1583.008 (Acquire Infrastructure: Malvertising), T1480 (Execution Guardrails)
Confidence: HIGH (URL shape directly observed in multiple operator TDS links)
False Positive Risk: MEDIUM — other Parklogic customers use similar URL shapes with the d=, a=, s= parameters. The rule fires on the exact a=2143526812 value; additional tuning against the s= parameter length (64 hex chars) reduces FP risk. Set detection priority to MEDIUM for environments where Parklogic traffic is common.
Deployment: Web proxy URL logs; email gateway URL pattern scanning.
```yaml
title: Operator TDS Landing URL Pattern - Parklogic Source-Referer Shape with Campaign Hash
id: 3d6c9a7e-2f41-4b8d-c53e-9a1b7f3e5d28
status: test
description: >-
  Detects the URL pattern used by the CVE-2026-41940 cPanel harvester operator's Parklogic
  TDS traffic distribution system. The shape is /?d=<source-domain>&a=2143526812&s=<64-hex-chars>
  where d= is the source/referrer domain, a= is the operator's Parklogic affiliate ID
  (constant: 2143526812), and s= is a per-source-domain campaign hash (64 hex characters).
  This shape routes victims from compromised or spoof landing pages through to phishing
  destinations. The 64-char hex s= parameter distinguishes operator-controlled TDS flows
  from generic Parklogic traffic.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.command-and-control
logsource:
  category: proxy
detection:
  selection_tds_shape:
    cs-uri-query|contains|all:
      - 'a=2143526812'
      - '&s='
  selection_s_param_length:
    cs-uri-query|re: '[?&]s=[a-f0-9]{64}(&|$)'
  condition: selection_tds_shape and selection_s_param_length
falsepositives:
  - Other Parklogic customers using the same platform with different a= values (filtered by the a=2143526812 requirement)
  - Security researchers reproducing the operator's TDS chain in testing environments
level: medium
```
Rule 7 — Operator Phishing Payload-Fetch URL — /f/<12-hex> Path on Cloudflare-Fronted Domains
Detection Priority: MEDIUM
Rationale: The operator’s phishing kit uses a consistent per-victim payload-fetch URL path: /f/<12-hex> (e.g., /f/d6aba322369c). This 12-character hex token is kit-generated and routes the victim to their specific phishing page clone. This path pattern was directly observed in the VT-reported URL https://officebyt.e56sutx.eps-soltec.cloud/f/d6aba322369c. Combined with operator-known domains, this rule provides high-confidence phishing delivery detection.
ATT&CK Coverage: T1568.002 (Dynamic Resolution — kit-generated subdomain tokens), T1056.003 (Web Portal Capture)
Confidence: HIGH (URL pattern directly observed in operator phishing infrastructure)
False Positive Risk: MEDIUM — /f/<12-hex> paths appear in other web applications (file download handlers, CDN paths). Should be combined with operator domain list in condition or deployed as a hunt query against known-bad domains rather than as a general-traffic rule.
Deployment: Web proxy URL logs against known operator domains; email gateway URL scanning; DNS-layer domain blocklist correlation.
```yaml
title: Operator Phishing Kit Payload-Fetch URL - /f/[12-hex] Path Pattern
id: 9e1a5f2d-4c73-4b8f-d92e-0b5a3c7f8e64
status: test
description: >-
  Detects access to the operator's phishing kit payload-fetch URLs which follow the
  pattern /f/<12-hex-chars> on operator-controlled Cloudflare-fronted domains. This URL
  shape was directly observed in the CVE-2026-41940 cPanel harvester campaign at
  officebyt.e56sutx.eps-soltec.cloud/f/d6aba322369c and represents the per-victim
  kit-generated token used by the gen-beast-page.py phishing page generator to serve
  individualized phishing clones. The 12-character hex token distinguishes individual
  victim sessions and is generated by the operator's toolkit infrastructure.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.initial-access
  - attack.command-and-control
logsource:
  category: proxy
detection:
  selection_payload_path:
    cs-uri-stem|re: '^/f/[a-f0-9]{12}$'
  selection_operator_domains:
    cs-host|contains:
      - 'eps-soltec.cloud'
      - 'tesaco.sbs'
      - 'checkwithsec.online'
      - 'pernex.online'
      - 'supportsite.info'
      - 'adorarama.com'
      - 'gocomper.com'
      - 'coinbase-co.cc'
      - 'receita-federal.com'
      - 'runwaylander'
      - 'mailmanagement.cfd'
      - 'kwpbby.in'
      - 'mrrbno.shop'
  condition: selection_payload_path and selection_operator_domains
falsepositives:
  - Legitimate web applications on these domains using /f/ file-serve paths (these domains are confirmed operator-controlled phishing infrastructure with no known legitimate use)
  - Security researchers accessing operator phishing pages for analysis
level: high
```
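The three URL-shape rules above (Rules 5, 6 and 7) as one Python classifier, useful for running over an exported proxy URL list or an email-gateway URL feed before the Sigma rules are deployed. This is an added example, not The Hunters Ledger's code. It parses each URL properly rather than substring-matching the raw query string, which is slightly stricter than the Sigma `contains` modifiers (for instance `pkAId=21435268129` would not match here). The account id, the hash and path regexes and the domain list are taken from the rules; the sample URLs are constructed except for the one reported in Rule 7's rationale.

```python
"""Classify URLs against the proxy-log Sigma rules above (Rules 5, 6 and 7) (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

OPERATOR_ACCOUNT_ID = "2143526812"                  # pkAId= / a= value in Rules 5 and 6
CAMPAIGN_HASH_RE = re.compile(r"^[a-f0-9]{64}$")    # s= parameter, Rule 6
PAYLOAD_PATH_RE = re.compile(r"^/f/[a-f0-9]{12}$")  # cs-uri-stem, Rule 7
OPERATOR_DOMAINS = (                                # cs-host|contains list, Rule 7
    "eps-soltec.cloud", "tesaco.sbs", "checkwithsec.online", "pernex.online",
    "supportsite.info", "adorarama.com", "gocomper.com", "coinbase-co.cc",
    "receita-federal.com", "runwaylander", "mailmanagement.cfd", "kwpbby.in",
    "mrrbno.shop",
)


def classify_url(url):
    """Return the list of rule names that fire for one absolute URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Rule 5: the account id as the exact value of the pkAId parameter
    if OPERATOR_ACCOUNT_ID in params.get("pkAId", []):
        hits.append("rule5_parklogic_account_id")
    # Rule 6: a=<account id> together with a 64-hex campaign hash in s=
    if (OPERATOR_ACCOUNT_ID in params.get("a", [])
            and any(CAMPAIGN_HASH_RE.match(s) for s in params.get("s", []))):
        hits.append("rule6_tds_landing_shape")
    # Rule 7: /f/<12-hex> path on an operator-controlled host
    if PAYLOAD_PATH_RE.match(parts.path) and any(d in host for d in OPERATOR_DOMAINS):
        hits.append("rule7_payload_fetch_path")
    return hits


def scan_urls(urls):
    """Map each URL that fires at least one rule to its rule names."""
    findings = {}
    for url in urls:
        hits = classify_url(url)
        if hits:
            findings[url] = hits
    return findings


SAMPLE_URLS = [
    # constructed: operator TDS landing shape with a 64-hex campaign hash
    "https://tds-redirector.example/?d=landing.example&a=2143526812&s=" + "ab" * 32,
    # constructed: same shape but a different Parklogic customer id -> no hit
    "https://tds-redirector.example/?d=landing.example&a=1000000001&s=" + "ab" * 32,
    # constructed: account id carried as pkAId
    "https://park.example/?pkAId=2143526812&ref=landing.example",
    # reported in the campaign write-up (Rule 7 rationale)
    "https://officebyt.e56sutx.eps-soltec.cloud/f/d6aba322369c",
    # constructed: same path shape on an unrelated host -> no hit
    "https://cdn.example/f/d6aba322369c",
]

if __name__ == "__main__":
    for url, hits in scan_urls(SAMPLE_URLS).items():
        print(hits, url)
```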
Rule 8 — Post-WHM-Root Unauthorized SSH Key Addition on cPanel Host
Detection Priority: HIGH
Rationale: After a successful CVE-2026-41940 CRLF auth bypass, the operator’s documented post-exploitation tradecraft includes adding new SSH authorized_keys entries to maintain access on compromised cPanel/WHM hosts. An addition to any ~/.ssh/authorized_keys file on a cPanel/WHM server that does not correspond to an administrator-initiated key management session is a high-confidence indicator of post-compromise persistence.
ATT&CK Coverage: T1098.004 (Account Manipulation: SSH Authorized Keys), T1136.001 (Create Account: Local Account), T1505.003 (Server Software Component: Web Shell)
Confidence: MODERATE (inferred from CVE mechanics and standard post-WHM-root tradecraft — not directly observed from toolkit source)
False Positive Risk: MEDIUM — legitimate key management operations produce the same event. Requires correlation with: (a) absence of a corresponding authorized change-management ticket, (b) timing relative to CVE-2026-41940 exploitation attempts in web logs, or (c) source being the cPanel/WHM service account rather than a human administrator.
Deployment: Linux file integrity monitoring (AIDE, Auditd, Wazuh); EDR file-event logs on cPanel/WHM hosts; Sigma-compatible SIEM with file event indexing.
```yaml
title: Post-CVE-2026-41940 Exploitation - Unauthorized SSH Authorized Keys Modification on cPanel Host
id: 6a4f8e2b-1c95-4d7a-f38d-2e9b0c6a5f17
status: test
description: >-
  Detects modifications to SSH authorized_keys files on Linux cPanel/WHM hosts, which is
  a documented post-exploitation persistence technique following CVE-2026-41940 CRLF auth
  bypass. After obtaining a forged WHM-root cpsessXXXX session token, the operator's
  tradecraft includes adding SSH public keys to maintain persistent access independent of
  the cPanel credential store. This rule is most actionable when correlated with prior
  CVE-2026-41940 exploitation attempts in web access logs.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41940
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.persistence
  - attack.credential-access
  - cve.2026.41940
logsource:
  category: file_event
  product: linux
detection:
  selection_ssh_keys:
    TargetFilename|endswith: '/.ssh/authorized_keys'
  filter_admin_tools:
    Image|contains:
      - '/usr/sbin/sshd'
      - '/usr/bin/ssh-copy-id'
  condition: selection_ssh_keys and not filter_admin_tools
falsepositives:
  - Legitimate administrator key management via ssh-copy-id or direct authorized_keys editing (use change-management correlation to exclude)
  - Automated configuration management tools (Ansible, Puppet, Chef) managing SSH keys
  - CI/CD pipeline deployment keys being rotated
level: high
```
Rule 9 — Post-WHM-Root cPanel Account Creation Outside Admin Session
Detection Priority: HIGH
Rationale: Creation of a new cPanel/WHM user account outside of a logged administrator session is a direct indicator of post-CVE-2026-41940 exploitation. The operator’s gen-cpanel-access.py (6,070 bytes, FAILED hash) is designed to generate cPanel access artifacts post-compromise. New /var/cpanel/users/<username> file creation is the canonical cPanel artifact for a newly-provisioned account.
ATT&CK Coverage: T1136.001 (Create Account: Local Account), T1098 (Account Manipulation)
Confidence: MODERATE (inferred from CVE mechanics and toolkit composition — gen-cpanel-access.py source not observed)
False Positive Risk: MEDIUM — legitimate cPanel resellers provision new accounts. Requires correlation with absence of a corresponding customer signup event in cPanel’s reseller logs. Most actionable on WHM servers not actively onboarding new customers.
Deployment: Linux file integrity monitoring; Auditd on /var/cpanel/users/; Wazuh rules watching /var/cpanel/ directory tree.
```yaml
title: Post-CVE-2026-41940 Exploitation - New cPanel Account Created Outside Admin Session
id: 1b7e3f8a-5c4d-4e9b-a17c-8f2b6e4d0c39
status: test
description: >-
  Detects creation of new cPanel/WHM user account files in /var/cpanel/users/ which is a
  documented post-exploitation persistence and monetization action following CVE-2026-41940
  CRLF auth bypass. The attacker uses a forged WHM-root session token to provision new
  cPanel accounts for persistent access or to add email accounts for phishing infrastructure.
  The operator toolkit at 216.126.227.49 includes gen-cpanel-access.py (6070 bytes) which
  is inferred to generate cPanel access artifacts post-compromise.
references:
  - https://the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/
  - https://nvd.nist.gov/vuln/detail/CVE-2026-41940
author: The Hunters Ledger
date: 2026/05/17
tags:
  - attack.persistence
  - attack.credential-access
  - cve.2026.41940
logsource:
  category: file_event
  product: linux
detection:
  selection_cpanel_user_create:
    TargetFilename|startswith: '/var/cpanel/users/'
    EventType: 'FileCreate'
  filter_whm_admin:
    Image|contains:
      - '/usr/local/cpanel/'
      - '/usr/local/whm/'
  condition: selection_cpanel_user_create and not filter_whm_admin
falsepositives:
  - Legitimate new customer account creation by authorized resellers (correlate against reseller activity logs and customer signup records)
  - cPanel automated processes creating internal system accounts
  - cPanel upgrades creating new system user files
level: high
```
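Both file-event rules above (Rules 8 and 9) say they are most actionable when correlated with earlier CVE-2026-41940 exploitation attempts in the web logs. The Python below, an added example rather than The Hunters Ledger's code, applies each rule's selection and `Image` filter to linux `file_event` records and then counts, per host, the web-log hits (such as the output of Rules 1 to 3) that fall within a 24-hour window before the file event, flagging the finding for escalation when at least one exists. Record field names follow the Sigma rules; the hostnames, paths, process images and timestamps in the sample data are constructed.

```python
"""Apply Sigma Rules 8 and 9 to file events and correlate with earlier web-log hits (added example)."""
from datetime import datetime, timedelta

SSH_KEY_SUFFIX = "/.ssh/authorized_keys"    # Rule 8 selection
CPANEL_USERS_DIR = "/var/cpanel/users/"     # Rule 9 selection
# Image substrings excluded by each rule's filter_* block
RULE8_FILTER = ("/usr/sbin/sshd", "/usr/bin/ssh-copy-id")
RULE9_FILTER = ("/usr/local/cpanel/", "/usr/local/whm/")


def parse_utc(ts):
    """Constructed records carry ISO-8601 timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def match_file_event(ev):
    """Return the matching rule name, or None, for one linux file_event record."""
    target = ev.get("TargetFilename", "")
    image = ev.get("Image", "")
    if target.endswith(SSH_KEY_SUFFIX) and not any(f in image for f in RULE8_FILTER):
        return "rule8_ssh_authorized_keys"
    if (target.startswith(CPANEL_USERS_DIR) and ev.get("EventType") == "FileCreate"
            and not any(f in image for f in RULE9_FILTER)):
        return "rule9_cpanel_account_create"
    return None


def correlate(file_events, web_hits, window=timedelta(hours=24)):
    """For each matching file event, count web-log hits on the same host within
    `window` before the event and escalate when there is at least one."""
    findings = []
    for ev in file_events:
        rule = match_file_event(ev)
        if rule is None:
            continue
        when = parse_utc(ev["UtcTime"])
        prior = [h for h in web_hits
                 if h["host"] == ev["Computer"]
                 and when - window <= parse_utc(h["UtcTime"]) <= when]
        findings.append({"rule": rule, "host": ev["Computer"],
                         "file": ev["TargetFilename"], "image": ev.get("Image", ""),
                         "prior_web_hits": len(prior), "escalate": bool(prior)})
    return findings


# Constructed sample data (hostnames, paths, images and times are invented for the demo)
WEB_HITS = [  # e.g. what Rule 1 produced from the reverse-proxy log of host whm01
    {"host": "whm01", "UtcTime": "2026-05-17T10:02:11Z",
     "rule": "rule1_crlf_attempt", "c-ip": "203.0.113.5"},
]
FILE_EVENTS = [
    # root key file edited from a shell 17 minutes after the web-log hit -> escalate
    {"Computer": "whm01", "UtcTime": "2026-05-17T10:19:40Z", "EventType": "FileModify",
     "TargetFilename": "/root/.ssh/authorized_keys", "Image": "/usr/bin/bash"},
    # ssh-copy-id is excluded by filter_admin_tools -> no match
    {"Computer": "whm02", "UtcTime": "2026-05-17T10:30:00Z", "EventType": "FileModify",
     "TargetFilename": "/home/alice/.ssh/authorized_keys", "Image": "/usr/bin/ssh-copy-id"},
    # account file created by an unexpected process, no web-log context -> match, not escalated
    {"Computer": "whm02", "UtcTime": "2026-05-17T11:00:00Z", "EventType": "FileCreate",
     "TargetFilename": "/var/cpanel/users/newacct", "Image": "/usr/bin/python3"},
    # placeholder cPanel binary under /usr/local/cpanel/ is excluded by filter_whm_admin
    {"Computer": "whm01", "UtcTime": "2026-05-17T11:05:00Z", "EventType": "FileCreate",
     "TargetFilename": "/var/cpanel/users/cust1",
     "Image": "/usr/local/cpanel/bin/placeholder-admin-binary"},
]

if __name__ == "__main__":
    for finding in correlate(FILE_EVENTS, WEB_HITS):
        print(finding)
```

The window is a tuning knob: the rules' own guidance is to correlate against change-management records as well, so in practice a finding with `escalate` false on a WHM server that is not onboarding customers still deserves a look, just at a lower priority.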
Suricata Signatures
Suricata Rule 1 — CVE-2026-41940 cPanel CRLF Auth Bypass Exploitation Attempt
Detection Priority: HIGH
Rationale: Detects CVE-2026-41940 exploitation attempts at the network layer. The CRLF injection occurs in the Authorization: Basic header — the rule matches null bytes, carriage returns, or line feeds embedded after the Base64 credential token. This fires before any session token is issued and is the earliest network-visible indicator of exploitation.
ATT&CK Coverage: T1212 (Exploitation for Credential Access), T1190 (Exploit Public-Facing Application)
Confidence: HIGH
False Positive Risk: LOW — legitimate HTTP Basic authentication does not contain control characters in the credential field. Authorized pen-test scanners (Burp, Nuclei) running against cPanel will trigger.
Deployment: Inline IDS/IPS with HTTP application-layer parsing in front of cPanel/WHM infrastructure; network TAP on cPanel hosting provider perimeter. The rule header uses http (application-layer keyword) with any destination port — catches exploitation on standard ports 2083/2087 and non-standard port migrations without requiring a port list.
```suricata
# The pcre counts a raw CR or LF only when it is not itself followed by CR/LF, so the
# CRLF that terminates each header line in the normalized http_header buffer does not
# match after a legitimate Basic credential. Lines are joined with trailing backslashes.
alert http any any -> any any ( \
    msg:"THL CVE-2026-41940 cPanel WHM CRLF Auth Bypass Attempt - Control Char in Authorization Basic"; \
    flow:established,to_server; \
    content:"Authorization|3a 20|Basic "; http_header; \
    pcre:"/Authorization:\s*Basic\s+[A-Za-z0-9+\/=]*(?:\x00|%00|%0[aAdD]|[\x0a\x0d](?![\x0a\x0d]))/Hi"; \
    reference:cve,2026-41940; \
    reference:url,the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/; \
    classtype:web-application-attack; \
    sid:9100101; rev:1; \
)
```
Suricata Rule 2 — Operator Flask C2 Dashboard Banner Hunt — Werkzeug/3.1.8 + /login-2fa
Detection Priority: HIGH
Rationale: Matches the unique HTTP response banner of the operator’s Flask C2 dashboard. The Server: Werkzeug/3.1.8 Python/3.13.12 header combined with a Location: /login-2fa redirect identifies the operator’s harvest-tracking C2 panel. The endswith modifier on the http.server sticky buffer anchors the match to the tail of the Server header, preventing false matches from Werkzeug substrings appearing mid-string in other Server headers.
ATT&CK Coverage: T1071.001 (Application Layer Protocol: Web Protocols), T1219 (Remote Access Software)
Confidence: HIGH (directly observed from live passive HTTP HEAD against 216.126.227.49:8888 on 2026-05-17 13:53 UTC)
False Positive Risk: LOW — the combination of this exact Werkzeug version, Python version suffix, and /login-2fa redirect path is unlikely in legitimate deployments. Internet-exposed Werkzeug on port 8888 with a 2FA login path is a strong operator indicator.
Deployment: Internet-facing NDR; Zeek http.log streaming to SIEM; Suricata on monitored egress/ingress points; periodic Shodan/Censys banner-match correlation.
alert http any any -> any any (
msg:"THL CVE-2026-41940 Operator Flask C2 Dashboard - Werkzeug/3.1.8 Banner with /login-2fa Redirect";
flow:established,to_client;
http.server;
content:"Werkzeug/3.1.8 Python/3.13.12";
endswith;
nocase;
http.header;
content:"Location|3a 20|/login-2fa";
nocase;
reference:url,the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/;
classtype:trojan-activity;
sid:9100102; rev:1;
)
Suricata Rule 3 — Operator Parklogic TDS Affiliate ID in Outbound HTTP Request
Detection Priority: HIGH
Rationale: Matches outbound HTTP requests containing the operator’s Parklogic TDS affiliate account ID pkAId=2143526812 in the URL. This parameter is constant across all TDS flows from this operator. Firing on this at the network perimeter allows user isolation before the phishing landing page is rendered. The rule header uses http (application-layer keyword) with any destination port — catches traffic on any port, not just port 80.
ATT&CK Coverage: T1583.008 (Acquire Infrastructure: Malvertising), T1480 (Execution Guardrails — TDS rickroll filtering)
Confidence: HIGH
False Positive Risk: LOW — this is a unique Parklogic account identifier. No collision expected with legitimate traffic.
Deployment: Perimeter firewall/IPS; NGFWs with URL inspection; network SSL-inspection proxy with category override on advertising networks.
alert http $HOME_NET any -> any any (
msg:"THL CVE-2026-41940 Operator Parklogic TDS Affiliate ID in Outbound Request";
flow:established,to_server;
http.uri;
content:"pkAId=2143526812";
nocase;
reference:url,the-hunters-ledger.com/reports/opendirectory-216-126-227-49-cve-2026-41940-cpanel-harvester-20260517/;
classtype:social-engineering;
sid:9100103; rev:1;
)
Coverage Gaps
YARA String-Pattern Detection — NOT POSSIBLE (Source Code Unrecoverable)
Gap: String-based and byte-pattern YARA rules against the operator’s 37-file Python/Bash toolkit are impossible for this campaign. The operator’s port-7777 development HTTP server (python -m http.server) was active during the open-directory crawl on 2026-05-12 but went offline within the following ~5 days. The open-directory crawler computed SHA256 hashes in memory only — no source code was ever persisted to disk. There is no byte content to pattern-match against.
What would enable rule creation: Recovery of any toolkit file from an incident-response engagement (disk image acquisition from a compromised cPanel/WHM host, network-capture of an operator file-transfer, or a second operator open-directory exposure with persistence) would enable immediate string-based YARA. The hashes exist and can be used for exact-match rules (already authored above), but content-based rules require the source.
Workaround in this file: The YARA rule TOOLKIT_CpanelHarvester41940_KnownFiles includes a filename-string branch (2-of-7 distinctive operator filename strings together) as a forensic supplement to the hash branch. This provides limited coverage on disk images where the operator’s toolkit is present.
YARA for HTA Payloads on 216.126.224.181 — Not Authored (LOW-MODERATE Operator Attribution)
Gap: Five commodity-malware hashes from the .181 IP (Urcbadur/Alien InfoStealer via CVE-2017-0199; ADKP HTA dropper) were recovered from VirusTotal. These have significant detection coverage (8–34 of 76 engines). YARA rules are not authored here for two reasons:
- The .181 April 2026 activity is LOW-MODERATE operator attribution — the most parsimonious explanation is a different RouterHosting tenant after the primary operator vacated the IP.
- The commodity families already have AV signatures with wide coverage; authoring new rules for them provides minimal incremental detection value.
What would enable rule creation: Evidence confirming the same operator controlled .181 during the April 2026 commodity-malware activity (e.g., WHOIS/infrastructure overlap with the operator’s confirmed org-ID locks, or the same machine-id 6e3644a97f844763a34565b865d35310 appearing in a .181 artifact) would justify authoring operator-attribution YARA for these samples.
cPanel/WHM Audit Log Sigma — Platform-Specific, Not Authored
Gap: Several high-value detection patterns target cPanel-native audit logs (/var/cpanel/accounting.log, /var/cpanel/users/ creation events, email-forwarding rule changes). These require a Sigma logsource of product: cpanel, which is not a standard SigmaHQ-supported category. Platform-specific Sigma rules cannot be submitted to the SigmaHQ upstream repository without custom logsource backend support.
Rules that would be valuable:
- New email-forwarding rule created on a cPanel-hosted mailbox (T1114.003 — Email Forwarding Rule)
- /var/cpanel/accounting.log showing account creation outside a logged administrator session (T1136.001)
- New .php or .cgi file in ~/public_html/ outside the normal deploy window (T1505.003)
What would enable rule creation: Addition of a cpanel product backend to SigmaHQ (or deployment in a SIEM with a custom log-source mapping for cPanel audit logs).
Suricata for CVE-2026-41940 on Cloudflare-Fronted cPanel (TLS Inspection Gap)
Gap: The operator’s newer phishing domains (eps-soltec.cloud, tesaco.sbs) route through Cloudflare. A network-layer Suricata rule for CVE-2026-41940 exploitation attempts will not fire when the attacker targets a Cloudflare-fronted cPanel endpoint — the TLS terminates at Cloudflare, and the upstream authorization header is re-constructed by Cloudflare before forwarding to the origin cPanel server. Only rules deployed at the cPanel origin server (not the perimeter IDS) will see the raw header content.
Mitigation path: Deploy Suricata (or equivalent) as a local listener on the cPanel/WHM server itself, or use cPanel’s built-in ModSecurity WAF with the relevant OWASP/CVE rule set.
Werkzeug C2 Banner — Version-Specific Decay
Gap: The Suricata rule THL CVE-2026-41940 Operator Flask C2 Dashboard - Werkzeug/3.1.8 Banner will stop matching if the operator updates Werkzeug (e.g., to 3.1.9 or 3.2.x) or promotes the dashboard behind nginx/gunicorn (which would suppress the Werkzeug Server header entirely). The /login-2fa redirect path is more durable but could be renamed in a toolkit update.
Hunting supplement: Run a periodic Shodan/Censys query for http.server:"Werkzeug" combined with a 302 redirect to any path containing login-2fa — this gives version-agnostic peer-C2 discovery beyond what the rule catches in live traffic.
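The version-agnostic hunting logic alongside the exact match sid 9100102 makes, as an added Python example that is not part of the report. It classifies constructed HTTP response heads (the Werkzeug/3.2.0 and nginx banners are made-up samples) so the same logic can be run over banner records you already hold, such as a scanner export.

```python
from typing import Dict, Optional, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


# Tail of the Server header that sid 9100102 anchors on with endswith.
EXACT_BANNER = "werkzeug/3.1.8 python/3.13.12"


def classify_banner(raw: bytes) -> Optional[str]:
    """'exact' for what the signature fires on, 'version-agnostic' for the
    hunting supplement (any Werkzeug + 302 to a login-2fa path), else None."""
    status, h = parse_response(raw)
    server = h.get("server", "").lower()
    location = h.get("location", "").lower()
    if not server.startswith("werkzeug/") or "login-2fa" not in location:
        return None  # reverse-proxied (nginx/gunicorn) or renamed path: signal lost
    if server.endswith(EXACT_BANNER) and location.startswith("/login-2fa"):
        return "exact"
    if status == 302:
        return "version-agnostic"
    return None


# Constructed response heads (not captured traffic).
OPERATOR = (b"HTTP/1.1 302 FOUND\r\nServer: Werkzeug/3.1.8 Python/3.13.12\r\n"
            b"Location: /login-2fa\r\nContent-Type: text/html\r\n\r\n")
UPDATED = (b"HTTP/1.1 302 FOUND\r\nServer: Werkzeug/3.2.0 Python/3.13.12\r\n"
           b"Location: /login-2fa?next=%2F\r\n\r\n")
PROXIED = (b"HTTP/1.1 302 Found\r\nServer: nginx/1.24.0\r\n"
           b"Location: /login-2fa\r\n\r\n")
BENIGN = (b"HTTP/1.1 200 OK\r\nServer: Werkzeug/3.1.8 Python/3.13.12\r\n"
          b"Content-Type: text/html\r\n\r\n")
```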
beast-notify.py Notification Channel — Unknown
Gap: The operator’s beast-notify.py (3,960 bytes, SHA256 32b9b9a82913dae5e40842f68791cc639fe690603ccc1d85fe1ae2e99b7bf26b) dispatches per-compromise notifications to an operator-controlled channel. The channel type is unknown (Telegram, Discord webhook, email, or custom HTTPS endpoint). Without source code, no network-layer Suricata rule can be written for the notification channel.
What would enable rule creation: Source recovery of beast-notify.py from an IR engagement would reveal the notification endpoint URL, bot token prefix (if Telegram), or webhook URL format (if Discord) — enabling a targeted Suricata rule for the exfiltration/notification channel.
Operator Scanning Behavior — Linux-Side Process Detection Not Covered
Gap: The operator runs mass_v[4-8].py, masscan-boost.sh, and similar scanning tools from their own Linux box. No Sigma rules are authored for victim-side or defender-side detection of these scanning tools because:
- The scans originate from operator-controlled infrastructure (AS14956 RouterHosting), not from compromised victim hosts.
- Defender visibility into the operator’s own process execution requires access to the operator’s system, which is not a normal defender vantage point.
What would enable rule creation: Network-based detection of the scanning behavior is already partially covered by the Suricata C2 and TDS rules. Full coverage would require the operator’s process creation logs — available only via law enforcement or a honeypot that entices the operator to execute on a monitored system.
License
Detection rules are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.