TTPwire Vol. 1 · MITRE ATT&CK·Tagged

The Hacker News

Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

The Hacker News · 2 days ago

ATT&CK techniques detected

4 predictions
T1190 Exploit Public-Facing Application · 97%
“critical cpanel vulnerability weaponized to target government and msp networks a previously unknown threat actor has been observed targeting government and military entities in southeast asia, alongside a smaller cluster of managed service providers ( msps ) and hosting providers…”

T1190 Exploit Public-Facing Application · 90%
“persistent access to internal victim networks. " the actor built a durable access layer using openvpn, ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of chinese railway - sector documents, " ctrl - alt …”

T1190 Exploit Public-Facing Application · 81%
“. in addition, ctrl - alt - intel revealed that the threat actor used a separate custom exploit chain for an indonesian defense sector training portal prior to the cpanel attacks, employing a combination of authenticated sql injection and remote code execution. in this case, the …”

T1584.008 Network Devices · 33%
“persistent access to internal victim networks. " the actor built a durable access layer using openvpn, ligolo, systemd persistence, and then used that access to pivot into an internal network and exfiltrate a substantial corpus of chinese railway - sector documents, " ctrl - alt …”

Summary

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the