IOC Radar
SHA256MediumSignal 99/100

cfaac437326ccd27a643359ea0be48c34f88d0b98e8309524f9341f6953a7b88

First Seen
May 11, 2026
Last Seen
Jun 7, 2026
May 11
First Seen
53d ago
Jun 7
Last Seen
26d ago
9
Reports
source reports
99%
Confidence
medium
Found in 9 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-256 Hash
SHA-256 file hash — primary identifier for malware samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA256
Confidence
99%
Signal Score
99 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

11 techniques

Feed Intelligence Summary

9 reports99% confidence
9
Source reports
99%
Confidence score
Category tags
abuse_ch_hashadministrationbackdoorbackdoor/ratbad reputationbotnetbotnet activitybrute forcechecks-hostnamecpanel exploitationcpanel-pythoncredential harvestingcredential stuffingcredential theftdata exfiltrationdata store exposuredata theftdefensedetect-debug-environmentelfexecutable fileexploitation activityfilefile-hashfilemanager ratidentity & access exploitationindicatorinfectorjs codelinuxmalwaremrrot13opencti_label ssh keyspayloadphpphp backdoorransomwareresearchedself-deletesmica83southeast asiassh backdoorsuspt1005t1027t1041t1056.003t1059.004t1070_003t1071.001t1098t1098.004t1119t1140t1190tokentor nodevulnerability scanwebshellwordpress targetingyara

Activity Timeline

1 total obs
Jun 7Jun 7

Threat Activity Heatmap

· Peak: 2026-06-07
Less
More
Mon
Wed
Fri
Jun
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
·
·
·
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat ScoreHigh Risk
99
SIGNAL
Signal Score
99%
Confidence
9
Reports
First seenMay 11, 2026
Last seenJun 7, 2026

VirusTotal

Not checked

WHOIS

description
SHA256 of 29222f5e73dd10088fcf1204aa21f87f
references
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment_cn/, IOCs.csv, https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment/

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 1 month ago · Last seen 26 days ago
Appeared in 9 threat reports