Back to Intelligence

TroyDen AI-Generated Lures & Mr_Rot13 cPanel Backdoors: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 12, 2026
5 min read

Recent OTX pulses indicate a coordinated surge in credential theft and initial access vectors targeting developers and enterprise infrastructure. The "TroyDen" threat actor is leveraging AI-generated lure names to distribute LuaJIT-based infostealers (Redline, Lumma) via GitHub, specifically targeting gamers and crypto users. Simultaneously, a supply chain attack involving malicious NuGet packages (impersonating Chinese UI libraries) is deploying Quantum and Lumma stealers.

On the infrastructure front, the elusive "Mr_Rot13" group is actively exploiting the critical CVE-2026-41940 cPanel vulnerability to deploy SSH backdoors and webshells on Linux servers. Additionally, a multi-stage AutoIt loader leading to Vidar Stealer has been observed using file masquerading techniques (.dot to .bat). Collectively, these campaigns aim to harvest browser credentials, cryptocurrency wallets, and SSH keys for initial access and ransomware deployment (The Gentleman Ransomware).

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware: LuaJIT, Redline, LummaStealer.
  • Distribution: Over 300 GitHub repositories using AI-generated biological taxonomy names.
  • Behavior: Two-component payload; targets developers and Roblox gamers.
  • C2: Direct IP communication (observed IPs: 89.169.12.241, 213.176.73.80).

Mr_Rot13

  • Malware: Filemanager RAT, Cpanel-Python.
  • Distribution: Exploitation of CVE-2026-41940 in cPanel & WHM.
  • Behavior: Plants SSH keys and PHP webshells; targets Government and Defense sectors in Southeast Asia.
  • Persistence: Cross-platform backdoors via SSH.

Vidar Stealer / AutoIt Loader

  • Malware: Vidar, Arkei.
  • Distribution: Masqueraded "MicrosoftToolkit.exe" hack tools.
  • Technique: Renames .dot files to .bat to evade detection; terminates security processes.

IOC Analysis

The provided IOCs include:

  • IPv4 Addresses: Hardcoded C2 IPs associated with the TroyDen infrastructure (e.g., 94.156.154.6). These should be blocked immediately at the perimeter.
  • Domains: Typosquatted NuGet-related domains (e.g., dns-providersa2.com) and C2 infrastructure (e.g., g8way.io).
  • File Hashes: Numerous SHA256 and MD5 hashes for malicious .NET payloads, AutoIt loaders, and MSI installers.
  • CVEs: CVE-2026-41940 (cPanel Auth Bypass) and CVE-2025-55182 (associated with EtherRat).

SOC teams should operationalize these by loading hashes into EDR quarantine policies and blocking domains/ IPs in firewall and proxy logs. Tools like VirusTotal or Hybrid Analysis can be used for detailed payload decoding.

Detection Engineering

Sigma Rules

YAML
title: Potential TroyDen GitHub Lure Execution via LuaJIT
id: 89a21b3c-6e4d-4f9b-9e1a-123456789012
description: Detects execution of LuaJIT processes often used by TroyDen campaigns, specifically spawning from Git-related directories or unusual parent processes.
status: experimental
date: 2026/05/12
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\luajit.exe'
      - '\lua52.exe'
    ParentImage|contains:
      - '\GitHub Desktop'
      - '\git-'
  filter_legit_dev:
    CommandLine|contains:
      - 'test'
      - 'build'
  condition: selection and not filter_legit_dev
falsepositives:
  - Legitimate developer usage of Lua
level: high
tags:
  - attack.execution
  - attack.t1059.001
---
title: Malicious NuGet Package Installation Supply Chain
id: b72e9c4d-5f8a-3a1b-0c2d-987654321098
description: Detects the installation of NuGet packages from suspicious accounts or impersonating Chinese UI libraries, followed by network connections to known C2 domains.
status: experimental
date: 2026/05/12
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_nuget:
    Image|endswith:
      - '\nuget.exe'
      - '\dotnet.exe'
    CommandLine|contains:
      - 'install'
      - 'add package'
  selection_suspicious_names:
    CommandLine|contains:
      - 'bmrxntfj' # Known malicious actor account from pulse
  condition: selection_nuget and selection_suspicious_names
falsepositives:
  - Legitimate package restores
level: critical
tags:
  - attack.initial_access
  - attack.t1195.002
---
title: AutoIt Masquerading as Batch or Office Files
id: c1f3a5b8-7d4e-2a9c-1e4f-112233445566
description: Detects AutoIt interpreter executing files with mismatched extensions (e.g., .bat or .doc), a technique used by the Vidar Stealer loader.
status: experimental
date: 2026/05/12
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_autoit:
    Image|endswith:
      - '\autoit3.exe'
      - '\aut2exe.exe'
  selection_masquerade:
    CommandLine|contains:
      - '.bat'
      - '.doc'
      - '.dot'
  condition: selection_autoit and selection_masquerade
falsepositives:
  - Low
level: high
tags:
  - attack.defense_evasion
  - attack.t1036.005

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TroyDen C2 IPs and NuGet Domains
let IOCs = pack_array("89.169.12.241", "213.176.73.80", "dns-providersa2.com", "g8way.io", "wrned.com");
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt for TroyDen, Vidar, and Mr_Rot13 artifacts
$Hashes = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "7ac9278876c83c9b597fae68acb6fbf9", # Vidar AutoIt MD5
    "02a5990b11293236e01f174f5999df20"  # Mr_Rot13 MD5
)

$IPs = @("89.169.12.241","213.176.73.80","217.119.129.76")

Write-Host "Checking for active network connections to known C2 IPs..."
Get-NetTCPConnection | Where-Object {$IPs -contains $_.RemoteAddress} | Select-Object LocalPort, RemoteAddress, State, OwningProcess

Write-Host "Scanning common download/appdata directories for malicious file hashes..."
$Paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 0} | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) - Hash: $Hash" -ForegroundColor Red
            }
        }
    }
}


# Response Priorities

*   **Immediate:** Block all listed IPv4 addresses and domains at the firewall and proxy. Scan endpoints for the provided file hashes.
*   **24 Hours:** Audit all installed NuGet packages for versions associated with the account `bmrxntfj`. If credential-thealing malware is confirmed, force password resets for sensitive accounts and rotate SSH keys on Linux servers.
*   **1 Week:** Patch cPanel instances to address CVE-2026-41940. Review and restrict the use of GitHub repositories within the developer environment to vetted sources only.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialslumma-stealercpanel-exploitationai-generated-luressupply-chain-attackvidar-stealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action