Recent OTX pulse data reveals a convergence of sophisticated credential theft campaigns targeting both end-users and infrastructure. The "TroyDen" threat actor has operationalized an AI-assisted lure factory on GitHub, using obfuscated biological taxonomy to deliver LuaJIT-based payloads (Redline, Lumma) to developers and gamers. Concurrently, the elusive "Mr_Rot13" group is actively exploiting CVE-2026-41940, a critical cPanel authentication bypass, to plant SSH backdoors and webshells on government and defense servers. This is compounded by the emergence of "Remus," a 64-bit evolution of the Lumma Stealer now utilizing EtherHiding for C2 communication. Collectively, these actors demonstrate a shift toward complex initial access vectors involving supply chain compromise (GitHub) and critical infrastructure exploitation (cPanel) to deploy persistent infostealers.
Threat Actor / Malware Profile
TroyDen (Lure Factory)
- Malware Families: LuaJIT, Redline, LummaStealer.
- Distribution Method: Over 300 GitHub repositories using AI-generated names (biological/medical terms) to lure developers and crypto users.
- Payload Behavior: Two-component design utilizing LuaJIT for execution and loading secondary payloads. Focuses on credential theft and browser data extraction.
- C2 Communication: Direct IP communication to hardcoded infrastructure.
- Anti-Analysis: Uses Prometheus obfuscator to hide LuaJIT code.
Mr_Rot13
- Malware Families: Filemanager, Cpanel-Python (Go-based).
- Distribution Method: Exploitation of CVE-2026-41940 in cPanel & WHM.
- Payload Behavior: Deploys a Go-based installer that injects SSH keys for persistence, drops PHP webshells, and installs malicious JavaScript for credential harvesting.
- Persistence Mechanism: SSH key injection, webshell placement on compromised servers.
- Targeting: Government, Defense, and Southeast Asian entities.
Remus (Lumma Stealer 64-bit)
- Malware Families: Lumma Stealer, Tenzor, Remus.
- Distribution Method: Continuation of Lumma operations, shifting from Steam/Telegram dead drops to EtherHiding.
- Payload Behavior: 64-bit infostealer with enhanced anti-analysis checks and application-bound encryption bypass capabilities.
- C2 Communication: Blockchain-based resolution via EtherHiding.
IOC Analysis
The provided indicators encompass a range of infrastructure and artifacts:
- IPv4 Addresses: C2 nodes associated with the TroyDen operation (e.g., 89.169.12.241). These should be blocked immediately at perimeter firewalls.
- Domains: Used for C2 and payload resolution by the Remus/Lumma variant (e.g., forestoaker.com) and Mr_Rot13 (e.g., wrned.com).
- CVE: CVE-2026-41940 indicates a specific vulnerability requiring patch validation on cPanel instances.
- File Hashes (MD5/SHA256): Fingerprints for the Go-based payload installers and the 64-bit Remus stealer binary.
Operationalization: SOC teams should ingest these IOCs into their EDR and SIEM solutions. Use TIPs to correlate these hashes with internal execution logs. Network logs should be queried for connections to the listed IP ranges and domains.
Detection Engineering
```yaml
---
title: Potential TroyDen Malware Activity - LuaJIT Execution
id: 7a8b9c0d-1234-5678-9abc-1a2b3c4d5e6f
status: experimental
description: Detects the execution of LuaJIT which is used by the TroyDen threat actor to load infostealers like Lumma and Redline.
author: Security Arsenal
date: 2026/05/12
references:
  - https://otx.alienvault.com/pulse/...
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # process_creation events carry the launched executable in Image; a DLL
    # such as lua51.dll never appears here and would need a separate image_load rule.
    Image|endswith: '\luajit.exe'
    # Inline script execution. The surrounding spaces keep the rule from firing on
    # every command line that merely contains the substring "-e".
    CommandLine|contains: ' -e '
  condition: selection
falsepositives:
  - Legitimate developer usage of LuaJIT
level: high
```
```yaml
---
title: Mr_Rot13 cPanel Backdoor Persistence via SSH Keys
id: 8b9c0d1e-2345-6789-abcd-2b3c4d5e6f7a
status: experimental
description: Detects modification of SSH authorized_keys files by web server processes, indicative of cPanel exploitation (CVE-2026-41940) by Mr_Rot13.
author: Security Arsenal
date: 2026/05/12
references:
  - https://otx.alienvault.com/pulse/...
tags:
  - attack.persistence
  - attack.t1098
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains: '/.ssh/authorized_keys'
    Image|endswith:
      - '/httpd'
      - '/nginx'
      - '/cpsrvd'
  condition: selection
falsepositives:
  - Administrative automation scripts
level: critical
```
```yaml
---
title: Lumma Stealer Remus Variant - C2 Traffic
id: 9c0d1e2f-3456-7890-bcde-3c4d5e6f7a8b
status: experimental
description: Detects network connections to known domains associated with the Remus (Lumma 64-bit) infostealer variant.
author: Security Arsenal
date: 2026/05/12
references:
  - https://otx.alienvault.com/pulse/...
tags:
  - attack.exfiltration
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'vinte.online'
      - 'coox.live'
      - 'remnane.biz'
  condition: selection
falsepositives:
  - Unknown
level: high
```
```kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
// RemoteUrl may carry a subdomain or full URL, so match the domain as a term
// rather than requiring exact equality; RemoteIP is compared exactly.
| where RemoteUrl has_any ("forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "wrned.com", "wpsock.com")
    or RemoteIP in ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```
```powershell
# Hunt for TroyDen and Lumma Remus Artifacts
# MD5 and SHA256 indicators are kept apart so each file is compared with the
# matching digest (a SHA256 value can never equal an MD5 hash of the file).
$IOC_MD5 = @(
    "02a5990b11293236e01f174f5999df20",
    "22613c952459e65ce09fb6b5c1c03d47",
    "2286f126ab4740ccf2595ad1fa0c615c",
    "29222f5e73dd10088fcf1204aa21f87f",
    "2de27ca8d97124adaf604b18161a441e"
)
$IOC_SHA256 = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d"
)
$BadIPs = @("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118")

Write-Host "Scanning for Malicious File Hashes..."
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        # -contains is case-insensitive, so the uppercase Get-FileHash output matches the lists as written
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($IOC_MD5 -contains $md5) { return $true }
        $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $IOC_SHA256 -contains $sha256
    } |
    Select-Object FullName, Length

Write-Host "Checking for Suspicious Network Connections..."
Get-NetTCPConnection -State Established |
    Where-Object { $BadIPs -contains $_.RemoteAddress } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
```
Response Priorities
Immediate:
- Block all listed IP addresses and domains at network perimeter firewalls and proxies.
- Scan web servers for signs of CVE-2026-41940 exploitation and check ~/.ssh/authorized_keys for unknown entries.
- Initiate hunts for LuaJIT execution on developer workstations.
24h:
- If credential-theft malware (Redline/Lumma) is suspected, enforce forced password resets and MFA re-enrollment for affected accounts.
- Review GitHub repository access logs for downloads from suspicious repositories associated with TroyDen.
1 week:
- Patch all cPanel instances to address CVE-2026-41940.
- Implement stricter code-signing policies or application whitelisting for developer environments to prevent execution of unauthorized Lua binaries.
- Conduct a review of external-facing web applications for credential harvesting JavaScript injections.
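The authorized_keys check above, and the SSH-key persistence the Mr_Rot13 profile describes, as an added example that is not part of the original report: a POSIX shell audit that normalizes every key line on a cPanel host (root plus each account home) and reports entries absent from an allowlist file in authorized_keys format. Key values below are constructed placeholders, not indicators.

```shell
#!/bin/sh
# Added example (not from the original report): audit authorized_keys files on
# a cPanel host against an allowlist of known-good public keys and flag any
# entry that is not on it. All sample keys are constructed placeholders.

# Print "keytype blob" for every active line of an authorized_keys file,
# tolerating leading options such as command="..." or from="...".
extract_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)$/) {
                print $i, $(i + 1); break } }' "$1"
}
# Print keys present in $1 but absent from allowlist $2 (any file in
# authorized_keys format); prints nothing when every key is known.
unknown_keys() {
    norm=$(mktemp)
    extract_keys "$2" > "$norm"
    extract_keys "$1" | grep -vxF -f "$norm" || true
    rm -f "$norm"
}
# Walk the usual cPanel locations (root plus every account home) and report
# unknown keys; returns 1 if any were found so the call can gate a pipeline.
audit_host() {
    rc=0
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        u=$(unknown_keys "$f" "$1")
        [ -z "$u" ] && continue
        rc=1
        printf '%s\n' "$u" | while IFS= read -r k; do printf 'UNKNOWN KEY in %s: %s\n' "$f" "$k"; done
    done
    return $rc
}
# Constructed demo: a managed key plus an appended restricted-option entry of
# the kind a persistence installer would add. Prints the number of unknown keys.
demo() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERknownkey0000000000000000 ops@corp\n' > "$d/allow"
    {
        printf '# managed by ops\n'
        cat "$d/allow"
        printf 'no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERunknownkey000 x\n'
    } > "$d/authorized_keys"
    unknown_keys "$d/authorized_keys" "$d/allow" | wc -l | tr -d ' '
    rm -rf "$d"
}
```

Run `audit_host /path/to/managed_authorized_keys` on each cPanel host; a non-zero exit means at least one key that operations did not provision is present.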