Back to Intelligence

TroyDen & Mr_Rot13: AI-Generated Lures, LuaJIT Infostealers, and cPanel Backdoors — OTX Pulse Analysis

SA
Security Arsenal Team
May 12, 2026
5 min read

Recent OTX pulses highlight a convergence of sophisticated social engineering and critical infrastructure exploitation. The TroyDen threat actor is actively conducting a large-scale campaign utilizing AI-generated lure names based on obscure biological taxonomy to distribute LuaJIT-based infostealers (Redline, Lumma) via GitHub, specifically targeting developers and gamers. Concurrently, the elusive Mr_Rot13 group has been exploiting CVE-2026-41940, a critical authentication bypass in cPanel, to deliver Filemanager RAT and SSH backdoors to government and defense entities. Additionally, the Lumma Stealer ecosystem continues to evolve with the emergence of Remus, a 64-bit variant leveraging EtherHiding (blockchain-based C2) to evade takedowns. Collectively, these campaigns prioritize credential theft, persistent access to Linux servers, and evasion of traditional network defenses.

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware Families: LuaJIT, Redline, LummaStealer.
  • Distribution Method: GitHub repositories hosting over 300 delivery packages with AI-generated medical/taxonomy filenames.
  • Payload Behavior: Two-component design utilizing LuaJIT for execution; employs Prometheus Obfuscator.
  • Persistence: Standard infostealer persistence (scheduled tasks, startup folders) focusing on browser credential harvesting.

Mr_Rot13

  • Malware Families: Filemanager, Cpanel-Python.
  • Distribution Method: Exploitation of CVE-2026-41940 (cPanel auth bypass) and WordPress targeting.
  • Payload Behavior: Deploys a Go-based installer that plants SSH keys, PHP webshells, and JavaScript for credential harvesting.
  • C2 Communication: Utilizes specific domains for C2 and Telegram for exfiltration.

Lumma Stealer (Remus Variant)

  • Malware Families: Remus, Lumma Stealer, AuraStealer.
  • Distribution Method: Shifted from Steam/Telegram resolvers to EtherHiding (using blockchain transactions to hide C2 IPs).
  • Anti-Analysis: New 64-bit architecture support with enhanced anti-analysis checks.

IOC Analysis

The provided IOCs span multiple vectors requiring distinct operational responses:

  • IPv4 Addresses: 9 IPs associated with TroyDen C2 infrastructure (e.g., 89.169.12.241, 213.176.73.80). These should be blocked at the perimeter and firewalls.
  • Domains: Includes C2 domains for Mr_Rot13 (wrned.com, wpsock.com) and Lumma Remus (forestoaker.com, krondez.com). These often leverage specific TLDs (.pics, .online) used for dead drops or C2.
  • CVE Identifier: CVE-2026-41940 is the critical vector for Mr_Rot13. Immediate patching of cPanel instances is mandatory.
  • File Hashes: Multiple MD5 hashes for Mr_Rot13 payloads and a SHA256 for the Remus variant. These are high-fidelity indicators for host-based scanning.

SOC teams should upload these hashes to EDR solutions for threat hunting and block the listed domains via DNS Sinkholing (RPZ). The use of EtherHiding by Lumma suggests that domains may resolve dynamically, necessitating heuristic network detection alongside static IOCs.

Detection Engineering

Sigma Rules

YAML
---
title: Potential TroyDen LuaJIT Execution via GitHub Lure
id: 8a3f1c22-6b8d-4a3e-9f12-1a2b3c4d5e6f
description: Detects execution of LuaJIT processes potentially spawned by TroyDen AI-generated lures targeting developers.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\wluajit.exe'
            - '\lua51.dll'
        ParentImage|contains:
            - '\GitHubDesktop'
            - '\git.exe'
            - '\chrome.exe'
            - '\firefox.exe'
    condition: selection
falsepositives:
    - Legitimate developer usage of LuaJIT
level: high
---
title: Mr_Rot13 cPanel Exploitation and Filemanager RAT
id: 9b4g2d33-7c9e-5b4f-0g23-2b3c4d5e6f0a
description: Detects suspicious process activity indicative of Mr_Rot13 exploiting cPanel or deploying Filemanager RAT.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000001
logsource:
    category: process_creation
    product: linux
detection:
    selection_cpanel:
        Image|contains:
            - '/usr/local/cpanel/'
            - '/cpanel-python'
        CommandLine|contains:
            - 'wget'
            - 'curl'
            - 'chmod +x'
    selection_webshell:
        Image|endswith:
            - '/php'
            - '/python3'
        CommandLine|contains:
            - 'eval'
            - 'base64_decode'
            - 'shell_exec'
    condition: 1 of selection*
falsepositives:
    - Legitimate cPanel administration scripts
level: critical
---
title: Lumma Stealer Remus Variant EtherHiding Activity
id: 0c5h3e44-8d0f-6c5g-1h34-3c4d5e6f0b1c
description: Detects network connections to domains associated with Lumma Remus variant and EtherHiding infrastructure.
status: experimental
date: 2026/05/12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - '.pics'
            - '.online'
            - '.biz'
            - '.live'
        Initiated: 'true'
    filter_legit:
        DestinationHostname|contains:
            - 'microsoft.com'
            - 'google.com'
            - 'apple.com'
    condition: selection and not filter_legit
falsepositives:
    - Generic web browsing to ad trackers
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TroyDen and Mr_Rot13 Network Indicators
let IoC_IPs = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"]);
let IoC_Domains = dynamic(["wrned.com", "wpsock.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics"]);
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, ActionType
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunts for file artifacts associated with Mr_Rot13 and Lumma Remus.
.DESCRIPTION
    Scans specific directories for known malicious file hashes and suspicious filenames.
#>

$TargetHashes = @(
    "02a5990b11293236e01f174f5999df20", # Mr_Rot13 MD5
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d" # Lumma Remus SHA256
)

$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "[+] Starting artifact hunt for TroyDen/Lumma and Mr_Rot13..." -ForegroundColor Cyan

foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Write-Host "[?] Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object {
            !$_.PSIsContainer -and $_.Length -gt 0kb -and $_.Length -lt 10mb
        } | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
            # Fallback heuristic for AI generated lures (bio terms) check logic would go here
            if ($_.Name -match "\.(exe|ps1|bat)$") {
                # Simple heuristic check for obscure medical terms in filenames often used by TroyDen
                if ($_.Name -match "(pathology|anatomy|mycology|taxonomy)") {
                    Write-Host "[!] SUSPICIOUS FILENAME (Heuristic): $($_.FullName)" -ForegroundColor Yellow
                }
            }
        }
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Cyan

Response Priorities

  • Immediate: Block all listed IPv4 addresses and Domains at the firewall and proxy. Initiate emergency patching for CVE-2026-41940 on all cPanel/WHM servers.
  • 24h: Conduct a credential audit for developers and gamers in the environment; rotate API keys and GitHub tokens if compromise is suspected. Hunt for LuaJIT execution logs.
  • 1 week: Implement application control to block unsigned binaries and restrict execution of LuaJIT in developer environments. Review cPanel access logs for evidence of exploitation prior to patching.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptlumma-stealertroydenmr-rot13cpanel-exploitinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action