Threat Summary
Recent OTX pulses indicate a convergence of sophisticated supply chain attacks and critical infrastructure exploitation. Three distinct threat clusters—TroyDen, FAMOUS CHOLLIMA (North Korean APT), and Mr_Rot13—are actively leveraging trust in developer ecosystems (GitHub, npm) and unpatched management interfaces (cPanel).
The collective objective of these campaigns is the establishment of persistent access and credential theft. TroyDen and FAMOUS CHOLLIMA focus on the software supply chain, using AI-generated lures and typosquatting packages to deliver LuaJIT-based infostealers (LummaStealer, Redline, OtterCookie). Meanwhile, Mr_Rot13 is exploiting a critical cPanel vulnerability (CVE-2026-41940) to weaponize Linux servers with SSH backdoors and webshells, targeting Government and Defense sectors.
Threat Actor / Malware Profile
TroyDen (Lure Factory)
- Malware Families: LuaJIT, Redline, LummaStealer.
- Distribution: GitHub repositories using AI-generated biological taxonomy names to entice developers and gamers. Uses a two-component payload structure.
- Behavior: Credential theft, data exfiltration.
- Anti-Analysis: Uses Prometheus obfuscator.
FAMOUS CHOLLIMA
- Malware Families: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
- Distribution: Malicious npm packages (e.g., typosquats of big.js). Uses a "two-layer" strategy: benign wrapper packages that pull malicious dependencies.
- Behavior: Infostealing (cookies, passwords), establishing SSH backdoors.
- C2: Reported usage of Vercel for C2 infrastructure.
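The "two-layer" wrapper pattern above can be audited from a lockfile. The following is an added example, not code from the pulse or from Security Arsenal: it walks a package-lock.json (lockfileVersion 2/3 "packages" map), flags names within a small edit distance of a watched name such as big.js or packages that npm marks as having install-time scripts, and reports which wrapper pulled each one in. The lockfile fragment and its package names are constructed.

```python
# Added example (not from the pulse or the Security Arsenal page): audits a
# package-lock.json (lockfileVersion 2/3 "packages" map) for the two-layer
# pattern described above: a harmless-looking wrapper whose dependency is a
# typosquat of a watched name (big.js) and/or runs an install-time script.
WATCHED = {"big.js"}        # legitimate names the page says are typosquatted

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 character differences are typical typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def pkg_name(path: str) -> str:
    # 'node_modules/a/node_modules/b' -> 'b'; the root entry '' -> '<root>'
    return path.split("node_modules/")[-1] or "<root>"

def audit_lock(lock: dict, max_dist: int = 2) -> list[dict]:
    """Return one finding per suspicious package, with the chain that pulled it in."""
    packages = lock.get("packages", {})
    parents = {}                                  # dependency name -> declaring packages
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            parents.setdefault(dep, []).append(pkg_name(path))
    findings = []
    for path, meta in packages.items():
        if not path:                              # skip the project's own root entry
            continue
        name, reasons = pkg_name(path), []
        for legit in WATCHED:
            if name != legit and edit_distance(name, legit) <= max_dist:
                reasons.append(f"typosquat of {legit}")
        if meta.get("hasInstallScript"):          # npm sets this for pre/post/install hooks
            reasons.append("runs install-time script")
        if reasons:
            findings.append({"name": name, "via": parents.get(name, ["<root>"]), "reasons": reasons})
    return findings

SAMPLE_LOCK = {  # constructed lockfile fragment; package names are invented
    "packages": {
        "": {"name": "app", "dependencies": {"nice-helpers": "^1.0.0", "big.js": "^6.0.0"}},
        "node_modules/big.js": {"version": "6.2.1"},
        "node_modules/nice-helpers": {"version": "1.0.0", "dependencies": {"bigjs": "^1.0.1"}},
        "node_modules/bigjs": {"version": "1.0.1", "hasInstallScript": True},
    }
}
```

Run `audit_lock` over `json.load(open("package-lock.json"))` in a CI step; the `via` field shows the wrapper that introduced the flagged package.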
Mr_Rot13
- Malware Families: Filemanager (RAT), Cpanel-Python.
- Distribution: Exploitation of CVE-2026-41940 (cPanel Authentication Bypass).
- Persistence: SSH key injection, PHP webshells.
- Targeting: Government, Defense, and Southeast Asia entities.
- Exfiltration: Telegram API.
IOC Analysis
The provided indicators cover infrastructure and payload artifacts:
- IPv4 Addresses (TroyDen): 8 specific IPs (e.g., 89.169.12.241, 213.176.73.80) serving as C2 or download servers.
- Domains (Mr_Rot13): wrned.com, wpsock.com, associated with C2 or payload delivery.
- CVE: CVE-2026-41940 (cPanel).
- File Hashes (MD5): 5 specific hashes for the Mr_Rot13 Go-based payload installer.
Operational Guidance: SOC teams should immediately block the listed IPs and Domains at the firewall/proxy level. The MD5 hashes should be added to EDR exclusion allow-lists for investigation purposes and blocked in DLP solutions. CVE-2026-41940 requires immediate patching on all cPanel instances.
Detection Engineering
```yaml
title: Potential TroyDen LuaJIT Infostealer Execution
id: 5e8a9c1b-2d3f-4a5e-8b9c-1d2e3f4a5b6c
description: Detects execution of LuaJIT binaries often used by TroyDen to deliver LummaStealer or Redline, specifically from download directories or via obfuscated chains.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a2f1b2c0e8e1e3b4c5d6
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\luajit.exe'
            - '\wluajit.exe'
    # lua51.dll is a loaded module, not a process image, so it cannot match Image
    # in process_creation; cover it with a separate image_load rule on ImageLoaded.
    condition: selection
falsepositives:
    - Legitimate developer usage of LuaJIT
level: high
```

```yaml
title: Suspicious NPM Child Process - OtterCookie/Famous Chollima
id: 6f9b0d2c-3e4g-5h6i-0j1k-2l3m4n5o6p7q
description: Detects npm or node.exe spawning a shell (cmd or powershell), a common behavior in malicious npm packages like OtterCookie to execute post-install scripts.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a2f1b2c0e8e1e3b4c5d7
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    # The parent/child pair must be expressed on different fields; matching both
    # on Image can never be true at the same time.
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'   # note: npm.cmd runs under cmd.exe, so the parent usually appears as node.exe
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate build scripts
level: medium
```

```yaml
title: Linux SSH Authorized Keys Modification - Mr_Rot13 Persistence
id: 7g0c1e3d-4f5h-6i7j-8k9l-0m1n2o3p4q5r
description: Detects modification of authorized_keys files on Linux, indicative of SSH backdoor persistence used by Mr_Rot13 following cPanel exploitation.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a2f1b2c0e8e1e3b4c5d8
tags:
    - attack.persistence
    - attack.t1098.004
logsource:
    product: linux
    service: auditd
detection:
    # Requires an audit watch on the key files (e.g. -w /root/.ssh/authorized_keys -p wa
    # and per-user watches under /home); the PATH record carries the file name.
    selection:
        type: 'PATH'
        name:
            - '/home/*/.ssh/authorized_keys'
            - '/root/.ssh/authorized_keys'
    condition: selection
falsepositives:
    - Legitimate user key management
level: high
```
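A Sigma PATH match on its own does not say whether the file was actually changed; the SYSCALL record of the same audit event carries the result and the open flags. The following is an added example, not code from the pulse or from Security Arsenal, that correlates auditd SYSCALL and PATH records by event serial and reports only successful write-mode openat() or rename() calls on a user's authorized_keys. The log lines are constructed; the syscall numbers assume x86_64.

```python
# Added example (not from the pulse or the Security Arsenal page): correlates
# auditd SYSCALL and PATH records by event serial and reports successful
# write-mode openat() or rename() calls on a user's ~/.ssh/authorized_keys, the
# SSH persistence step the rule above targets. Log lines are constructed.
import re
from collections import defaultdict

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPENAT, RENAME = 257, 82           # x86_64 syscall numbers
O_ACCMODE = 0x3                    # low bits of openat flags: O_WRONLY=1, O_RDWR=2

def parse_record(line: str) -> dict:
    """Split 'key=value' pairs; the event serial lives in msg=audit(ts:serial)."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["serial"] = rec["msg"].split(":")[1].rstrip("):")
    return rec

def find_key_writes(lines: list[str]) -> list[dict]:
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    hits = []
    for serial, recs in events.items():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("success") != "yes":
            continue                 # a denied attempt is worth logging, but it is not persistence
        nr = int(sysc.get("syscall", "-1"))
        flags = int(sysc.get("a2", "0"), 16)      # a2 holds the flags argument of openat
        if not (nr == RENAME or (nr == OPENAT and flags & O_ACCMODE)):
            continue                 # read-only opens (e.g. sshd checking the key) are ignored
        for p in recs:
            if p["type"] == "PATH" and p.get("name", "").endswith("/.ssh/authorized_keys"):
                hits.append({"serial": serial, "path": p["name"], "uid": sysc.get("uid"),
                             "comm": sysc.get("comm"), "exe": sysc.get("exe")})
    return hits

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1715680000.123:4001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a3f2a0 a2=241 a3=1a4 uid=1001 auid=1001 comm="sh" exe="/usr/bin/dash" key="ssh_keys"
type=PATH msg=audit(1715680000.123:4001): item=1 name="/home/web1/.ssh/authorized_keys" inode=262210 mode=0100600 nametype=NORMAL
type=SYSCALL msg=audit(1715680100.500:4002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0a1b2c30 a2=80000 a3=0 uid=0 auid=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="ssh_keys"
type=PATH msg=audit(1715680100.500:4002): item=0 name="/home/web1/.ssh/authorized_keys" inode=262210 mode=0100600 nametype=NORMAL
"""
```

Only the first event (a shell opening the file with O_WRONLY|O_CREAT|O_TRUNC) is reported; sshd's read-only open of the same file in the second event is dropped.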
```kql
// Hunt for TroyDen C2 IPs and Mr_Rot13 Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP has_any ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118")
    or RemoteUrl has_any ("wrned.com", "wpsock.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
```
```powershell
# Mr_Rot13 Payload Hunt Script
# Checks for specific MD5 hashes associated with the Go-based installer
$targetHashes = @(
    "02a5990b11293236e01f174f5999df20",
    "22613c952459e65ce09fb6b5c1c03d47",
    "2286f126ab4740ccf2595ad1fa0c615c",
    "29222f5e73dd10088fcf1204aa21f87f",
    "2de27ca8d97124adaf604b18161a441e"
)
Write-Host "Scanning for Mr_Rot13 Payload Hashes..." -ForegroundColor Yellow
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "Scanning $drive..." -ForegroundColor Cyan
    # Only hash non-empty files under 10 MB to keep the full-disk walk tractable
    Get-ChildItem -Path $drive -Recurse -ErrorAction SilentlyContinue -File |
        Where-Object { $_.Length -gt 0KB -and $_.Length -lt 10MB } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($targetHashes -contains $hash) {
                Write-Host "[!] MALWARE DETECTED: $($_.FullName)" -ForegroundColor Red
            }
        }
}
Write-Host "Scan Complete." -ForegroundColor Green
```
Response Priorities
Immediate (0-24h):
- Block IOCs: Add all TroyDen IPv4s and Mr_Rot13 domains to network blocklists.
- Patch: Identify and patch all cPanel instances against CVE-2026-41940 immediately.
- Hunt: Run the PowerShell script on endpoints to check for Mr_Rot13 payloads.
24 Hours:
- Credential Reset: If developer or admin workstations show signs of compromise (TroyDen/FAMOUS CHOLLIMA), force reset of all credentials (GitHub, npm, internal systems).
- Audit: Review npm and GitHub package usage in CI/CD pipelines for the malicious packages mentioned.
1 Week:
- Architecture: Implement stricter code review policies for open-source dependencies (Software Composition Analysis).
- Segmentation: Ensure cPanel management interfaces are not reachable from the internet, or are restricted to specific IP ranges.