
TroyDen GitHub Lures, Mr_Rot13 cPanel Exploits & Remus Lumma Stealer: OTX Pulse Analysis

Security Arsenal Team
May 11, 2026

OTX pulses have identified three concurrent high-risk campaigns targeting distinct sectors. The TroyDen group is actively weaponizing GitHub repositories using AI-generated biological taxonomy to distribute LuaJIT-based infostealers (Redline, Lumma) to developers and gamers. Separately, a stealthy actor tracked as Mr_Rot13 is exploiting a critical cPanel vulnerability (CVE-2026-41940) to deploy persistent backdoors on government and defense servers. Finally, the Lumma Stealer ecosystem has evolved with the Remus variant, a 64-bit infostealer utilizing "EtherHiding" for C2 communication to evade takedowns.

Collectively, these threats emphasize a shift toward supply chain compromise (GitHub), infrastructure exploitation (cPanel), and resilient C2 mechanisms (blockchain-hosted resolvers).

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware: LuaJIT, Redline, LummaStealer
  • Distribution: Over 300 GitHub repositories with AI-generated medical/biological names.
  • Payload Behavior: Two-component design; uses Prometheus obfuscator; steals credentials and crypto data.
  • Persistence: N/A (Primarily initial access and execution).

Mr_Rot13

  • Malware: Filemanager RAT, Cpanel-Python
  • Distribution: Exploitation of CVE-2026-41940 (cPanel Authentication Bypass).
  • Payload Behavior: Deploys Go-based installer; injects SSH keys; drops PHP webshells and malicious JavaScript for credential harvesting.
  • Persistence: SSH key injection, webshells within CMS directories (WordPress).

Remus (Lumma Stealer Variant)

  • Malware: Lumma Stealer (64-bit), Tenzor
  • Distribution: Replaced Steam/Telegram resolvers with EtherHiding.
  • Payload Behavior: Steals browser data, crypto wallets; uses application-bound encryption bypasses.
  • C2 Communication: Blockchain-based (EtherHiding) using smart contract transaction data for resolver lookup.

IOC Analysis

The provided indicators include:

  • IPv4 Addresses: 8 specific IPs associated with TroyDen C2 infrastructure (e.g., 89.169.12.241).
  • Domains: 7 domains for Remus/Lumma C2 (e.g., forestoaker.com) and 2 for Mr_Rot13 C2 (e.g., wrned.com).
  • File Hashes: 5 MD5 hashes for Mr_Rot13 payloads and 1 SHA256 for the Remus variant.
  • CVE: CVE-2026-41940.

Operational Guidance: SOC teams should immediately block the listed TroyDen IPs at the firewall/proxy level. Domains associated with Mr_Rot13 and Remus should be sinkholed. The file hashes must be loaded into EDR solutions for quarantine. Given Mr_Rot13's use of CVE-2026-41940, vulnerability scanning for cPanel instances is critical.
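The IOC matching that the guidance above asks SOC teams to perform, written out as an added example (not code from the original post) in Python so it can run over exported proxy or DNS logs offline. The indicators and the actor attribution are taken from the IOC Analysis section; the log lines are constructed, and the host/user/destination column layout is an assumption about the log format. It goes slightly beyond the text by matching domains on a label boundary, so a look-alike such as notforestoaker.com is not reported as a Remus hit the way a plain substring test would.

```python
"""IOC matcher for the pulse's network indicators (added example, not from the original post)."""
import ipaddress
import re
from collections import Counter

# Indicators copied from the pulse above; attribution follows its IOC Analysis section.
TROYDEN_IPS = {
    "89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118",
}
MR_ROT13_DOMAINS = {"wrned.com", "wpsock.com"}
REMUS_DOMAINS = {
    "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
    "coox.live", "remnane.biz", "parky.pics",
}

# Constructed sample proxy log (not real traffic): "<timestamp> <host> <user> <destination> <resolved-ip>"
SAMPLE_LOG = """\
2026-05-12T09:14:02Z ws-dev-17 alice api.github.com 140.82.112.6
2026-05-12T09:14:09Z ws-dev-17 alice cdn.forestoaker.com 203.0.113.40
2026-05-12T09:15:41Z ws-dev-03 bob update.example.net 89.169.12.241
2026-05-12T09:16:00Z web-prod-01 www-data wrned.com 198.51.100.7
2026-05-12T09:16:30Z ws-dev-03 bob notforestoaker.com 203.0.113.41
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<dst>\S+) (?P<ip>\S+)$")


def domain_matches(hostname, domains):
    """True if hostname is one of the IOC domains or a subdomain of one.

    A plain substring test (KQL `contains`) would also flag look-alikes such as
    notforestoaker.com; suffix matching on a label boundary does not.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def attribute(destination, remote_ip):
    """Return the actor a connection is attributed to, or None if it matches no IOC."""
    if remote_ip in TROYDEN_IPS:
        return "TroyDen"
    if domain_matches(destination, MR_ROT13_DOMAINS):
        return "Mr_Rot13"
    if domain_matches(destination, REMUS_DOMAINS):
        return "Remus"
    return None


def hunt(log_text):
    """Parse log lines and return a list of IOC hits with their attribution."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the hunt
        fields = match.groupdict()
        try:
            ipaddress.ip_address(fields["ip"])
        except ValueError:
            continue
        actor = attribute(fields["dst"], fields["ip"])
        if actor is not None:
            hits.append({**fields, "actor": actor})
    return hits


def summarize(hits):
    """Count hits per actor, the view an analyst wants before triage."""
    return dict(Counter(hit["actor"] for hit in hits))


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for hit in results:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} -> {hit["dst"]} ({hit["ip"]}): {hit["actor"]}')
    print(summarize(results))
```

Feed `hunt()` the text of an exported log; the returned dictionaries carry the host and account, which is what the credential-reset step later in this report needs to scope.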

Detection Engineering

Sigma Rules

YAML
---
title: Potential TroyDen GitHub Lure Execution
description: Detects LuaJIT interpreters launched as child processes of Git or GitHub Desktop, the execution path associated with TroyDen's GitHub repository lures.
id: 4b2b4a1c-8f2e-4a3b-9c1d-2e5f6a7b8c9d
status: experimental
date: 2026-05-12
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\luajit.exe'
      - '\lua51.exe'
    ParentImage|endswith:
      - '\GitHubDesktop.exe'
      - '\git.exe'
  condition: selection
falsepositives:
  - Legitimate developer usage of LuaJIT from Git hooks or GitHub Desktop
level: high
tags:
  - attack.execution
  - attack.t1204
---
title: Mr_Rot13 cPanel Exploitation and Webshell
description: Detects cPanel account-setup invocations or the creation of suspicious PHP files in web roots, indicative of CVE-2026-41940 exploitation.
id: 5c3c5b2d-9a3f-5b4c-0d2e-3f6a7b8c9d0e
status: experimental
date: 2026-05-12
author: Security Arsenal
logsource:
  product: linux
  service: auditd
detection:
  selection_cpanel:
    type: 'EXECVE'
    a0|endswith: 'cpanel'
    a1|contains: '--setup-whm-account' # Exploitation often triggers specific setup flows
  selection_webshell:
    type: 'PATH'
    nametype: 'CREATE'
    name|contains:
      - '/public_html/'
      - '/wp-content/'
    name|endswith:
      - 'core.php'
      - 'func.php'
  condition: 1 of selection*
falsepositives:
  - Legitimate cPanel administration
  - Legitimate plugin updates
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2026-41940
---
title: Remus Lumma Stealer C2 Traffic
description: Detects network connections to known domains associated with Remus/Lumma Stealer C2 infrastructure.
id: 6d4d6c3e-0b4a-6c5d-1e3f-4a7b8c9d0e1f
status: experimental
date: 2026-05-12
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection_domains:
    DestinationHostname|endswith:
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'vinte.online'
      - 'coox.live'
      - 'remnane.biz'
      - 'parky.pics'
  condition: selection_domains
falsepositives:
  - Rare (known bad domains)
level: critical
tags:
  - attack.command_and_control
  - attack.t1071

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TroyDen, Mr_Rot13 and Remus network IOCs from the pulse
let TroyDenIPs = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"]);
let MrRot13Domains = dynamic(["wrned.com", "wpsock.com"]);
let RemusDomains = dynamic(["forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics"]);
DeviceNetworkEvents
| where RemoteIP in (TroyDenIPs) or RemoteUrl has_any (MrRot13Domains) or RemoteUrl has_any (RemusDomains)
| extend ThreatActor = case(
    RemoteIP in (TroyDenIPs), "TroyDen",
    RemoteUrl has_any (MrRot13Domains), "Mr_Rot13",
    "Remus")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, ActionType, ThreatActor

PowerShell Hunt Script

PowerShell
# IOC hunt for Mr_Rot13 (MD5) and Remus/Lumma (SHA256) payloads in common user-writable paths
$MD5Hashes_MR_Rot13 = @(
    "02a5990b11293236e01f174f5999df20",
    "22613c952459e65ce09fb6b5c1c03d47",
    "2286f126ab4740ccf2595ad1fa0c615c",
    "29222f5e73dd10088fcf1204aa21f87f",
    "2de27ca8d97124adaf604b18161a441e"
)
$SHA256_Remus = "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d"

Write-Host "[+] Scanning for Mr_Rot13 and Remus payloads..."

# Paths commonly used for staging droppers; extend the list for your environment
$PathsToScan = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
$Findings = @()

foreach ($Path in $PathsToScan) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }
    # -File skips directories, which Get-FileHash cannot hash; -LiteralPath avoids wildcard expansion of odd file names
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        # Get-FileHash returns upper-case hex; -contains and -eq compare strings case-insensitively
        $MD5 = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($MD5 -and ($MD5Hashes_MR_Rot13 -contains $MD5)) {
            Write-Host "[!] ALERT: Mr_Rot13 payload found: $($File.FullName)" -ForegroundColor Red
            $Findings += [pscustomobject]@{ Actor = 'Mr_Rot13'; Path = $File.FullName; Hash = $MD5 }
        }
        $SHA = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($SHA -and ($SHA -eq $SHA256_Remus)) {
            Write-Host "[!] ALERT: Remus (Lumma) payload found: $($File.FullName)" -ForegroundColor Red
            $Findings += [pscustomobject]@{ Actor = 'Remus'; Path = $File.FullName; Hash = $SHA }
        }
    }
}

Write-Host "[+] Scan complete. $($Findings.Count) matching file(s)."
$Findings

Response Priorities

Immediate

  • Block IOCs: Implement immediate blocks on the 8 TroyDen IPv4 addresses and 9 listed domains at the perimeter and DNS layers.
  • Patch Management: Identify and patch any cPanel instances vulnerable to CVE-2026-41940 immediately.
  • Quarantine: Use the provided MD5 and SHA256 hashes to scan endpoints and isolate infected hosts.

24 Hours

  • Credential Reset: If Lumma Stealer or Redline infections are confirmed (TroyDen/Remus), force password resets for developer and privileged accounts.
  • SSH Audit: For Linux servers compromised by Mr_Rot13, audit ~/.ssh/authorized_keys for unauthorized entries.
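The SSH audit step above, as an added example that is not part of the original report: a small Python tool that parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and reports every entry whose fingerprint is not in a baseline of keys your provisioning system knows about. The sample file and the key blobs in it are constructed (the blobs are shaped like ed25519 keys but are not real keys), and the baseline set is an assumption standing in for whatever inventory you keep.

```python
"""Audit authorized_keys against a baseline of approved key fingerprints (added example)."""
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_test_key(seed):
    """Constructed ed25519-shaped public key blob for the sample file; NOT a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -lf prints)."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Split an authorized_keys line into options, key type, comment and fingerprint."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # handles quoted options such as command="..."
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                fp = fingerprint(tokens[i + 1])
            except ValueError:  # binascii.Error is a ValueError: bad base64 is itself worth a look
                fp = "MALFORMED"
            return {
                "options": tokens[:i],
                "type": tok,
                "comment": " ".join(tokens[i + 2:]),
                "fingerprint": fp,
            }
    return None


def audit(authorized_keys_text, baseline):
    """Return (line_number, entry) for every key whose fingerprint is not in the baseline."""
    findings = []
    for number, line in enumerate(authorized_keys_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is not None and entry["fingerprint"] not in baseline:
            findings.append((number, entry))
    return findings


# Constructed sample: one approved admin key and one key nobody provisioned.
ADMIN_KEY = make_test_key(b"admin-laptop")
UNKNOWN_KEY = make_test_key(b"unknown-origin")
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample authorized_keys
ssh-ed25519 {ADMIN_KEY} admin@laptop
command="/usr/bin/true" ssh-ed25519 {UNKNOWN_KEY}
"""
BASELINE = {fingerprint(ADMIN_KEY)}  # assumed: normally exported from your provisioning inventory

if __name__ == "__main__":
    for number, entry in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {number}: unapproved {entry['type']} key {entry['fingerprint']} "
              f"options={entry['options']} comment={entry['comment']!r}")
```

On a real host, call `audit(open(path).read(), baseline)` for each user's ~/.ssh/authorized_keys (and root's); keys with forced-command or no-pty options and no comment deserve the same scrutiny as keys that are simply unknown, since a planted key rarely comes with a helpful comment.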

1 Week

  • GitHub Policy: Review and restrict the execution of binaries downloaded from unverified GitHub repositories within the development environment.
  • Architecture Hardening: Implement application allowlisting (e.g., AppLocker) to prevent the execution of unsigned LuaJIT or Go-based payloads in user directories.
