
TroyDen, Mr_Rot13 & Lumma Remus: AI-Generated GitHub Lures, cPanel Exploits, and Stealer Evolution

Security Arsenal Team
May 12, 2026

Recent OTX pulses indicate a convergence of sophisticated delivery mechanisms and legacy exploitation techniques aimed at credential harvesting. The threat landscape is dominated by the following distinct, high-impact campaigns:

  1. TroyDen's "Lure Factory": A mass campaign leveraging AI-generated biological taxonomy to mask malicious packages on GitHub. This campaign distributes LuaJIT-wrapped payloads of Redline and LummaStealer, specifically targeting developers and gamers. The use of AI allows rapid generation of unique, benign-sounding repository names to bypass reputation-based filtering.

  2. Mr_Rot13's cPanel Campaigns: An elusive threat actor active for six years is exploiting a critical authentication bypass (CVE-2026-41940) in cPanel. This campaign targets government and defense sectors in Southeast Asia, deploying Go-based installers that establish SSH backdoors and webshells for long-term persistence.

  3. Lumma Stealer (Remus Variant): Following the takedown of core Lumma infrastructure, a 64-bit variant named "Remus" has emerged utilizing "EtherHiding"—using the blockchain for C2 communication—to evade traditional network detection.

Collective Objective: Credential theft (browser cookies, crypto wallets, SSH keys) and establishing persistent access on Linux and Windows endpoints.

Threat Actor / Malware Profile

TroyDen

  • Malware Families: LuaJIT, Redline, LummaStealer.
  • Distribution: Supply chain attack via GitHub repositories. Uses AI to generate package names based on obscure biological/medical terms.
  • Payload Behavior: Two-component design. Initial downloader retrieves the LuaJIT-based infostealer.
  • C2 Communication: Standard HTTP/HTTPS to hardcoded IP infrastructure.

Mr_Rot13

  • Malware Families: Filemanager (RAT), Cpanel-Python (Go-based).
  • Distribution: Exploitation of CVE-2026-41940 (cPanel Authentication Bypass).
  • Payload Behavior: Drops malicious JavaScript for credential harvesting, plants authorized SSH keys, and deploys PHP webshells.
  • Persistence: SSH keys and scheduled tasks/systemd services on Linux.

Remus (Lumma Stealer v2)

  • Malware Families: Lumma Stealer (64-bit).
  • Distribution: Likely continues previous Lumma vectors (Steam cracks, fake browsers), enhanced with EtherHiding.
  • Payload Behavior: 64-bit infostealer capable of bypassing Application-Bound Encryption.
  • C2 Communication: EtherHiding (Blockchain-based C2) and fallback to standard domains.

IOC Analysis

The provided IOCs include:

  • IPv4 Addresses (TroyDen): C2 servers for the LuaJIT/Redline payload. High confidence of malicious intent.
  • Domains (Mr_Rot13 & Remus): Used for C2 communication, payload delivery, and potentially Telegram exfiltration endpoints.
  • CVE-2026-41940: A critical vulnerability identifier specific to cPanel.
  • File Hashes (MD5/SHA256): Known malicious samples for the Go-based installer (Mr_Rot13) and the Remus stealer.

Operationalization:

  • SOC/EDR: Block the listed IPs and Domains immediately at the firewall and proxy.
  • Vulnerability Management: Scan for cPanel instances vulnerable to CVE-2026-41940.
  • Threat Hunting: Use the file hashes to hunt for dropped payloads in temp directories or user downloads.

Detection Engineering

```yaml
title: LuaJIT Execution from Scripting Host
date: 2026/05/13
description: Detects execution of LuaJIT often associated with TroyDen Redline/Lumma delivery
# Process creation telemetry (Sysmon Event ID 1 / EDR equivalent)
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\luajit.exe'
      - '\luajit'
    ParentImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\python.exe'
  condition: selection
falsepositives:
  - Legitimate developer use of LuaJIT
level: high
status: stable
tags:
  - attack.execution
  - attack.t1059.001
---
title: cPanel Webshell Creation or Modification
date: 2026/05/13
description: Detects potential cPanel exploitation via webshell creation or modification associated with Mr_Rot13
# File creation/modification telemetry from the Linux web host
logsource:
  category: file_event
  product: linux
detection:
  selection_file:
    TargetFilename|contains:
      - '/public_html/'
      - '/www/'
    Image|endswith:
      - '/httpd'
      - '/apache2'
  selection_keyword:
    TargetFilename|contains:
      - 'config.php'
      - 'index.php.bak'
  condition: 1 of selection_*
falsepositives:
  - Legitimate web admin activity
level: high
status: stable
tags:
  - attack.persistence
  - attack.t1505.003
---
title: Remus/Lumma C2 Connection
date: 2026/05/13
description: Detects network connections to Remus/Lumma C2 domains and EtherHiding infrastructure
logsource:
  category: network_connection
  product: windows
detection:
  selection_ip:
    # Single host plus two /24 prefixes; the trailing dot keeps the prefix match on an octet boundary
    DestinationIp|startswith:
      - '89.169.12.241'
      - '213.176.73.'
      - '217.119.129.'
  selection_domain:
    DestinationHostname|endswith:
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'vinte.online'
      - 'coox.live'
      - 'remnane.biz'
      - 'parky.pics'
  condition: 1 of selection_*
falsepositives:
  - Rare, unless network allows access to specific sinkholes
level: critical
status: stable
tags:
  - attack.command_and_control
  - attack.t1071.001
```
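To show exactly what the three rules above will and will not fire on, here is a small evaluator (an added example, not code from the Security Arsenal post) that implements only the Sigma modifiers the rules use (`endswith`, `contains`, `startswith`) and the conditions `selection` and `1 of selection_*`, then runs them over constructed telemetry. The rule bodies are transcribed from the post; the event field values are made up, and the `id` field exists only so results can be reported. Production rules should be compiled with pySigma or the SIEM vendor's converter rather than this evaluator.

```python
# Added example (not from the Security Arsenal post): minimal evaluator for the
# three Sigma-style selections above, run over constructed sample events.
# Implements only the modifiers the rules use and the conditions they use.

# Rule bodies transcribed from the post (logsource omitted; indicators are the post's IoCs).
RULES = {
    "troyden_luajit_exec": {
        "selection": {
            "Image|endswith": [r"\luajit.exe", r"\luajit"],
            "ParentImage|endswith": [r"\powershell.exe", r"\cmd.exe", r"\python.exe"],
        },
        "condition": "selection",
    },
    "mrrot13_cpanel_webshell": {
        "selection_file": {
            "TargetFilename|contains": ["/public_html/", "/www/"],
            "Image|endswith": ["/httpd", "/apache2"],
        },
        "selection_keyword": {
            "TargetFilename|contains": ["config.php", "index.php.bak"],
        },
        "condition": "1 of selection_*",
    },
    "remus_lumma_c2": {
        "selection_ip": {
            "DestinationIp|startswith": ["89.169.12.241", "213.176.73.", "217.119.129."],
        },
        "selection_domain": {
            "DestinationHostname|endswith": [
                "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
                "coox.live", "remnane.biz", "parky.pics",
            ],
        },
        "condition": "1 of selection_*",
    },
}


def field_matches(event, key, values):
    """One field spec ("Field|modifier": [v1, v2, ...]); the value list is OR-ed.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one selection must match (AND)."""
    return all(field_matches(event, key, values) for key, values in selection.items())


def rule_matches(event, rule):
    condition = rule["condition"]
    selections = {name: body for name, body in rule.items() if name != "condition"}
    if condition.startswith("1 of "):
        # "1 of selection_*" -> any selection whose name starts with "selection_"
        prefix = condition[len("1 of "):].rstrip("*")
        return any(selection_matches(event, body)
                   for name, body in selections.items() if name.startswith(prefix))
    return selection_matches(event, selections[condition])


def evaluate(events, rules=RULES):
    """Return (event id, rule name) pairs for every rule each event triggers."""
    return [(event["id"], name)
            for event in events
            for name, rule in rules.items() if rule_matches(event, rule)]


# Constructed telemetry: two process creations, two file events, three connections.
SAMPLE_EVENTS = [
    {"id": "proc-1", "Image": r"C:\Users\dev\AppData\Local\Temp\luajit.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": "proc-2", "Image": r"C:\tools\luajit\luajit.exe",     # launched by an editor, not a shell
     "ParentImage": r"C:\Program Files\Editor\editor.exe"},
    {"id": "file-1", "TargetFilename": "/home/site/public_html/images/index.php.bak",
     "Image": "/usr/sbin/httpd"},                                  # web server writing a PHP file
    {"id": "file-2", "TargetFilename": "/home/site/public_html/index.html",
     "Image": "/usr/bin/rsync"},                                  # ordinary deploy, no match
    {"id": "net-1", "DestinationIp": "203.0.113.10", "DestinationHostname": "cdn.parky.pics"},
    {"id": "net-2", "DestinationIp": "213.176.73.80", "DestinationHostname": ""},
    {"id": "net-3", "DestinationIp": "203.0.113.20", "DestinationHostname": "updates.example.com"},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: {rule_name}")
```

Two tuning points fall out of the run: `proc-2` stays silent because both fields of a selection are AND-ed, so a LuaJIT launch from an IDE is not flagged; and `endswith 'parky.pics'` with no leading dot matches `cdn.parky.pics` as intended but would also match an unrelated host whose name merely ends in those characters, so add a leading dot plus an exact-match entry if that becomes a noise source.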


```kql
// Hunt for TroyDen and Remus C2 Traffic
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP has_any ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118")
    or RemoteUrl has_any ("forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics", "wrned.com", "wpsock.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort

// Hunt for Mr_Rot13 File Hashes on Linux/Windows endpoints
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("b037fa1dd769891b538d9ca26131890c93e3458eec965354bdebe50d04a5b3d")
   or MD5 has_any ("02a5990b11293236e01f174f5999df20", "22613c952459e65ce09fb6b5c1c03d47", "2286f126ab4740ccf2595ad1fa0c615c", "29222f5e73dd10088fcf1204aa21f87f", "2de27ca8d97124adaf604b18161a441e")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName
```


```powershell
# IOC Hunter for TroyDen and Remus
# Checks for the presence of specific file hashes and network connections

$MaliciousSHA256 = @(
    "b037fa1dd769891b538d9ca26131890c93e3458eec965354bdebe50d04a5b3d"
)

$MaliciousDomains = @(
    "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
    "coox.live", "remnane.biz", "parky.pics", "wrned.com", "wpsock.com"
)

Write-Host "[*] Hunting for Remus/Lumma File Artifacts..."

# Scan user download directories and temp folders (files only; directories cannot be hashed)
$PathsToScan = @("C:\Users\*\Downloads\", "C:\Windows\Temp\", "C:\ProgramData\")

foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so the lowercase list matches Get-FileHash's uppercase output
            if ($hash -and $MaliciousSHA256 -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $hash" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[*] Checking DNS Cache for C2 Domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
if ($DnsCache) {
    foreach ($entry in $DnsCache) {
        # Match the domain itself and any subdomain of it (e.g. cdn.parky.pics)
        $hit = $MaliciousDomains | Where-Object { $entry.Name -eq $_ -or $entry.Name -like "*.$_" }
        if ($hit) {
            Write-Host "[!] SUSPICIOUS DNS ENTRY: $($entry.Name) -> $($entry.Data)" -ForegroundColor Yellow
        }
    }
}

Write-Host "[*] Hunt Complete."
```


Response Priorities

**Immediate (0-24 hours):**
*   **Block Indicators:** Implement immediate blocks on all listed IPs and Domains at perimeter firewalls and proxies.
*   **Patch CVE-2026-41940:** Identify and patch all cPanel instances immediately. Restrict cPanel access to VPN-only if patching is delayed.
*   **Hunt for Webshells:** Scan web servers (specifically `/public_html` and `/wp-content`) for recently modified PHP files matching the Mr_Rot13 profile.

**24-48 hours:**
*   **Credential Audit:** Given the prevalence of Redline and Lumma, force password resets for privileged accounts (DevOps, SysAdmins) and rotate SSH keys on Linux servers compromised by Mr_Rot13.
*   **GitHub Supply Chain Audit:** Audit developer workstations for cloned repositories matching the TroyDen AI-lure pattern (obscure biological names).
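The two Linux-side checks called for above, the webshell sweep of `/public_html` and `/wp-content` and the review of SSH keys planted by Mr_Rot13, can be scripted as follows. This is an added example, not code from the Security Arsenal post: `recent_php_files` lists PHP files modified inside a time window and marks those containing well-known webshell primitives as a triage hint (recency is the primary signal), and `unexpected_authorized_keys` reports any `authorized_keys` entry whose key is not on an allowlist, tolerating option prefixes such as `command="..."`. `build_fixture` creates a throwaway directory tree with constructed files and placeholder key blobs so the script runs offline; point the two functions at real paths and a real allowlist on a server.

```python
# Added example (not from the Security Arsenal post): Linux hunt for the two
# Mr_Rot13 persistence artefacts, recently modified PHP files under web roots and
# unexpected authorized_keys entries. build_fixture() constructs test data only.
import os
import re
import tempfile
import time
from pathlib import Path

# PHP primitives commonly seen in webshells; used only as a triage hint.
SUSPICIOUS_PHP = re.compile(r"\b(eval|assert|system|passthru|shell_exec)\s*\(|base64_decode\s*\(", re.I)


def recent_php_files(web_roots, max_age_hours=24, now=None):
    """List .php files under the given roots modified within max_age_hours."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    findings = []
    for root in web_roots:
        for path in Path(root).rglob("*.php"):
            if not path.is_file():
                continue
            mtime = path.stat().st_mtime
            if mtime < cutoff:
                continue
            try:
                body = path.read_text(errors="ignore")
            except OSError:
                continue
            findings.append({
                "path": str(path),
                "age_hours": round((now - mtime) / 3600, 1),
                "suspicious_calls": bool(SUSPICIOUS_PHP.search(body)),
            })
    return sorted(findings, key=lambda f: f["path"])


def unexpected_authorized_keys(authorized_keys_path, allowed_keys):
    """Return lines whose 'type blob' pair is not in allowed_keys (options and comment ignored)."""
    unexpected = []
    for line in Path(authorized_keys_path).read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # An options field (e.g. command="...") may precede the key type; locate the type token.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            unexpected.append(line)          # unparseable line: surface it rather than ignore it
            continue
        if f"{parts[idx]} {parts[idx + 1]}" not in allowed_keys:
            unexpected.append(line)
    return unexpected


# Constructed allowlist: placeholder blobs, not real public keys.
ALLOWED_KEYS = {
    "ssh-ed25519 AAAAC3Nz_PLACEHOLDER_ADMIN",
    "ssh-ed25519 AAAAC3Nz_PLACEHOLDER_BACKUP",
}


def build_fixture():
    """Create a throwaway web root (one old, two fresh PHP files) and an authorized_keys file."""
    base = Path(tempfile.mkdtemp(prefix="rot13hunt_"))
    web = base / "home" / "site" / "public_html"
    (web / "wp-content").mkdir(parents=True)
    now = time.time()
    old = web / "index.php"
    old.write_text("<?php echo 'hello'; ?>")
    os.utime(old, (now - 90 * 86400, now - 90 * 86400))   # 90 days old: outside the window
    (web / "config.php").write_text("<?php $db_host = 'localhost'; ?>")          # fresh, benign
    (web / "wp-content" / "cache.php").write_text("<?php eval(base64_decode($p)); ?>")  # fresh, suspicious
    keys = base / "authorized_keys"
    keys.write_text("\n".join([
        "ssh-ed25519 AAAAC3Nz_PLACEHOLDER_ADMIN admin@host",
        "ssh-rsa AAAAB3Nz_PLACEHOLDER_UNKNOWN root@unknown",
        'command="/usr/bin/backup" ssh-ed25519 AAAAC3Nz_PLACEHOLDER_BACKUP backup',
    ]) + "\n")
    return web, keys


if __name__ == "__main__":
    web, keys = build_fixture()
    for f in recent_php_files([web]):
        print(f"{f['path']} modified {f['age_hours']}h ago suspicious={f['suspicious_calls']}")
    for line in unexpected_authorized_keys(keys, ALLOWED_KEYS):
        print("unexpected key:", line)
```

On a real host, run the PHP sweep across every cPanel account's `public_html` and compare `authorized_keys` for root and each hosting account against keys your team actually issued; a fresh `config.php` with no suspicious calls still deserves a diff against the deployed version, since the page's second Sigma rule treats that filename as a keyword hit in its own right.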

**1 Week:**
*   **Architecture Hardening:** Implement application control policies (AppLocker) to prevent execution of LuaJIT binaries from user profile directories.
*   **Network Segmentation:** Ensure cPanel management interfaces are not accessible from the public internet.
*   **Developer Training:** Educate development teams on the risks of downloading unverified packages from GitHub.
