Cyber Threat Brief — May 4 2026
⚠️ This report is AI-generated. Always validate findings.
1. cPanel Auth Bypass Escalates — “Sorry” Ransomware + SE Asia Military Targeting — CVE-2026-41940
TL;DR: Two distinct exploitation tracks emerged for CVE-2026-41940: mass “Sorry” ransomware deployment encrypting cPanel-hosted sites with a Go-based Linux encryptor, and a targeted campaign from 95.111.250[.]175 hitting Philippine/Lao military and government domains with custom exploit chains.
What’s New:
- BleepingComputer confirmed mass “Sorry” ransomware attacks deploying a Go-based ELF encryptor that appends the `.sorry` extension, persists at `/usr/bin/.system_cache`, and drops `README.md` ransom notes with a Tox ID for contact
- Ctrl-Alt-Intel identified a separate targeted campaign from 95.111.250[.]175 exploiting CVE-2026-41940 against `*.mil.ph`, `*.gov.la`, and MSP domains in the Philippines, Laos, Canada, South Africa, and the US
- The same actor developed a custom authenticated SQLi-to-RCE chain against an Indonesian defence-sector training portal
- Attacker staging server exposed: OpenVPN C2 on 95.111.250[.]175:1194/UDP, Ligolo pivoting for persistent internal access
- 4.37GB exfiltrated from China Railway Society Electrification Committee including PRC national IDs and bank details (110 files, 2020–2024)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| /usr/bin/.system_cache (ELF binary, 964KB) | Persistence binary | T1059.004 | FIM / auditd / EDR | Hunt for this path; hash and block |
| .sorry file extension on encrypted files | Ransomware artifact | T1486 | FIM / file integrity | Alert on mass .sorry extension writes |
| README.md ransom note per directory | Ransom note | T1486 | FIM | Canary file monitoring for ransom note drops |
| Tox ID 3D7889AEC00F2325E1A3FBC0ACA4E521670497F11E47FDE13EADE8FED3144B5EB56D6B198724 | Threat actor contact | — | — | Intel enrichment |
| 95.111.250[.]175 | Attacker IP | T1071 | Firewall / proxy / IDS | Block and hunt in connection logs |
| 95.111.250[.]175:1194/UDP | OpenVPN C2 | T1572 | NetFlow / firewall | Block; hunt for OpenVPN connections to this endpoint |
| Session files under /var/cpanel/sessions/raw/ with user=root, hasroot=1, tfa_verified=1, or multiple pass= lines | Auth bypass IOC | T1078 | Host forensics | Audit all cPanel session files for injection artifacts |
| 401→200 pattern on /login/?login_only=1 with Authorization: Basic on non-login URL | Exploitation signature | T1190 | cpsrvd access logs | Build log correlation rule for this request sequence |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No cPanel CRLF injection or Sorry ransomware rules; build correlation for 401→200 login bypass pattern in cpsrvd logs |
| Elastic | None | No .sorry file extension or cPanel session injection detection |
| Sigma | None | No rules for cPanel session file manipulation or Go-based Linux encryptor persistence at /usr/bin/.system_cache |
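The two host-side checks the tables above ask for (the 401→200 login-bypass correlation over cpsrvd access logs and the session-file artifact audit), as an added example that is not part of this brief or of any vendor rule set. It assumes cpsrvd writes Apache-style combined log lines with the Basic-auth username in the `%u` field and that session files are key=value per line; the sample log and session content are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: Apache-style combined log as written by cpsrvd; the third
# field (%u) carries the username sent in an Authorization: Basic header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def find_bypass_sequences(lines, window=timedelta(seconds=30)):
    # Returns (ip, basic_auth_path, login_ts) for each client that got a 401 with
    # Basic credentials on a non-login URL, then a 200 on /login/?login_only=1.
    pending, hits = {}, []
    for ev in filter(None, map(parse, lines)):
        on_login = ev["path"].startswith("/login/")
        if ev["status"] == 401 and ev["user"] != "-" and not on_login:
            pending[ev["ip"]] = ev
        elif ev["status"] == 200 and ev["path"].startswith("/login/?login_only=1"):
            prior = pending.pop(ev["ip"], None)
            if prior and ev["ts"] - prior["ts"] <= window:
                hits.append((ev["ip"], prior["path"], ev["ts"]))
    return hits
SESSION_IOC_LINES = {"user=root", "hasroot=1", "tfa_verified=1"}
def session_file_iocs(text):
    # Flags the session-file artifacts the brief lists; assumes the
    # key=value-per-line layout of files under /var/cpanel/sessions/raw/.
    lines = [l.strip() for l in text.splitlines()]
    found = [k for k in SESSION_IOC_LINES if k in lines]
    if sum(l.startswith("pass=") for l in lines) > 1:
        found.append("multiple pass= lines")
    return sorted(found)

# Constructed sample data, not taken from any real host: 203.0.113.10 shows
# the bypass sequence, 198.51.100.7 is an ordinary login-page fetch.
SAMPLE_LOG = [
    '203.0.113.10 - admin [04/May/2026:08:00:01 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 401 0',
    '203.0.113.10 - - [04/May/2026:08:00:03 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/May/2026:08:01:00 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512',
]
SAMPLE_SESSION = "user=root\nhasroot=1\ntfa_verified=1\npass=a\npass=b\n"
```

Run `find_bypass_sequences` over a day of cpsrvd access_log lines and `session_file_iocs` over each file in the sessions directory; only the first client in the sample is reported, since the second never sent Basic credentials to a non-login URL.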
Sources: BleepingComputer · Ctrl-Alt-Intel · The Hacker News · watchTowr Labs
Status Updates
- CVE-2026-31431 (Linux Kernel — Copy Fail): Neo23x0 YARA signature (`expl_copy_fail_cve_2026_31431.yar`) now in signature-base for detecting PoC artifacts; CISA KEV federal deadline May 15. Original brief.
- CVE-2026-32202 (Windows Shell): Federal deadline May 12 in 8 days; APT28 exploitation ongoing; no new artifacts. Original brief.
- CVE-2024-1708/1709 (ScreenConnect): Federal deadline May 12; Storm-1175/Kimsuky campaigns active. Original brief.
- SHADOW-EARTH-053 (ShadowPad + Godzilla): No new artifacts since yesterday’s initial coverage; hunt guidance in yesterday’s brief.
- CVE-2026-3854 (GitHub Enterprise Server): 88% GHES instances still unpatched per Wiz; no new exploitation data. Original brief.