u/Independent-Rice5726

miner on my cpanel making insane hashrate

My cPanel server was recently hacked, most likely through the latest cPanel/WHM RCE vulnerability. The hacker then installed an XMRig miner using Docker. I analysed it and found that the wallet used by the hacker is 4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL, with SupportXMR being the mining pool. I checked it out and it's making over 100 MH/s. Insane.

https://preview.redd.it/bah82dr3z70h1.png?width=1918&format=png&auto=webp&s=b18d7d1b91867bd0db93b678c17d1d1aff3957d9

reddit.com
u/Independent-Rice5726 — 5 days ago

Found this weird 27 MH/s XMR miner on my cPanel server

So I just caught some weird activity on one of my cPanel/WHM boxes that looks like a live exploit of that recent auth bypass CVE. The attacker gained root, created a backdoor user named "pakchoi" (GID 0), and dropped a miner that I traced to a wallet (4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL) which just skyrocketed from 2 MH/s to 27 MH/s on SupportXMR in minutes. There's no way that hashrate is coming from just a few VPS instances; it's almost certain they're using compromised servers as a beachhead to scrape AWS, GCP, and K8s tokens to pivot into massive cloud clusters. Their C2 listener at 144.172.116.48:8080 already shows over 11,600 successful "loot" ingestions—we're talking 760MB+ of stolen plaintext credentials. The miner itself hides as a fake "php-fpm" process if Docker isn't there, and between the name "pakchoi," the Bitbucket uploader "Ensiklopedia muslimin," and workers named "ngintil" (Indonesian slang for trailing), this is clearly an Indonesian-based op. If you're running WHM, check for that user and any /tmp/.e* directories immediately, because this is a massive credential harvesting campaign, not just a simple miner.

reddit.com
u/Independent-Rice5726 — 6 days ago

▲ 38 r/cpanel

Found a massive 27 MH/s botnet hiding on my cPanel server. Check your logs for a 'pakchoi' user.

I just found something very weird. I have a cPanel/WHM server that was compromised via the latest CVE (likely the cpsrvd auth bypass). The attacker dropped an XMR miner and created a new backdoor user with root-level privileges (GID 0) called "pakchoi".

I analyzed the Docker image they used to deploy the miner and found this Monero address: 4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL

At the time of this writing, I checked the hashrate on SupportXMR and saw it jump from around 2 MH/s to a staggering 27 MH/s in just a few minutes. How is this even possible from just hacking cPanel servers? My theory is that they aren't just mining on the VPS itself—they are using the server to steal high-value cloud credentials to pivot into much larger environments.

What I discovered:

  1. The "Shotgun" Script: The attacker uses a massive post-exploitation script that targets everything. It specifically scrapes for:
    • AWS, GCP, and Azure credentials.
    • Kubernetes (K8s) tokens and kubeconfig files.
    • SSH private keys and history files.
    • Environment (.env) files containing DB passwords.
  2. The C2 Infrastructure: Data is exfiltrated to http://144.172.116.48:8080.
    • Probing the /health endpoint of this listener revealed over 11,643 successful "loot" ingestions.
    • The attacker has already harvested over 760MB of plaintext credentials from victims.
  3. The Miner: They try to use a Docker image negoroo/amco:123. If Docker isn't installed, they drop a standalone binary disguised as "php-fpm" or "kworker" to blend in with legitimate processes.

My Theory: Indonesian Origin?

I strongly suspect the threat actor is Indonesian based on several cultural and linguistic "fingerprints" left in the attack:

  • The User "pakchoi": Pakchoi (Bok Choy) is an incredibly common vegetable in Indonesia.
  • The Payload Source: The script is hosted on Bitbucket (https://bitbucket.org/gakoqweee/asdasdasd/downloads/) under the uploader name "Ensiklopedia muslimin" (Muslim Encyclopedia).
  • The Worker Names: On SupportXMR, the worker is named "ngintil". In Javanese/Indonesian, "ngintil" is slang for "clinging to," "following closely," or "tagging along".

The jump to 27 MH/s suggests they have successfully used stolen K8s/Cloud tokens to spin up massive mining clusters. If you are running cPanel/WHM, check for the "pakchoi" user and the /tmp/.e* directories immediately.

Has anyone else run into this specific actor?

https://preview.redd.it/cwzsfjtn9yzg1.png?width=1912&format=png&auto=webp&s=b93550d8022d0ff5bb0163f1bfbd49f517384078

reddit.com
u/Independent-Rice5726 — 6 days ago
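Added example, not the poster's tooling: a POSIX sh indicator hunt that checks a cPanel/WHM host for the things the three posts above name, the "pakchoi" GID 0 account, hidden /tmp/.e* directories, binaries posing as php-fpm or kworker, the wallet or pool name in a command line, sockets to 144.172.116.48:8080, and the negoroo/amco:123 image. Indicator values are the ones quoted in the posts; the /opt/cpanel/ea-php*/ location for legitimate php-fpm is my assumption about cPanel's EasyApache layout, and every check_* function reads a saved listing from a file so the logic can be exercised on constructed input before it is pointed at a live box.

```shell
#!/bin/sh
# Hunt for the indicators described in the posts on a cPanel/WHM host.
# Added example, not the poster's script. Indicator values are those quoted
# in the posts; the ea-php path for genuine php-fpm is an assumption about
# cPanel's EasyApache layout. Each check_* reads a saved listing from a file
# (so it can run offline on constructed data); hunt() gathers live listings.

IOC_USER="pakchoi"
IOC_C2="144.172.116.48:8080"
IOC_IMAGE="negoroo/amco:123"
IOC_WALLET="4AypWi9xNQvSy11FT5yr7Ajnyz2XuoUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL"

# check_passwd FILE: FILE is /etc/passwd. Flags the backdoor account by name
# and any other non-root account that carries uid 0 or gid 0.
check_passwd() {
    awk -F: -v u="$IOC_USER" '
        $1 == u                              { print "BACKDOOR_USER " $1 " uid=" $3 " gid=" $4; next }
        ($3 == 0 || $4 == 0) && $1 != "root" { print "ROOT_EQUIV_USER " $1 " uid=" $3 " gid=" $4 }
    ' "$1"
}

# check_tmp DIR: lists hidden .e* directories under DIR (the posts' /tmp/.e*).
check_tmp() {
    for d in "$1"/.e*; do
        [ -d "$d" ] && echo "HIDDEN_DIR $d"
    done
    return 0
}

# collect_procs: one line "pid comm exe" per process; exe is "-" for kernel
# threads. Run as root so /proc/PID/exe is readable for every process.
collect_procs() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="-"
        printf '%s %s %s\n' "${p#/proc/}" "$comm" "$exe"
    done
}

# check_procs FILE: FILE holds collect_procs output.
check_procs() {
    awk '
        # a genuine kworker is a kernel thread and has no on-disk executable
        $2 ~ /^kworker/ && $3 != "-"                { print "FAKE_KWORKER pid=" $1 " exe=" $3; next }
        # cPanel ships php-fpm under /opt/cpanel/ea-php*/ (assumed layout)
        $2 == "php-fpm" && $3 !~ /^\/opt\/cpanel\// { print "ODD_PHPFPM pid=" $1 " exe=" $3; next }
        # anything executing out of a hidden /tmp/.e* directory
        $3 ~ /^\/tmp\/\.e/                          { print "TMP_EXEC pid=" $1 " exe=" $3 }
    ' "$1"
}

# check_cmdlines FILE: FILE is "ps -eo pid,args" output; flags the wallet,
# the pool name or an xmrig invocation anywhere in a command line.
check_cmdlines() {
    grep -iE "$IOC_WALLET|supportxmr|xmrig" "$1" | awk '{ print "MINER_CMDLINE pid=" $1 }'
    return 0
}

# check_net FILE: FILE is "ss -tn" (or "netstat -tn") output; flags the C2 socket.
check_net() {
    grep -F "$IOC_C2" "$1" | awk '{ print "C2_CONNECTION " $0 }'
    return 0
}

# check_docker FILE: FILE is "docker ps -a --format '{{.ID}} {{.Image}}'" output.
check_docker() {
    grep -F "$IOC_IMAGE" "$1" | awk '{ print "MINER_CONTAINER " $1 }'
    return 0
}

# hunt: gather live listings and run every check against them.
hunt() {
    tmp=$(mktemp -d)
    check_passwd /etc/passwd
    check_tmp /tmp
    collect_procs > "$tmp/procs"; check_procs "$tmp/procs"
    ps -eo pid,args > "$tmp/cmd"; check_cmdlines "$tmp/cmd"
    (ss -tn 2>/dev/null || netstat -tn 2>/dev/null) > "$tmp/net"; check_net "$tmp/net"
    docker ps -a --format '{{.ID}} {{.Image}}' > "$tmp/docker" 2>/dev/null; check_docker "$tmp/docker"
    rm -rf "$tmp"
}

# Only touch the live host when asked: sh hunt.sh --live
if [ "${1:-}" = "--live" ]; then hunt; fi
```

Run it as root with `--live`; any hit should be treated as confirmation that the host has had a root-level compromise, so the useful next step is preserving the process, socket and container listings the script already gathers and rebuilding rather than just killing the miner, since the posts describe credential harvesting alongside it.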