Massive XMR Mining Operation Discovered on Compromised cPanel Servers; Attacker Exploited Auth Bypass CVE, Staged Credential Harvester Targeting Cloud Infrastructure
Security researchers are tracking an active cryptojacking campaign that has compromised cPanel/WHM servers by exploiting a recent authentication bypass vulnerability. The attacker gained root-level access and established persistence through a backdoor account named "pakchoi" with root group (GID 0) privileges, using it to deploy a Monero (XMR) miner that reached 27 MH/s on the SupportXMR pool—a hashrate that significantly exceeds what a handful of VPS instances alone would generate.
The mining wallet (4AypWi9xNQvSy11FT5yr7Ajnyz2XUD7LGEJw4ZTRUHLrWjH1x5KoZUp9FTS4s9a5Y6Q7d4jSze4E6tq64aJTD2L7hnCrL) reportedly spiked from 2 MH/s to 27 MH/s within minutes, raising concerns that the operation leverages compromised servers as beachheads to aggregate computational power across a botnet. Indicators point to a broader credential-harvesting operation: the command-and-control listener at 144.172.116.48:8080 has logged over 11,600 successful "loot" ingestions, encompassing more than 760MB of stolen plaintext credentials. The malware itself employs simple but effective evasion—disguising itself as "php-fpm" when Docker is absent from the host environment.
The campaign's naming conventions and infrastructure suggest a threat actor with specific operational patterns. The backdoor username "pakchoi" and a Bitbucket uploader tagged "Ensiklopedia muslimin" have drawn attention from investigators tracking the campaign's origin and scope. Organizations running cPanel/WHM instances are advised to audit for unauthorized root accounts, review authentication logs for the relevant CVE, and monitor for unusual outbound connections to port 8080. The targeting of cloud service tokens (AWS, GCP, Kubernetes) indicates the actor may be pivoting from initial server compromise toward large-scale cloud infrastructure exploitation.
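As an added illustration of the audit steps above (this script is not from the report or the researchers' tooling), the POSIX shell helpers below check the three indicators the article names: root-equivalent accounts, sockets to the named C2 listener, and processes masquerading as php-fpm. The embedded sample artefacts are constructed, and the 80% CPU threshold and the cPanel php-fpm config path are assumptions.

```shell
#!/bin/sh
# Added triage helpers for the cPanel/WHM campaign above (not from the original report).
# Each check reads one artefact on stdin: check_root_accounts < /etc/passwd,
# ss -ntp | check_c2_connections, ps -eo pid,pcpu,comm,args | check_fake_phpfpm.
# Findings print one per line prefixed SUSPECT; clean input prints nothing.
C2_ADDR="144.172.116.48:8080"   # C2 listener named in the report

# Any UID 0 or GID 0 account other than root (the "pakchoi" backdoor was GID 0).
check_root_accounts() {
    while IFS=: read -r name pw uid gid rest; do
        [ "$name" = "root" ] && continue
        if [ "$uid" = "0" ] || [ "$gid" = "0" ]; then
            echo "SUSPECT root-equivalent account: $name uid=$uid gid=$gid"
        fi
    done
}

# Sockets whose peer is the C2 listener (works on ss/netstat "-ntp" output).
check_c2_connections() {
    grep -F "$C2_ADDR" | while read -r line; do
        echo "SUSPECT connection to C2: $line"
    done
}

# php-fpm processes whose command line is not a real FPM master/pool, or a
# real-looking one burning CPU like a miner (80% threshold is an assumption).
check_fake_phpfpm() {
    while read -r pid pcpu comm args; do
        [ "$comm" = "php-fpm" ] || continue
        case "$args" in
            "php-fpm: master process"*|"php-fpm: pool "*)
                if [ "${pcpu%.*}" -gt 80 ]; then
                    echo "SUSPECT php-fpm $pid at ${pcpu}% CPU: $args"
                fi ;;
            *) echo "SUSPECT php-fpm $pid with non-FPM command line: $args" ;;
        esac
    done
}

# Constructed sample artefacts (not real captures) so the checks run offline.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
pakchoi:x:1002:0::/home/pakchoi:/bin/bash'
SS_SAMPLE='ESTAB 0 0 10.0.0.5:443 203.0.113.7:51022 users:(("httpd",pid=801,fd=12))
ESTAB 0 0 10.0.0.5:44512 144.172.116.48:8080 users:(("php-fpm",pid=9912,fd=5))'
PS_SAMPLE='  PID %CPU COMMAND COMMAND
 1201  0.3 php-fpm php-fpm: master process (/opt/cpanel/ea-php81/root/etc/php-fpm.conf)
 9912 99.7 php-fpm /tmp/.x/php-fpm'

printf '%s\n' "$PASSWD_SAMPLE" | check_root_accounts
printf '%s\n' "$SS_SAMPLE" | check_c2_connections
printf '%s\n' "$PS_SAMPLE" | check_fake_phpfpm
```

On a live host, pipe the real artefacts in as shown in the header comment and treat any SUSPECT line as a lead to confirm with `id`, `ls -l /proc/<pid>/exe` and the authentication logs, not as proof on its own.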