Introduction
Mr_Rot13 is a hacking group tracked through a PHP backdoor and a downloader domain tied to command-and-control (C2) infrastructure that has been active since 2020. The group applies the ROT13 substitution cipher to obfuscate strings in its tooling. ROT13 provides no cryptographic protection, but it is enough to defeat naive signature matching on function names, and the group's samples have shown a low detection rate across security products, which points to a deliberate evasion effort. Reported activity includes exploiting CVE-2026-41940 to deliver malicious payloads and using Telegram as a covert command channel. WordPress sites are a particular focus, and the continuity of the operations suggests a sustained, capable threat actor rather than opportunistic attackers.
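The practical consequence of ROT13 obfuscation is that a scanner looking for `eval` or `base64_decode` in PHP files sees `riny` and `onfr64_qrpbqr` instead. The following is an added example, not code from the page or from the actor's tooling: it precomputes the ROT13 form of a list of PHP callables commonly hidden by web shells (the list is an assumption, not an indicator taken from this actor's samples) and flags identifiers in a file that decode to one of them. The PHP snippet inside it is constructed for illustration only.

```python
"""Flag ROT13-obfuscated PHP callables in source text.

Added example for this page; not the actor's code and not the
page's own tooling. SUSPICIOUS is an assumed list of callables that
web shells commonly hide, and SAMPLE_PHP is a constructed input.
"""
import re

# Assumed set of PHP callables worth flagging when they appear obfuscated.
SUSPICIOUS = {
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "base64_decode", "gzinflate", "str_rot13",
}


def rot13(s: str) -> str:
    """Rotate ASCII letters by 13; digits and punctuation pass through.

    ROT13 is its own inverse, so one function both encodes and decodes.
    """
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


# Map the obfuscated form back to the real name, e.g. "riny" -> "eval".
ENCODED = {rot13(name): name for name in SUSPICIOUS}

# PHP identifiers and string literal contents are matched the same way;
# the encoded name usually sits inside a quoted string passed to str_rot13().
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def find_rot13_tokens(text: str) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for tokens that ROT13 to a suspicious name."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok in ENCODED:
            hits.append((tok, ENCODED[tok]))
    return hits


def assess(text: str) -> dict:
    """Combine the token hits with a check for the decoder call itself.

    A file that both contains ROT13-encoded callables and calls str_rot13()
    is rated "high"; encoded tokens alone are "medium" (they could be
    coincidental words); nothing found is "none".
    """
    hits = find_rot13_tokens(text)
    uses_decoder = re.search(r"\bstr_rot13\s*\(", text) is not None
    if hits and uses_decoder:
        verdict = "high"
    elif hits:
        verdict = "medium"
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits, "uses_decoder": uses_decoder}


# Constructed sample, not an actual captured backdoor.
SAMPLE_PHP = r"""<?php
// constructed sample, not an actual captured backdoor
$k = str_rot13('flfgrz');
$d = str_rot13('onfr64_qrpbqr');
$k($d($_POST['x']));
?>"""

if __name__ == "__main__":
    result = assess(SAMPLE_PHP)
    print(result["verdict"])
    for enc, dec in result["hits"]:
        print(f"{enc} -> {dec}")
```

Run against a directory of WordPress files the same way, reading each `.php` file and calling `assess()`; Python's standard `codecs.decode(s, "rot_13")` gives the same transform as `rot13()` if you prefer not to carry the helper. Treat "medium" hits as a prompt for manual review rather than an alert: short ROT13 words such as `rkrp` rarely occur naturally, but the longer the wordlist grows, the more likely a benign identifier collides with an encoded one.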
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea:
- Hacking Team UEFI Rootkit:
- Xploit:
- CrossRat:
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.