SYMBOLCOMMON_NAMEaka. SYNONYMS

Mr_Rot13  (Back to overview)


Mr_Rot13 is a stable hacking group identified through a PHP backdoor and a Downloader domain linked to a C2 infrastructure active since 2020. They utilize the Rot13 algorithm for obfuscation and have demonstrated a low detection rate across security products, indicating advanced operational security. Their activities include exploiting CVE-2026-41940 to deliver malicious payloads and maintaining covert communication via Telegram. The group has shown a particular focus on WordPress as a target, with ongoing operations that suggest a sophisticated threat actor rather than opportunistic attackers.


Associated Families

There are currently no families associated with this actor.


References
2026-05-11QianxinQiAnXin XLab Team
Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment
Mr_Rot13

Credits: MISP Project