I downloaded that cPanel remote exploit program you mentioned; it's 6 months old.
How do you know for sure they got in using that program?
I didn't try to connect to my server with it, but I really doubt that this software was developed for a new exploit as it is 6 months old already.
It seems more like a general cPanel port scanner and execute command tool. Maybe they got in through another hole (not a specific cPanel hole) and just used this software to execute commands?
cPanel 5 did have a remote exploit bug, but that was a while ago.