A financially motivated threat actor tracked as INJ3CTOR3 has been observed exploiting CVE-2025-64328, a post-authentication command-injection flaw in the FreePBX Endpoint Manager administrative interface, to deploy a persistent PHP web shell dubbed EncystPHP. The activity began in early December 2025 and enables attackers to execute arbitrary commands (as the asterisk user) and progress to full administrative control of compromised VoIP environments, supporting follow-on abuse such as unauthorized call generation and toll fraud.
FortiGuard Labs reported the campaign’s infrastructure and delivery chain, including downloads of an EncystPHP dropper from 45[.]234[.]176[.]202 (domain crm[.]razatelefonia[.]pro), a site masquerading as a VoIP management portal with a login page; requests to the new/ path reportedly redirect to an additional dropper (k.php). The observed exploitation traffic originated from Brazil and targeted an environment managed by an Indian technology services provider; affected versions were reported as FreePBX Endpoint Manager v17.0.2.36 through v17.0.3, and the web shell was described as “weaponized,” with remote command execution and persistence mechanisms. Reporting also links the activity to INJ3CTOR3’s historical pattern of targeting VoIP platforms, including prior exploitation of CVE-2019-19006 (FreePBX) and CVE-2021-45461 (Elastix).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
On 2026-04-13, SANS Internet Storm Center reported active probing for the EncystPHP web shell via GET requests to /admin/modules/phones/ajax.php using the hard-coded md5 access string documented by Fortinet. The activity originated from 160.119.76.250 and also included FreePBX exploit attempts downloading a payload from 45.95.147.178, with warning that some payloads add multiple backdoor accounts on compromised systems.
On 2026-01-28, FortiGuard Labs published research on the high-severity campaign, detailing exploitation of CVE-2025-64328, the EncystPHP web shell, and associated infrastructure and detections. The report attributed the activity to patterns associated with the INJ3CTOR3 threat actor, previously linked to attacks on VoIP infrastructure and earlier vulnerabilities.
During the campaign, EncystPHP set up cron-based re-download and reinstallation, placed redundant web shells under /var/www/html/, created a root-level local account named newfpbx with UID 0, added an SSH public key, and ensured SSH port 22 remained open. It also deleted logs, forged timestamps, removed the Endpoint Manager module, disabled error reporting, and deleted competing web shells to evade detection and maintain long-term access.
After exploitation, the attackers used droppers such as "c" and "k.php" from infrastructure including 45.234.176.202 (crm.razatelefonia.pro) to install a Base64-encoded PHP web shell dubbed EncystPHP. The malware masqueraded as legitimate FreePBX files such as ajax.php and enabled remote command execution and operator access through an "Ask Master" interface.
In early December 2025, attackers began exploiting the post-authentication command-injection flaw CVE-2025-64328 in the FreePBX Endpoint Manager administrative interface. The activity targeted vulnerable FreePBX versions including v17.0.2.36 through v17.0.3 to gain shell access on VoIP/PBX systems.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
isc.sans.edu
Open sourcecybersecuritynews.com
Open sourcefeeds.fortinet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.