Reporting highlights two separate developments: growing criminal adoption of Vshell, a Go-based command-and-control framework originally promoted in Chinese-speaking offensive security communities as a lower-cost alternative to Cobalt Strike. Research cited in the reporting describes Vshell’s evolution from a basic RAT into a more capable post-compromise platform supporting Windows and Linux administration, traffic tunneling/relay, pivoting, and lateral movement; internet scanning also identified exposed Vshell management panels with large numbers of connected agents (e.g., a recovered panel showing 286 active clients), indicating real-world operational use.
Separately, the Shadowserver Foundation reported that 900+ Sangoma FreePBX instances remain infected with web shells following exploitation of CVE-2025-64328 (CVSS 8.6), a post-authentication command-injection flaw affecting FreePBX versions >= 17.0.2.36 and fixed in 17.0.3. The issue has been added to CISA’s KEV catalog amid active exploitation, and Fortinet linked exploitation beginning in December 2025 to the INJ3CTOR3 cyber-fraud operation delivering an EncystPHP web shell; recommended mitigations include restricting access to the FreePBX Admin Control Panel (ACP) and updating affected components (including the filestore module).

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Censys found numerous exposed Vshell deployments on the internet, including management panels showing hundreds of connected agents and broadly distributed listener infrastructure. The findings highlighted growing operational use of Vshell and its increasing visibility across attacker-controlled systems.
The Shadowserver Foundation reported that more than 900 Sangoma FreePBX instances remained compromised with web shells as of late February 2026. The largest number of infected systems was in the United States, with additional victims in Brazil, Canada, Germany, and France.
Fortinet FortiGuard Labs attributed exploitation of CVE-2025-64328 to the INJ3CTOR3 cyber fraud operation. The activity involved deployment of the EncystPHP web shell, which can execute elevated commands and initiate outbound calls through compromised PBX systems.
CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities catalog after observing active exploitation in the wild. This formalized the vulnerability's status as an actively exploited security issue.
During 2025, Vshell was identified in several threat campaigns, including Operation DRAGONCLONE, the SNOWLIGHT campaign attributed to UNC5174, and an August 2025 phishing operation. These sightings indicated the framework had moved beyond opportunistic use into broader threat actor adoption.
Sangoma addressed CVE-2025-64328 in FreePBX version 17.0.3. The issue affected version 17.0.2.36 and later, and mitigation guidance included hardening access to the Administrator Control Panel and updating the filestore module.
Attackers began exploiting CVE-2025-64328 against Sangoma FreePBX instances in December 2025, leading to widespread web shell compromises. The flaw is a high-severity post-authentication command injection vulnerability that enables arbitrary shell command execution.
Vshell, a Go-based command-and-control framework, first appeared in 2021 in Chinese-speaking offensive security circles. It began as a basic remote access tool and later evolved into a more capable intrusion framework.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.