Unveiling the Weaponized Web Shell EncystPHP
Essential information
- Published
- 28/01/2026 18:26
- Modified
- 28/01/2026 22:47
- Tags
- 2026-01-28 CVE-2025-64328 command injection encystphp evasion freepbx persistence telephony web shell
- Related entities
- 3 vulnerabilities (cve), 5 observables, 1 intrusion sets (apt), 15 techniques (mitre), 1 malware, 5 others
Description
A sophisticated web shell named EncystPHP has been discovered, targeting FreePBX systems through the CVE-2025-64328 vulnerability. Associated with the hacker group INJ3CTOR3, this malware exhibits advanced capabilities including remote command execution, persistence mechanisms, and web shell deployment. The attack originated from Brazil, targeting an Indian technology company. EncystPHP employs various techniques to maintain persistence, including creating cron jobs, injecting SSH keys, and deploying multiple instances of itself. It also attempts to evade detection by deleting logs and masquerading as legitimate FreePBX files. The malware's impact includes full system compromise, unauthorized administrative access, and potential abuse of telephony resources. Organizations are advised to treat any successful exploitation as a critical incident requiring immediate remediation and security hardening.