Unveiling the Weaponized Web Shell EncystPHP

Source: www.fortinet.com/blog/thre…

FortiGuard Labs has discovered a web shell that we named “EncystPHP.” It features several advanced capabilities, including remote command execution, persistence mechanisms, and web shell deployment. Incidents were launched in early December last year and propagated via exploitation of the FreePBX vulnerability CVE-2025-64328.

Its malicious activity appears to be associated with the hacker group INJ3CTOR3, first identified in 2020, which targeted CVE-2019-19006. In 2022, the threat actor shifted its focus to the Elastix system via CVE-2021-45461. These incidents begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments. We assess that this campaign represents recent attack activity and behavior patterns associated with INJ3CTOR3.
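The summary above names the capabilities of the dropped PHP web shell (remote command execution, persistence, deployment of further web shells) but not how a defender would find such a file in a FreePBX or other PHP web root. The scanner below is an added example written for this page, not Fortinet's tooling or anything from the original report: it walks a web root, scores each PHP file on generic web-shell traits (direct calls to command-execution or code-evaluation functions, decode-then-run obfuscation, and variable functions invoked on request data), and reports files above a threshold. The heuristics are generic rather than EncystPHP-specific, and the two sample files are constructed for illustration.

```python
"""
Generic PHP web-shell hunt (added example, not from the original page).
Heuristics are generic, not EncystPHP-specific; sample files are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Functions a web shell typically reaches for to run OS commands or evaluate code.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert")

# Patterns that usually mean "decode a payload, then run it", or request data
# passed straight into a call: classic obfuscation and command-takeover traits.
OBFUSCATION = [
    re.compile(r"base64_decode\s*\(", re.I),
    re.compile(r"gzinflate\s*\(|gzuncompress\s*\(|str_rot13\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\)", re.I),
]

# Dynamic dispatch such as $f = 'sys'.'tem'; $f($_POST['c']); which hides the
# sensitive function name from naive string matching.
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    score: int = 0


def score_php_source(src: str) -> tuple[int, list]:
    """Return (score, reasons) for one PHP source text; higher is more shell-like."""
    reasons, score = [], 0
    for fn in EXEC_FUNCS:
        if re.search(rf"\b{fn}\s*\(", src, re.I):
            reasons.append(f"calls {fn}()")
            score += 2
    for pat in OBFUSCATION:
        if pat.search(src):
            reasons.append(f"obfuscation pattern {pat.pattern!r}")
            score += 1
    if DYNAMIC_CALL.search(src):
        reasons.append("variable function called on request data")
        score += 3
    return score, reasons


def scan_webroot(root: str, threshold: int = 3) -> list:
    """Walk a web root and return Findings for PHP files scoring >= threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                score, reasons = score_php_source(fh.read())
            if score >= threshold:
                findings.append(Finding(path=path, reasons=reasons, score=score))
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample files: a benign page and a shell-like dropper.
BENIGN = "<?php\necho htmlspecialchars($_GET['name'] ?? 'guest');\n"
SHELLISH = ("<?php\n@eval(base64_decode($_POST['p']));\n"
            "$f = 'sys'.'tem'; $f($_REQUEST['c']);\n")


def demo() -> list:
    """Build a throwaway web root with the two samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admin"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN)
        with open(os.path.join(root, "admin", "cache.php"), "w") as fh:
            fh.write(SHELLISH)
        return [(os.path.basename(f.path), f.score, f.reasons)
                for f in scan_webroot(root)]


if __name__ == "__main__":
    for name, score, reasons in demo():
        print(name, score, reasons)
```

Only the constructed `cache.php` crosses the threshold; the benign page that merely reads `$_GET` is not flagged, because reading request data is normal and the score comes from feeding it into execution or evaluation. In a real hunt, run it against a copy of the web root, pair the hits with file modification times and web-server access logs for the same paths, and treat the scoring as a triage aid rather than a verdict.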

Edward Kiledjian @ekiledjian