Sophisticated FreePBX Attack Campaign Deploys Persistent "EncystPHP" Webshell A financially motivated hacker group, INJ3CTOR3, has launched a targeted attack campaign exploiting CVE-2025-64328, a critical post-authentication command-injection vulnerability in FreePBX’s Endpoint Manager. The campaign, active since early December 2025, deploys EncystPHP, a highly evasive webshell granting attackers full administrative control over compromised VoIP and PBX systems. ### Exploitation & Attack Chain The vulnerability, tracked in the Filestore component’s check_ssh_connect() function, allows authenticated attackers to execute arbitrary commands as the asterisk user. Attack traffic originated from Brazil, targeting cloud-based VoIP environments managed by an Indian technology firm. Threat actors downloaded the EncystPHP dropper from 45[.]234[.]176[.]202, a server masquerading as a VoIP management portal (crm[.]razatelefonia[.]pro). The malware redirects victims to a secondary dropper (k.php) before deploying the webshell. ### EncystPHP Capabilities & Persistence The webshell, disguised as ajax.php, employs MD5-hashed authentication and an interactive "Ask Master" interface for remote command execution. Key features include: - Multi-stage persistence: Cron jobs, redundant droppers in /var/www/html/, and forged timestamps to evade detection. - Privilege escalation: Creates a root-level "newfpbx" account, resets user passwords, and injects SSH keys for backdoor access. - Evasion techniques: Modifies file permissions, disables error logging, and removes competing malware. - Telephony abuse: Enumerates SIP peers, Asterisk channels, and initiates unauthorized calls for toll fraud. ### Attribution & Historical Context INJ3CTOR3, active since 2020, has a history of targeting VoIP systems for financial gain. Previous campaigns exploited: - CVE-2019-19006 (FreePBX, 2020) - CVE-2021-45461 (Elastix, 2022) ### Indicators of Compromise (IoCs) - C2 Infrastructure: `45[.]234[.]176[.]202`, `187[.]108[.]1[.]130`, `crm[.]razatelefonia[.]pro` - Webshell Hashes: - `71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302` (EncystPHP) - `7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574` (Dropper) - File Paths: `/var/www/html/admin/views/ajax.php`, `/var/www/html/rest_phones/ajax.php` - Detection Signatures: `PHP/EncystPHP.A!tr`, `IPS Signature 59448` The attack underscores the persistent targeting of VoIP infrastructure for monetization, with unpatched FreePBX systems at high risk of full compromise.