Unveiling the Weaponized Web Shell EncystPHP

    Date: 01/29/2026

    Severity: High

    Summary

    Labs identified a web shell dubbed “EncystPHP” with advanced capabilities such as remote command execution, persistence, and web shell deployment. The attacks began in early December last year and spread through exploitation of the FreePBX vulnerability CVE-2025-64328. The activity is linked to the hacker group INJ3CTOR3, first observed in 2020 targeting CVE-2019-19006. In 2022, the group shifted focus to Elastix systems by exploiting CVE-2021-45461. Overall, this campaign reflects recent attack activity consistent with known INJ3CTOR3 tactics and behavior.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://45.234.176.202/new/c

    http://45.234.176.202/new/k.php

    IP Addresses:

    45.234.176.202

    187.108.1.130

    SHA-256 Hashes:

    71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302

    7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574

    fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2

    285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2

    29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://45.234.176.202/new/c" or url like "http://45.234.176.202/new/c" or siteurl like "http://45.234.176.202/new/c" or domainname like "http://45.234.176.202/new/k.php" or url like "http://45.234.176.202/new/k.php" or siteurl like "http://45.234.176.202/new/k.php"

    Detection Query 2:

    dstipaddress IN ("45.234.176.202","187.108.1.130") or srcipaddress IN ("45.234.176.202","187.108.1.130")

    Detection Query 3:

    sha256hash IN ("71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302","7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574","fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2","285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2","29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7")
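    The three TDIR queries above are plain field matches against the advisory's indicators, which makes them easy to reproduce outside the product for hunting in exported logs. The following Python matcher is an added example written for this advisory; it is not Gurucul's or Fortinet's code. It assumes log records are dictionaries whose keys match the query field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash), treats the `like` operator of Query 1 as a case-insensitive substring match, and runs over a handful of constructed sample records.

```python
"""
Offline re-implementation of the three EncystPHP detection queries.
Added example; the record layout (field names matching the TDIR query fields)
and the substring semantics of `like` are assumptions, not product behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Indicators copied from the advisory's IOC list.
IOC_URLS = {
    "http://45.234.176.202/new/c",
    "http://45.234.176.202/new/k.php",
}
IOC_IPS = {"45.234.176.202", "187.108.1.130"}
IOC_SHA256 = {
    "71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302",
    "7e3a47e3c6b82eb02f6f1e4be6b8de4762194868a8de8fc9103302af7915c574",
    "fc514c45fa8e3a49f003eae4e0c8b6a523409b8341503b529c85ffe396bb74f2",
    "285fac34a5ffdac7cb047d412862e1ca5e091e70c0ac0383b71159fdd0d20bb2",
    "29d74963f99563e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7",
}

URL_FIELDS = ("domainname", "url", "siteurl")   # Detection Query 1
IP_FIELDS = ("dstipaddress", "srcipaddress")    # Detection Query 2
HASH_FIELD = "sha256hash"                        # Detection Query 3


@dataclass(frozen=True)
class Hit:
    index: int   # position of the record in the input stream
    query: int   # which detection query fired: 1, 2 or 3
    field: str   # the field that carried the indicator
    value: str   # the raw field value, for the analyst's triage


def _norm(value: str) -> str:
    # Hashes and URLs are compared case-insensitively so that upper-case
    # hex digests or host names exported by other tools still match.
    return value.strip().lower()


def match_record(index: int, record: dict) -> Iterator[Hit]:
    """Yield one Hit per (field, query) that an indicator matches."""
    # Query 1: `like` is treated as substring containment (assumption), so a
    # URL with extra query parameters after k.php still matches.
    for field in URL_FIELDS:
        value = record.get(field)
        if value and any(ioc in _norm(value) for ioc in IOC_URLS):
            yield Hit(index, 1, field, value)
    # Query 2: exact match on either endpoint address.
    for field in IP_FIELDS:
        value = record.get(field)
        if value and value.strip() in IOC_IPS:
            yield Hit(index, 2, field, value)
    # Query 3: exact match on the normalised SHA-256.
    value = record.get(HASH_FIELD)
    if value and _norm(value) in IOC_SHA256:
        yield Hit(index, 3, HASH_FIELD, value)


def scan(records: list[dict]) -> list[Hit]:
    """Run all three queries over a list of records and collect the hits."""
    return [hit for i, rec in enumerate(records) for hit in match_record(i, rec)]


# Constructed sample telemetry, not real log data.
SAMPLE_RECORDS = [
    {"srcipaddress": "10.0.0.15", "dstipaddress": "45.234.176.202",
     "url": "http://45.234.176.202/new/k.php"},
    {"srcipaddress": "10.0.0.22", "dstipaddress": "93.184.216.34",
     "url": "https://example.com/index.html"},
    {"sha256hash": "285FAC34A5FFDAC7CB047D412862E1CA5E091E70C0AC0383B71159FDD0D20BB2",
     "filename": "k.php"},
    {"sha256hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "filename": "empty.txt"},
    {"srcipaddress": "187.108.1.130", "dstipaddress": "10.0.0.5",
     "url": "/admin/config.php"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"record {hit.index}: query {hit.query} matched {hit.field}={hit.value}")
```

    Run against the constructed records, the first record fires both Query 1 (URL) and Query 2 (destination IP), the upper-case digest in the third record still fires Query 3 after normalisation, and the last record fires Query 2 on the source address, which is the case the original query's `srcipaddress` clause exists for.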

    Reference: 

    https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp


    Tags

    CVE-2021, CVE-2019, Exploit, Threat Actor, Vulnerability, CVE-2025
