PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, the Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone file but is integrated into existing web content such as text editors and content management systems.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | PHPsert can use Base64-encoded values in C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PHPsert has the ability to decode and decrypt obfuscated strings prior to execution.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | PHPsert can use multiple obfuscation techniques including XOR encoding, hexadecimal character representation, string concatenation, and randomized variable names.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | PHPsert can use the PHP assert() function to execute attacker-provided code and maintain persistence on targeted web servers.[1] |
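The traits listed above (hex-escaped characters, string concatenation, XOR decoding, Base64 and a call to assert() reached through a randomly named variable) are exactly what a static triage of PHP files on a web server can look for. The following scanner is an added example written for this entry; it is not code from ATT&CK or from the report cited as [1], and the two PHP snippets it scans are constructed here (the suspicious one keeps the obfuscation traits but omits any input source). It normalizes hex escapes and literal concatenation so that a hidden `assert` string surfaces, then counts the remaining indicators.

```python
"""Static triage of PHP source for PHPsert-style webshell indicators (added example)."""
import math
import re

# Regexes constructed for this example; they map onto the obfuscation traits the
# entry lists (hex escapes, concatenation, XOR, Base64) plus assert() itself.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")                 # "\x61" style bytes
LITERAL_CONCAT = re.compile(r'"([^"\\]*)"\s*\.\s*"([^"\\]*)"')  # "as"."sert" (normalized text)
LITERAL_CONCAT_RAW = re.compile(r'"[^"]*"\s*\.\s*"[^"]*"')      # same shape in raw source
XOR_BYTEWISE = re.compile(r"\]\s*\^\s*")                        # $p[$i] ^ ... in a decode loop
BASE64_DECODE = re.compile(r"\bbase64_decode\s*\(")
ASSERT_CALL = re.compile(r"\bassert\s*\(")
ASSERT_LITERAL = re.compile(r"\"assert\"|'assert'")
DYNAMIC_CALL = re.compile(r"\$[A-Za-z_]\w*\s*\(")               # $f(...) variable function call
VARIABLE = re.compile(r"\$([A-Za-z_]\w*)")


def normalize(source: str) -> str:
    """Undo two listed obfuscations: hex escapes and adjacent "a"."b" literals."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), source)
    previous = None
    while previous != text:  # keep joining until no adjacent literal pair remains
        previous = text
        text = LITERAL_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
    return text


def shannon_entropy(name: str) -> float:
    """Bits of entropy per character of a short identifier."""
    total = len(name)
    return -sum(name.count(c) / total * math.log2(name.count(c) / total) for c in set(name))


def randomized_names(source: str) -> list:
    """Variable names that mix case and digits with high per-character entropy.

    Threshold values (length 8, 2.8 bits) are chosen for this example, not taken
    from the entry; tune them against your own code base before relying on them.
    """
    found = []
    for name in sorted(set(VARIABLE.findall(source))):
        if (len(name) >= 8 and re.search(r"\d", name) and re.search(r"[A-Z]", name)
                and re.search(r"[a-z]", name) and shannon_entropy(name) >= 2.8):
            found.append(name)
    return found


def scan(source: str) -> dict:
    """Return the indicators found in one PHP file; 'score' counts those present."""
    normalized = normalize(source)
    indicators = {
        "hex_escapes": bool(HEX_ESCAPE.search(source)),
        "literal_concat": bool(LITERAL_CONCAT_RAW.search(source)),
        "xor_bytewise": bool(XOR_BYTEWISE.search(source)),
        "base64_decode": bool(BASE64_DECODE.search(source)),
        "assert_call": bool(ASSERT_CALL.search(normalized)),
        # "assert" only appears once hex escapes / concatenation are undone
        "hidden_assert": bool(ASSERT_LITERAL.search(normalized))
        and ASSERT_LITERAL.search(source) is None,
        "dynamic_call": bool(DYNAMIC_CALL.search(source)),
        "random_names": randomized_names(source),
    }
    indicators["score"] = sum(1 for value in indicators.values() if value)
    return indicators


# Constructed samples: an ordinary template and an obfuscated fragment that
# rebuilds "assert" from hex escapes and concatenation (input source omitted).
BENIGN_SAMPLE = r"""<?php
$title = "Hello";
echo htmlspecialchars($title);
"""

SUSPICIOUS_SAMPLE = r"""<?php
$Zq9xT2vb = "\x61\x73"."\x73\x65\x72\x74";
$k = "k";
$p = base64_decode($payload);
for ($i = 0; $i < strlen($p); $i++) { $p[$i] = $p[$i] ^ $k; }
$Zq9xT2vb($p);
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan(sample))
```

Run it over a web root with `scan(open(path).read())` per `.php` file and review anything with a score of three or more; a single indicator such as `base64_decode` is common in legitimate code, while the combination of a hidden `assert` literal, a dynamic call and a high-entropy variable name is the PHPsert pattern described above.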
| ID | Name | Description |
|---|---|---|
| C0061 | Operation Digital Eye | During Operation Digital Eye, threat actors deployed PHPsert for execution and to maintain access.[1] |