Skip to content

Hide Navigation Hide TOC

PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442)

PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone but integrated into web content such as text editors and content management systems.(Citation: sentinelone operationDigitalEye Dec 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern PHPsert - S9028 (9491a623-5861-4d0a-9958-8c05d0d17442) Malware 1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 2