
S9028: PHPsert

PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone but integrated into web content such as text editors and content management systems.[1]

Enterprise · S9028 · Malware · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PHPsert matters because it is a PHP web shell that MITRE describes as being embedded into web content such as text editors and content management systems rather than typically deployed as a standalone file. For leaders, the practical risk is persistent access through exposed web-facing management or content platforms, especially on network-device-adjacent web services, where normal web traffic can make malicious activity hard to distinguish without the right logs and file integrity evidence.

Executive priority

Prioritize validation of externally reachable PHP-enabled web content, CMS/editor components, and network device management surfaces. The business question is whether the organization can prove that web-facing administrative content has not been modified, that suspicious HTTP/S activity would be investigated quickly, and that incident responders can collect web server, network, and file evidence before it is overwritten. This is relevant to resilience, audit evidence, and incident decision-making because ATT&CK links PHPsert to web shell persistence, web-protocol C2, ingress tool transfer, and encoding/obfuscation behaviors.

Technical view

SOC and IR teams should treat PHPsert as a web shell behavior pattern on Network Devices, with relationship-driven attention to T1505.003 Web Shell, T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1132.001 Standard Encoding, T1027.013 Encrypted/Encoded File, and T1140 Deobfuscate/Decode Files or Information. Because MITRE provides no official detection text, teams should validate coverage around unexpected PHP code in web content, modified CMS/editor files, encoded parameters or payloads in HTTP/S requests, unusual outbound web traffic from web-hosting or management components, and post-compromise file transfer activity. Relationship context also notes use in Operation Digital Eye, but local detections should be behavior-based rather than attribution-led.

Likely telemetry

  • Web server access logs and error logs for PHP-enabled applications or management interfaces
  • File integrity monitoring or configuration backups for web roots, CMS components, text editors, and network device web content
  • HTTP/S proxy, firewall, and network flow records involving web-facing servers or network devices
  • EDR or host logs where available for web server processes creating, modifying, decoding, or transferring files
  • Application logs from content management systems, plug-ins, editors, and administrative upload functions

Detection direction

  • Confirm whether web-facing PHP content has a known-good baseline; alerting is weak if defenders cannot distinguish approved CMS/editor changes from unauthorized modifications.
  • Hunt for newly created or recently modified PHP files, unusual inline code, encoded blobs, or files placed in upload, editor, plug-in, theme, or content directories.
  • Review HTTP/S traffic for abnormal request patterns to PHP resources, encoded command-like parameters, repeated small POSTs, or responses inconsistent with normal application behavior while accounting for legitimate admin and CMS activity.
  • Correlate possible web shell access with outbound downloads or uploads consistent with Ingress Tool Transfer.
  • Tune detections to reduce false positives from legitimate CMS maintenance, plug-in updates, and administrative uploads by using change windows, owner validation, and source IP context.

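As an added illustration of the hunt steps above (not code from the page, Glexia or MITRE), a Python pass over constructed access-log lines that groups requests per client and PHP path, scores repeated small POSTs and base64-shaped parameters sent to editor/upload paths, and skips endpoints on an assumed known-good allow-list; the allow-list, directory names and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")          # base64-shaped parameter value
CONTENT_DIRS = ("/upload", "/editor", "/plugin", "/theme", "/content")
KNOWN_GOOD = {"/wp-admin/admin-ajax.php"}  # constructed allow-list of approved admin endpoints

def looks_encoded(query):
    return any(B64_RE.match(v) for _, v in parse_qsl(query, keep_blank_values=True))

def hunt(log_text, known_good=KNOWN_GOOD, min_repeats=3, small_bytes=1024):
    """Group requests per (client, PHP path) and flag the patterns from the hunt list above."""
    stats = defaultdict(lambda: {"posts": 0, "small_posts": 0, "encoded": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(".php") or url.path in known_good:
            continue  # non-PHP resources and baselined admin endpoints are not scored
        s = stats[(m["ip"], url.path)]
        if m["method"] == "POST":
            s["posts"] += 1
            s["small_posts"] += int(m["size"] != "-" and int(m["size"]) < small_bytes)
        s["encoded"] += int(looks_encoded(url.query))
    findings = []
    for (ip, path), s in stats.items():
        reasons = []
        if s["small_posts"] >= min_repeats:
            reasons.append("repeated small POSTs")
        if s["encoded"] and any(d in path for d in CONTENT_DIRS):
            reasons.append("encoded parameter to content/editor path")
        if reasons:
            findings.append({"ip": ip, "path": path, **s, "reasons": reasons})
    return findings

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:09:12:01 +0000] "POST /editor/plugins/img.php?c=ZXhhbXBsZTE= HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:09:12:03 +0000] "POST /editor/plugins/img.php?c=ZXhhbXBsZTI= HTTP/1.1" 200 91 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:09:12:05 +0000] "POST /editor/plugins/img.php?c=ZXhhbXBsZTM= HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Dec/2024:09:13:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Dec/2024:09:14:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""
```
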
Mitigation priorities

  • Inventory and reduce exposed PHP-enabled web management surfaces, especially CMS/editor components and network device administration interfaces.
  • Maintain patching and hardening of web applications, CMS components, plug-ins, editors, and device management services that can host or modify PHP content.
  • Restrict administrative upload and content-editing functions with strong authentication, least privilege, and network access controls.
  • Implement file integrity monitoring and recoverable configuration/content backups for web roots and device management content.
  • Constrain outbound web access from web servers and network devices where operationally feasible, and monitor exceptions for C2-like web protocol behavior.

Analyst notes and limits

The most useful defensive framing is not the PHPsert name alone, but the combination of web shell persistence, encoded or obfuscated content, standard-encoded C2 data, web-protocol communications, and tool transfer relationships. The campaign relationship to Operation Digital Eye provides threat context, including reported targeting of business-to-business IT service providers in Southern Europe, while the malware description also notes historical use against targets in several countries. These details should inform prioritization, not replace environment-specific exposure analysis.

MITRE does not provide official detection text, aliases, labels, or tactics for PHPsert in the supplied object. The object platform is Network Devices, while several related techniques also list broader operating system platforms; this take does not expand PHPsert platform scope beyond the supplied malware platform. No claim is made that any specific organization is exposed or currently targeted. Confirmation requires local evidence from web content baselines, application logs, network telemetry, and incident response collection.

Official MITRE ATT&CK definition

PHPsert

PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone but integrated into web content such as text editors and content management systems.[1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Enterprise T1140 Deobfuscate/Decode Files or Information
  PHPsert has the ability to decode and decrypt obfuscated strings prior to execution. [1]

Enterprise T1505.003 Web Shell (sub-technique)
  PHPsert can use the PHP assert() function to execute attacker-provided code and maintain persistence on targeted web servers. [1]

Enterprise T1105 Ingress Tool Transfer
  PHPsert has the ability to retrieve remote payloads. [1]

Enterprise T1071.001 Web Protocols (sub-technique)
  PHPsert can retrieve remote files using HTTP POST. [1]

Enterprise T1027.013 Encrypted/Encoded File (sub-technique)
  PHPsert can use multiple obfuscation techniques including XOR encoding, hexadecimal character representation, string concatenation, and randomized variable names. [1]

Enterprise T1132.001 Standard Encoding (sub-technique)
  PHPsert can use Base64-encoded values in C2 communications. [1]

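The obfuscation and execution patterns in the table above are what a file-integrity review has to surface. As an added example (not code from the page, MITRE or SentinelOne), this Python scanner compares a web root against an assumed baseline of content hashes and scores every new or modified file with regexes for the six behaviors listed, resolving \xNN escapes first so a hex-hidden function name is still matched; the paths, baseline and sample file are constructed.

```python
import hashlib
import re

# Regexes for the obfuscation and execution patterns the relationship table attributes to PHPsert.
INDICATORS = {
    "assert_on_variable": re.compile(r"\bassert\s*\(\s*\$"),        # assert() fed a variable, not a literal
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),  # names hidden as \xNN bytes
    "base64_decode_name": re.compile(r"\bbase64_decode\b"),
    "variable_function_call": re.compile(r"\$[A-Za-z_]\w*\s*\("),   # $name(...) indirect call
    "xor_on_string_or_var": re.compile(r"\^\s*[\"'$]"),
    "split_string_concat": re.compile(r"\"[A-Za-z0-9_]{1,6}\"\s*\.\s*\"[A-Za-z0-9_]+\""),
}

def normalize(text):  # resolve \xNN escapes so a hex-hidden function name becomes visible
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def scan_php_source(text):  # indicator names matching the raw source or its de-hexed form
    views = (text, normalize(text))
    return [name for name, rx in INDICATORS.items() if any(rx.search(v) for v in views)]

def check_web_root(baseline, current, min_hits=3):
    """baseline: path -> sha256 of approved content; current: path -> content now on disk."""
    report = {}
    for path, text in current.items():
        digest = hashlib.sha256(text.encode()).hexdigest()
        status = "new" if path not in baseline else "modified" if baseline[path] != digest else "unchanged"
        hits = scan_php_source(text) if status != "unchanged" else []  # unchanged files are trusted by hash
        report[path] = {"status": status, "indicators": hits, "suspicious": len(hits) >= min_hits}
    return report

# Constructed web-root snapshots (assumed paths, not files from any real incident).
KNOWN_GOOD_FILES = {
    "/var/www/html/index.php": "<?php\necho 'Hello';\n",
    "/var/www/html/editor/plugins/img.php": "<?php\nreturn ['max_size' => 1024];\n",
}
BASELINE = {p: hashlib.sha256(t.encode()).hexdigest() for p, t in KNOWN_GOOD_FILES.items()}
# The editor plug-in now carries hex-escaped, concatenated, XOR and assert() patterns (indicator sample only).
SUSPICIOUS = r"""<?php
$k1a = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$f = "as" . "sert";
$z9q = $k1a("ZXhhbXBsZQ==") ^ "kkkkkkk";
assert($z9q);
"""
CURRENT_FILES = {
    "/var/www/html/index.php": KNOWN_GOOD_FILES["/var/www/html/index.php"],
    "/var/www/html/editor/plugins/img.php": SUSPICIOUS,
    "/var/www/html/uploads/cache.php": "<?php\nphpinfo();\n",
}
```

A file that is new but carries no indicators (the uploads/cache.php sample) still surfaces as "new" so that change-window and owner validation can decide whether it was approved.
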
Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0061: Operation Digital Eye

Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: a4a14ff70fea5a42...

Imported snapshots across ATT&CK releases (1):
  Release 19.1, object version 1.0, status: current bundle, raw hash a4a14ff70fea…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] sentinelone operationDigitalEye Dec 2024
     Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.
  2. [2] mitre-attack S9028
     MITRE ATT&CK software entry S9028 (PHPsert).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.