New Ensiko PHP WebShell malware with ransomware capabilities that can affect Windows, macOS and Linux systems


New Ensiko PHP WebShell malware can encrypt files and infect any Windows, macOS, Linux PC/laptop/servers that use PHP

Security researchers have discovered a new PHP WebShell malware with encryption capabilities. Trend Micro security researchers have named this new malware as Ensiko and it infects any operating system which runs any PHP script. Ensiko malware is feature-rich and can be used by threat actors for remotely controlling compromised PC/laptops/systems, steal confidential information and even work as ransomware.

Ensiko is like a malware supermarket, tt is capable of executing shell level (OS) commands and send it back to command and control servers. Plus, it can also scan systems and servers for sensitive or valuable information. To top it off, threat actors can use the Ensiko as a ransomware and demand ransom from the infected victims.

Ensiko malware features:

  • The malware can be password-protected.
  • The file-encryption component is one of the capabilities that can be used to wage attacks against servers.
  • According to the researchers at Trend Micro, the malware uses PHP RIJNDAEL_128 algorithm with CBC mode to encrypt files in a web shell directory.
  • Another function includes the recursive overwrite of all files with a specified extension in a directory of a web shell.

Trend Micro analyst Aliakbar Zahravi analyzed the Ensiko strain and found that it has a host of capabilities including remote server control and encryption. Zahravi found that  Ensiko is written in PHP and can victimize any internet-facing server or system running on an environment that supports PHP. This makes Windows, macOS as well as Linux susceptible to Ensiko attacks. As is the case with typical WebShell, Ensiko can execute code and scripts to gain remote server administration and control.

Once a system is infected, Ensiko can exhibit ransomware capabilities by encrypting stored files. It implements PHP RIJNDAEL_128 with block cipher mode of operation to encrypt files. Ensiko also has the unique ability to scan pasting website, Pastebin, and download additional malware/instructions directly from there. Threat actors use Pastebin to send new instructions to Ensiko infected systems. Once it downloads the malware/instructions, it stores them in a directory called “tools_ensikology” hence the name.

One of the unconventional characteristics of Ensiko is that it can be password protected for authentication.

Ensiko is also capable of downloading malware from images using Steganologer. Steganloger can download the malware code hidden in the images and execute them on the victim’s computer or server. Zahravi discovered that Ensiko can also check if a web shell from a predefined list is present on a remote host. Another scanning function called Remote File Check allows the operator to look for arbitrary files on a remote system.

Ensiko capabilities:

Ensiko’s malware can be used by threat actors to disrupt services like website defacing, exfiltrate, and disclose sensitive server data. It can also be used to carry out brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet. It can encrypt files on the victim’s servers and demand ransom.


Ensiko malware is like multiple malware bundled into one super malware. Since it is PHP WebShell based malware it can even infect air-gapped systems (non-Internet-connected systems). The malware is designed to hide and operate as anti-virus can’t easily identify web shells. Using Pastebin for downloading further modules/instructions makes it hard to locate the command and control servers.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments