Hello and welcome to the Tuesday, April 14th,

2026 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recorded today from Stockholm, Germany.

And this episode is brought you by the Sands.edu credit certificate program in cyber security leadership.

Today I wrote about scans for an insist web shell that we observed.

These are often done as a follow-up to then scans for free ppx vulnerabilities, but also, well, just as parasitic scans,

looking for already installed web shells. Fortinet wrote about these particular web shells

back in January, but we have just seen sort of another scan for them.

Fortynet also observed them being used against free PBX system.

So if you're running free PBX, you may want to take a look at some of the indicators of compromise or such for this particular web shell.

Now, what makes it a little bit more tricky to detect is that it replaces existing files,

so you won't really see necessarily new files.

They're doing a good job in sort of fitting in on the system.

They are, however, at least the scans that I've seen adding a number of additional accounts to

the system.

So if you're just checking your Etsy password file,

you may see these specific accounts

with their preset passwords defined as part of the attack.

This particular web shell does use a password.

Now, the password parameter is called MD5,

but it's not an MD5 hash necessarily

that's being sent here. In the example, I've seen it had the format of an MD5 hash, but the

...