Unlocked PHP Installation Exposes Threat Actor Malware Platform
A misconfigured PHP installation page publicly exposed the internal infrastructure of a live malware distribution platform. This oversight allowed a security researcher to gain unintentional administrative access to a threat actor’s dashboard.
What initially appeared to be a fake software download site turned out to be an active backend system used to deliver malware.
During routine IOC validation and web enumeration, several sensitive directories were discovered, including an exposed installation endpoint located at “/install/install.php”.
The presence of this installer on a live production system proved to be a critical security flaw. The PHP application lacked safeguards to verify whether it had already been installed, allowing the setup process to be rerun.
The investigation started with a suspicious domain shared on X. The researcher reinitialized the application by pointing the installer at a MySQL instance under their own control and supplying its connection details.
The installer then created a fresh database schema in that instance and prompted for a new administrator account, which granted full administrative access to the panel.

Unlocked PHP Installation Page Exposed Malware
Initially, accessing the dashboard resulted in a 500 Internal Server Error due to inconsistencies between the application and the newly configured database.
However, after the threat actor restored the backend configuration, the researcher regained access without having to log in again.
This was possible because the application trusted any existing server-side session and never invalidated active sessions when its installation state or backend configuration changed.
The previously issued session token remained valid, allowing seamless access to the administrative panel.
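The two missing controls described above, a one-shot installer and sessions that die when the installation changes, are shown below as an added example in PHP. This is not code from the platform in the report; the table names (`settings`, `admins`), the PDO handle `$db`, and the helper functions are assumptions made for the example.

```php
<?php
// Added example, not the malware platform's own code. Hardening for a PHP admin
// panel of the kind described above:
//   (1) install.php is guarded by a lock file written only after a successful run;
//   (2) admin sessions are bound to an "install generation" stored in the database,
//       so rerunning the installer or restoring another backend revokes every
//       previously issued session.
// Assumed (hypothetical) schema: settings(name, value) and admins(id, username,
// password_hash); $db is a PDO handle to the MySQL database.

declare(strict_types=1);

const LOCK_FILE = __DIR__ . '/install.lock';

// --- install.php -----------------------------------------------------------

function installer_guard(): void
{
    // Vulnerable pattern: no check at all, so anyone who finds /install/install.php
    // can rerun setup against a database they control. Check the lock first.
    if (file_exists(LOCK_FILE)) {
        http_response_code(404);
        exit('Not found');
    }
}

function run_installer(PDO $db, string $adminUser, string $adminPass): void
{
    installer_guard();

    $db->exec('CREATE TABLE IF NOT EXISTS settings (name VARCHAR(64) PRIMARY KEY, value TEXT NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS admins (id INT AUTO_INCREMENT PRIMARY KEY, '
            . 'username VARCHAR(64) UNIQUE, password_hash VARCHAR(255) NOT NULL)');

    // A fresh random generation value; every session minted before this value
    // changed fails the comparison in require_admin().
    $generation = bin2hex(random_bytes(16));
    $stmt = $db->prepare('REPLACE INTO settings (name, value) VALUES (?, ?)');
    $stmt->execute(['install_generation', $generation]);

    $stmt = $db->prepare('INSERT INTO admins (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$adminUser, password_hash($adminPass, PASSWORD_DEFAULT)]);

    // Write the lock last, only after the installation actually completed.
    if (file_put_contents(LOCK_FILE, date('c') . "\n", LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . LOCK_FILE);
    }
}

// --- shared by login.php and every admin page ------------------------------

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
}

function current_generation(PDO $db): ?string
{
    $stmt = $db->prepare('SELECT value FROM settings WHERE name = ?');
    $stmt->execute(['install_generation']);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

function login_admin(PDO $db, int $adminId): void
{
    start_secure_session();
    // Rotate the session id on privilege change (defeats fixation), then record
    // which install generation this session was issued against.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $adminId;
    $_SESSION['install_generation'] = current_generation($db);
}

function require_admin(PDO $db): void
{
    start_secure_session();
    // Vulnerable pattern: `if (!isset($_SESSION['admin_id'])) redirect();` and
    // nothing more. A session created against the researcher's database would pass
    // that check even after the operators restored their own backend.
    $generation = current_generation($db);
    if (!isset($_SESSION['admin_id'], $_SESSION['install_generation'])
        || $generation === null
        || !hash_equals($generation, (string) $_SESSION['install_generation'])) {
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session revoked');
    }
}
```

The lock file only helps if the web root is writable at install time and the check runs before any installer logic; the more robust deployment step is to delete the `/install/` directory entirely once setup is done, which also removes it from anything an enumeration tool can find. Binding sessions to a generation value costs one indexed lookup per admin request and gives the operator a single switch (rotate `install_generation`) to log everyone out.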
Further analysis revealed that the platform was a relatively simple but functional malware distribution system.

It consisted of a PHP-based admin panel connected to a MySQL database, with file storage used to host malicious payloads.
The system generated dynamic download pages based on URL parameters and used multi-stage redirection chains to route victims.
In several cases, intermediary services were used before redirecting users to the final malware-hosting domain, helping the attackers evade detection.
The administrative dashboard included features for managing downloads, tracking visitor activity, and configuring campaign settings, indicating a structured operation rather than a basic phishing setup.

Despite its functionality, the infrastructure suffered from weak security practices, particularly around deployment and session management.
Indicators of compromise (IoCs):
Domains: micronsoftwares[.]com, wetransfer[.]ICU.
SHA256: 7b03fb383a5ce784a3cb9b0f8a76a84e984d14e553de5d98faff3d07d9793085.
According to Potato, in a report shared with Cybersecurity News, this incident highlights how even active threat actor infrastructure can be compromised by simple misconfigurations.
The failure to disable or remove the installation script and to enforce proper session controls created an unintended entry point into the system.
Although the researcher briefly gained administrative access, the vulnerability was later patched by the operators. The malicious infrastructure, however, remains active and continues to distribute malware.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.