Proprietary 2016-01-01 · 1126 days · Remote Code Execution, Backdoor, Data Theft

phpStudy package carried PHP DLL backdoor

phpStudy distributions for Windows carried a backdoored PHP extension DLL that executed base64-encoded PHP code supplied in HTTP request headers. Police reporting later tied the backdoor to large-scale host control and data theft.

Story

phpStudy was a Windows bundle for local PHP development and small server deployments. In 2019, public reporting said that a backdoor had been maliciously planted in the phpStudy package released in 2016, and that the maintainer removed the tampered package in January 2019.

The backdoor lived in PHP extension code, not in a visible installer script. Public reproductions identified php_xmlrpc.dll under the PHP 5.2.17 and 5.4.45 paths. The DLL inspected request headers and, when they matched its trigger conditions, decoded attacker-supplied base64 PHP from the Accept-Charset header.

The execution path was direct. Triggering requests carried Accept-Encoding: gzip,deflate and a base64 payload in Accept-Charset; the extension decoded the payload and passed it to PHP evaluation. That turned any exposed phpStudy-hosted application into unauthenticated remote code execution running as the web server user.

NSFOCUS cited Hangzhou police reporting that the planted backdoor was used to control more than 670,000 computers and collect more than 100,000 pieces of data, including accounts, passwords, chat data, and device identifiers. This record tracks the software supply-chain insertion, not later exploitation of individual exposed servers.
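Two defender-side checks follow from the record above: matching a php_xmlrpc.dll against the MD5 indicators listed in the artifact section, and flagging requests whose Accept-Charset header is a base64 blob that decodes to PHP source paired with the reported Accept-Encoding value. The script below is an added example written for this page, not code from phpStudy, NSFOCUS or the PoC repository; the sample requests are constructed, the severity labels and the PHP_MARKERS heuristic are this example's own assumptions, and the exact-match test on "gzip,deflate" follows the header value quoted in the story rather than a confirmed reading of the DLL's matching logic.

```python
"""Added detection helpers for the phpStudy php_xmlrpc.dll backdoor pattern.

(1) compare a DLL's MD5 against the indicators in this record;
(2) flag HTTP requests whose Accept-Charset is base64 that decodes to PHP.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
from typing import Optional

# MD5 hashes of the backdoored DLL builds, copied from this record's artifacts.
KNOWN_BAD_MD5 = {
    "c339482fd2b233fb0a555b629c0ea5d5",  # php/php-5.4.45/ext/php_xmlrpc.dll
    "0f7ad38e7a9857523dfbce4bce43a9e9",  # php/php-5.2.17/ext/php_xmlrpc.dll
}

# Heuristic (an assumption of this example): substrings that, in printable
# decoded text, point to PHP source rather than a charset name. Legitimate
# charset tokens such as "utf-8" or "gbk" never base64-decode to printable ASCII.
PHP_MARKERS = ("<?", "eval", "system", "$_", ";", "(")


def is_known_bad_md5(digest: str) -> bool:
    """True if an MD5 hex digest matches a backdoored php_xmlrpc.dll build."""
    return digest.strip().lower() in KNOWN_BAD_MD5


def dll_is_known_bad(data: bytes) -> bool:
    """Hash raw DLL bytes and compare against the record's indicators."""
    return is_known_bad_md5(hashlib.md5(data).hexdigest())


def decode_accept_charset(value: str) -> Optional[str]:
    """Return the decoded text if Accept-Charset is valid base64 that decodes
    to PHP-looking printable ASCII; otherwise None."""
    token = value.strip()
    if not token:
        return None
    # PHP's base64_decode tolerates missing padding; normalise before decoding.
    token += "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text if any(marker in text for marker in PHP_MARKERS) else None


def inspect_request(headers: dict[str, str]) -> Optional[dict]:
    """Score one request's headers; returns a finding dict or None."""
    lower = {k.lower(): v for k, v in headers.items()}
    decoded = decode_accept_charset(lower.get("accept-charset", ""))
    if decoded is None:
        return None
    # The story quotes "Accept-Encoding: gzip,deflate" (no space) alongside the
    # payload; treat that exact pairing as high, a bare payload as medium.
    severity = "high" if lower.get("accept-encoding") == "gzip,deflate" else "medium"
    return {"severity": severity, "decoded": decoded}


def scan(requests: list[dict[str, str]]) -> list[dict]:
    """Run inspect_request over a batch; returns findings tagged with index."""
    findings = []
    for index, req in enumerate(requests):
        hit = inspect_request(req)
        if hit is not None:
            findings.append({"index": index, **hit})
    return findings


# Constructed sample requests (not captured traffic): a normal browser request,
# a request in the reported trigger shape, and a payload without the encoding header.
_SAMPLE_BLOB = base64.b64encode(b"echo 'constructed-sample';").decode()
SAMPLE_REQUESTS = [
    {"Accept-Encoding": "gzip, deflate, br", "Accept-Charset": "utf-8, iso-8859-1;q=0.5"},
    {"Accept-Encoding": "gzip,deflate", "Accept-Charset": _SAMPLE_BLOB},
    {"Accept-Charset": _SAMPLE_BLOB},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

On a live server the same logic can run over access logs only if the log format records request headers; by default most web servers do not log Accept-Charset, so the check is better placed in a reverse proxy or WAF rule, while the hash comparison is the quick way to triage an existing phpStudy install.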

Affected Artifacts

phpStudy

Windows installer · xp.cn · Binary Archive
Observed
2016-01-01 to 2019-01-31
Compromised Versions
Fixed
Not listed
Hashes
  • md5:c339482fd2b233fb0a555b629c0ea5d5
Evidence
distribution: xp.cn/phpstudy, mirror: github.com/jas502n/PHPStudy-Backdoor, file: php/php-5.4.45/ext/php_xmlrpc.dll, cve: CVE-2025-34061, +3 more
  • NSFOCUS described the affected scope as the PHP 5.4 distribution in the phpStudy 2016 package and said the developer removed the backdoor in January 2019.
  • NVD and the GitHub Advisory Database describe broader PHPStudy 2016 through 2018 exposure; this artifact records the narrower DLL and version detail with public hashes.

phpStudy

Windows installer · xp.cn · Binary Archive
Observed
2016-01-01 to 2019-01-31
Compromised Versions
Fixed
Not listed
Hashes
  • md5:0f7ad38e7a9857523dfbce4bce43a9e9
Evidence
distribution: xp.cn/phpstudy, mirror: github.com/jas502n/PHPStudy-Backdoor, file: php/php-5.2.17/ext/php_xmlrpc.dll, cve: CVE-2025-34061, +1 more
  • Public proof-of-concept analysis found the same eval markers in the PHP 5.2.17 php_xmlrpc.dll shipped with affected phpStudy distributions.

Incident Context

Motive
Credential Theft
Attribution
Person
Cause
Compromised Build Or Distribution
Transitive
No
Actor
Individual Hacker
User Impact
670000

External References

Source record: proprietary/phpstudy/meta.yaml