AS4 - PHP Zerodium Backdoor

In March 2023 it was discovered that a bad actor succeeded to infect the official PHP code with a backdoor. PHP is one the most common technologies for web applications - a succesful attack would have meant taking over millions of servers.



T0137 - Weak Authentication Methods

As part of the action items after the breach was to enable MFA
T0137 page

Initial Access

T0180 - Compromise Services / Servers

PHP Git server was maitained by the PHP developers. After the breach they decided to move to Github.
T0180 page

Defense Evasion

T0195 - Spoofed Commits

The attackers tried to impersonate two PHP developers
T0195 page


T0191 - Malicious Code In Artifacts

On March 28th, 2021, two commits to the source code of PHP were more than extraordinary. They contained a backdoor which would execute if HTTP_USER_AGENTT string starts with ‘zerodium’.
T0191 page

Resource Development

T0111 - Malicious Code Contribution To An Open-Source Repository

T0111 page


T0172 - Runtime Backdoor

The backdoor would execute commands when a http request with user-agent zerodium was sent
T0172 page


PHP Zerodium Backdoor
PHP Userss