RE: https://infosec.exchange/@shadowserver/116127228590059956

These were infected with the EncystPHP webshell: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp