“Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want,” the representative wrote.