Found a request in my HTTP honeypot I couldn't explain. Investigation revealed it's been scanning widely and attempting to exploit a FreePBX command injection vulnerability and install a webshell.
77.247.108.81 - - [21/Sep/2021:18:54:34 -0400] "GET /gbr.php HTTP/1.1" 400 226 "-" "gbrmss/7.29.0" "ct:text/html"
Using this IP I spotted this link which showed me the form data: https://threatwar.com/attackers/695a2a8e-3cb6-4d74-8af8-d5058079a909
Based on the request there this appears to be an RCE injected via the "language" header. Exploit here: https://www.exploit-db.com/exploits/40434
From there I investigated the initial dropper: