INJ3CTOR3 Strengthens Cyber Campaign with JOMANGY Webshell Targeting FreePBX Systems
Researchers from Cyble Research & Intelligence Labs (CRIL) have identified a sophisticated cyber campaign aimed at FreePBX systems, attributing the activity to the threat actor known as INJ3CTOR3. This operation introduces a new PHP webshell family, dubbed JOMANGY, and utilizes the ZenharR malware toolkit, which has been previously linked to the same actor.
Unlike traditional malware campaigns that focus on ransomware or data theft, this operation is designed to hijack telephony infrastructure. It exploits victims’ SIP trunks to generate fraudulent outbound calls, directly billing the affected organizations. The campaign showcases an unusually resilient architecture capable of surviving cleanup attempts, restoring infections within minutes.
INJ3CTOR3 Builds a Self-Healing Persistence Framework
At the core of this operation is a multi-stage Bash-based infection chain that installs six distinct persistence mechanisms across compromised FreePBX systems. These mechanisms continuously reinforce one another, forming what researchers describe as a “self-healing” malware ecosystem.
The persistence channels include cron-based command-and-control polling occurring every one to three minutes, shell profile injections triggered during reboots and root logins, immutable crontab backups secured with chattr +i, and watchdog processes that automatically relaunch malware components. Multiple immutable copies of JOMANGY webshells are distributed throughout the server, along with a self-reinstalling PHP executor embedded within the environment.
Researchers have noted that partial remediation efforts are ineffective; any surviving component can quickly rebuild the full compromise. Even if administrators remove several malicious files or cron jobs, the remaining persistence layers can silently restore the infection.
Attackers Create 18 Backdoor Accounts Across FreePBX Systems
The campaign establishes extensive unauthorized access through 18 separate backdoor accounts distributed across various privilege levels. Nine of these accounts possess UID-0 privileges, effectively granting root-level access to the attackers.
Another eight accounts mimic legitimate service accounts typically found in FreePBX systems. One additional account is inserted directly into the FreePBX MySQL database, providing administrative web-panel access. To avoid detection, the attackers have used names such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma,” allowing these malicious accounts to blend seamlessly into standard PBX administrative environments. This approach significantly reduces the likelihood of casual detection during routine inspections.
JOMANGY Introduces a New PHP Webshell Family
CRIL researchers have identified JOMANGY as a previously undocumented malware family, marking this investigation as the first publicly known analysis of the toolset. Each recovered sample employs a double-obfuscation technique that combines Base64 encoding with ROT13 transformations.
All identified payloads also contained a watermark string, trace_e1ebf9066a951be519a24140711839ea, linking the malware samples to a common development source. Beyond persistence and remote command execution, JOMANGY features active toll fraud functionality capable of initiating outbound calls through compromised PBX infrastructure. Researchers observed commands such as:
asterisk -rx “channel originate Local/
This capability allows attackers to exploit victims’ telephony infrastructure for financial gain.
Large-Scale Reconnaissance Suggests Mass Exploitation
Researchers discovered a command-and-control-hosted inventory file named people2.txt, which contains 3,080 IP addresses believed to represent automated reconnaissance results. Approximately 39 percent of the listed systems are hosted on Alibaba Cloud infrastructure located in China, Hong Kong, and Singapore, indicating a geographically broad scanning operation. The findings suggest that INJ3CTOR3 is pursuing mass exploitation rather than highly selective targeting.
Additional evidence from stolen Elastix databases and references to Issabel and Sangoma environments indicates that the campaign targets a wide range of PBX deployments across Latin America, Southeast Asia, and the Middle East.
Infrastructure Overlaps Tie the Campaign to INJ3CTOR3
The malware infrastructure exhibits strong operational continuity with earlier INJ3CTOR3 campaigns. The Stage 1 dropper aggressively removes competing malware families and defensive tools before deploying its own payloads. Researchers found that over 50 webshell signatures were deleted from infected systems, while firewall rules blocked 11 rival command-and-control IP addresses.
Interestingly, the malware also eliminated artifacts associated with the actor’s own January 2026 campaign. This suggests that the operators migrated infrastructure from Brazilian-hosted systems to Dutch-hosted servers while attempting to erase remnants of older compromises. Attribution to INJ3CTOR3 is supported by several overlapping indicators, including the marker string bm2cjjnRXac1WW3KT7k6MKTR, previously documented by Fortinet during analysis of the encystPHP campaign in January 2026.
Stage 1 Establishes Initial Control and Persistence
The infection chain unfolds in multiple stages. Stage 1 begins with a large Bash dropper that removes competing implants, creates unauthorized accounts, deploys persistence mechanisms, and wipes evidence from system logs. The malware modifies .bash_profile, .bashrc, and /etc/rc.local to ensure execution during reboots and root logins. It also installs recurring cron jobs that continuously retrieve additional payloads from the command-and-control infrastructure.
Researchers noted that the malware additionally creates immutable crontab backups and deploys watchdog processes capable of automatically restoring deleted components.
Stage 2 Deploys JOMANGY Across Legitimate FreePBX Directories
Stage 2 is delivered through k.php, which introduces the JOMANGY webshell family into compromised FreePBX systems. The payload first re-executes portions of Stage 1 to reinforce persistence before writing obfuscated PHP backdoors into legitimate FreePBX web directories. One major target is /var/www/html/admin/views/ajax.php, a legitimate administrative file frequently accessed in FreePBX environments.
Additional JOMANGY copies are deployed in locations such as rest_phones/ajax.php, admin/modules/h/, and several PBX management directories. The attackers also implement .htaccess rewrite rules that redirect arbitrary requests toward hidden webshell copies, enhancing accessibility and survivability.
Researchers observed that k.php actively reinstalls malicious MySQL backdoor accounts whenever the payload executes, ensuring administrative access is recreated even if defenders remove compromised accounts.
Possible Exploitation Paths Remain Under Investigation
Researchers could not conclusively identify the initial exploitation vector due to the unavailability of relevant web logs and exploit payloads during analysis. However, two vulnerabilities have emerged as likely candidates.
The first is CVE-2025-64328, a post-authentication command injection flaw affecting the FreePBX filestore module, which had previously been exploited during earlier INJ3CTOR3 operations. The second is CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module capable of inserting malicious cron jobs into the scheduler. Researchers believe CVE-2025-57819 may be particularly relevant, as the campaign’s persistence architecture closely mirrors the scheduling abuse associated with the flaw.
ZenharR Malware Toolkit Expands the Infection
Stage 3 of the campaign is delivered through wr.php, a Bash-based dropper associated with the ZenharR malware toolkit. Like earlier stages, the payload reruns portions of the infection chain before deploying additional malware components. ZenharR webshells are written into key FreePBX directories, including /var/www/html/digium_phones/ajax.php and /var/www/html/admin/views/some.php.
However, researchers noted that the propagation logic also replicated the already-installed JOMANGY webshell into 15 additional locations across the web root. As a result, both JOMANGY and the ZenharR malware toolkit operate side by side on infected systems.
Another payload named wor.php was also discovered on the command-and-control server, although researchers could not identify an active trigger mechanism during analysis.
license.php Functions as a Privileged Persistence Mechanism
The license.php component acts as a highly privileged PHP command executor embedded within the FreePBX HA infrastructure. Unlike browser-accessible JOMANGY and ZenharR webshells, license.php contains no authentication controls and relies on remotely supplied format-string placeholders before activation.
Once triggered, the component enables arbitrary command execution with elevated privileges. Researchers observed that it could delete competing accounts, reset passwords for service users and even the root account, promote accounts to UID-0 privileges, modify SSH settings to preserve root access, and install dual-track cron persistence for both k.php and wr.php.
The malware also repeatedly scrubs Apache logs and communicates with root.php on the command-and-control infrastructure.
Obfuscation and Evasion Techniques Reduce Detection Rates
The campaign’s evasion methods are carefully optimized rather than excessively complex. In Stage 1, Base64 encoding is selectively applied only to highly suspicious commands, including useradd instructions responsible for creating UID-0 accounts. Cron payloads are hidden inside encoded variables, causing malicious crontab entries to appear relatively benign during casual inspection.
JOMANGY’s double-obfuscation design represents a notable evolution over earlier malware associated with INJ3CTOR3. Many automated analysis tools decode only the outer Base64 layer, leaving unreadable ROT13 output rather than functional PHP code.
Combined with dead-code anti-analysis logic, these techniques have contributed to extremely low antivirus detection rates. Researchers reported that both k.php and wr.php showed zero detections on VirusTotal during analysis, while the Stage 1 dropper was detected by only four out of 76 antivirus engines.
VoIP Toll Fraud Continues to Grow Globally
The broader implications of this campaign are substantial. Industry estimates indicate that global telecom fraud losses exceed $41 billion annually, with VoIP toll fraud representing a significant segment of the underground economy. Unlike ransomware campaigns that generate immediate visibility, toll fraud operations provide cybercriminals with a quieter and more sustainable revenue stream by routing calls through premium-rate numbers or third-party fraud networks.
FreePBX systems remain particularly attractive targets as many organizations expose management interfaces directly to the internet while operating outdated or poorly secured deployments. According to data from the Shadowserver Foundation collected in early 2026, over 900 FreePBX systems were actively compromised by related campaigns, with more than 700 remaining infected months after public disclosure and remediation guidance.
INJ3CTOR3 continues to evolve its tooling, infrastructure, and persistence techniques. The introduction of JOMANGY alongside the ZenharR malware toolkit demonstrates a highly mature threat operation specifically engineered for resilience, monetization, and long-term control over vulnerable FreePBX systems.
Source: thecyberexpress.com
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
