Thecyberexpress
INJ3CTOR3 Targets FreePBX Systems with JOMANGY Webshell and VoIP Toll Fraud
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A cyber campaign attributed to the threat actor INJ3CTOR3 is targeting FreePBX systems, deploying a new PHP webshell named JOMANGY. This operation utilizes a six-layer persistence mechanism to maintain control over compromised systems, allowing attackers to exploit victims' SIP trunks for fraudulent VoIP calls. The campaign has introduced 18 backdoor accounts, nine of which have root-level access, making detection challenging. Researchers from Cyble Research & Intelligence Labs (CRIL) have linked this activity to previous operations involving the ZenharR malware toolkit. The attack leverages vulnerabilities such as CVE-2025-64328 and CVE-2025-57819 to gain initial access. The scope of impact is global, with a significant focus on systems hosted on Alibaba Cloud. Current remediation efforts are largely ineffective due to the self-healing nature of the malware.
Key Points: • INJ3CTOR3 is exploiting FreePBX systems using a new webshell called JOMANGY. • The campaign employs a six-layer persistence mechanism, making removal difficult. • Eighteen backdoor accounts, including nine with root access, enhance the attack's stealth.