INJ3CTOR3 Targets FreePBX Systems with JOMANGY Webshell and VoIP Toll Fraud

INJ3CTOR3 Targets FreePBX Systems with JOMANGY Webshell and VoIP Toll Fraud

First seen 22 May 2026, 13:58 UTC ThecyberexpressGbhackersCybersecuritynewscyble.com 85% similarity 71.0

Article Content

Browse articles
ThreatCluster

A cyber campaign attributed to the threat actor INJ3CTOR3 is targeting FreePBX systems, deploying a new PHP webshell named JOMANGY. This operation utilizes a six-layer persistence mechanism to maintain control over compromised systems, allowing attackers to exploit victims' SIP trunks for fraudulent VoIP calls. The campaign has introduced 18 backdoor accounts, nine of which have root-level access, making detection challenging. Researchers from Cyble Research & Intelligence Labs (CRIL) have linked this activity to previous operations involving the ZenharR malware toolkit. The attack leverages vulnerabilities such as CVE-2025-64328 and CVE-2025-57819 to gain initial access. The scope of impact is global, with a significant focus on systems hosted on Alibaba Cloud. Current remediation efforts are largely ineffective due to the self-healing nature of the malware.

Key Points: • INJ3CTOR3 is exploiting FreePBX systems using a new webshell called JOMANGY. • The campaign employs a six-layer persistence mechanism, making removal difficult. • Eighteen backdoor accounts, including nine with root access, enhance the attack's stealth.

ThreatCluster AI

Timeline

2021-12-22
CVE-2021-45461 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-08-28
CVE-2025-57819 published
A pre-authentication SQL injection vulnerability in FreePBX was disclosed, allowing unauthorized access.
Gbhackers
2025-11-07
CVE-2025-64328 published
A command injection flaw in the FreePBX filestore module was published, enabling potential exploitation.
Gbhackers
2026-02-03
CVE-2025-64328 added to CISA KEV
CISA added CVE-2025-64328 to its Known Exploited Vulnerabilities list due to active exploitation.
Gbhackers
Recent
INJ3CTOR3 campaign identified
Cyble Research & Intelligence Labs reported ongoing exploitation of FreePBX systems by INJ3CTOR3 using JOMANGY.
Thecyberexpress

Community

Browse all →