INJ3CTOR3 Targets FreePBX with JOMANGY Webshell in VoIP Exploitation Campaign
Severity: High (Score: 66.9)
Sources: Thecyberexpress, Gbhackers
Keywords: freepbx, hackers, inj3ctor3, advanced, systems, campaign, high
Summary
A cyber campaign attributed to INJ3CTOR3 is exploiting FreePBX systems using a new PHP webshell called JOMANGY. This operation employs a multi-stage Bash dropper that installs six-layer persistence mechanisms, allowing attackers to maintain control over compromised systems. The campaign has established 18 backdoor accounts, nine of which have root-level access, facilitating unauthorized access and control. This attack is primarily aimed at hijacking telephony infrastructure to generate fraudulent calls, impacting organizations directly. The persistence mechanisms are designed to survive cleanup efforts, making remediation challenging. Researchers from Cyble Research & Intelligence Labs have linked this activity to INJ3CTOR3, a group known for targeting VoIP systems for financial gain since 2019. The campaign represents a significant threat to organizations using FreePBX systems.

Key Points:
- INJ3CTOR3 is exploiting FreePBX systems with a new PHP webshell named JOMANGY.
- The attack establishes 18 backdoor accounts, including nine with root access.
- The persistence mechanisms can survive cleanup attempts, complicating remediation.
Detailed Analysis
**Impact**
FreePBX systems globally are targeted, with at least 3,080 IP addresses identified in reconnaissance scans, including 39% hosted on Alibaba Cloud in China, Hong Kong, and Singapore. The campaign enables attackers to hijack telephony infrastructure and generate fraudulent outbound calls, causing direct financial losses to affected organizations. Multiple sectors using VoIP infrastructure are at risk due to unauthorized root-level access and administrative control over PBX environments.

**Technical Details**
The attack uses a multi-stage Bash-based infection chain deploying six persistence mechanisms, including cron jobs, shell profile injections, immutable crontab backups, watchdog processes, and multiple JOMANGY PHP webshell copies. The previously undocumented JOMANGY webshell uses double obfuscation (Base64 over ROT13) and contains the watermark trace_e1ebf9066a951be519a24140711839ea. Attackers create 18 backdoor accounts, nine with UID-0 privileges, and one account inserted into the FreePBX MySQL database. The operation abuses SIP trunks via commands like `asterisk -rx "channel originate Local/ @"` to initiate toll fraud. No exploited CVEs were specified.

**Recommended Response**
Immediately audit FreePBX systems for unauthorized cron jobs, suspicious user accounts (especially those mimicking service accounts), and the presence of JOMANGY webshell indicators, including the watermark string. Harden access controls by removing unknown accounts and resetting credentials, and monitor for unusual outbound SIP call activity. Implement file integrity monitoring to detect immutable file attributes and self-healing persistence mechanisms. No specific patches were mentioned; focus on detection and removal of all persistence layers to prevent rapid reinfection.
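The audit steps in the recommended response, turned into offline triage helpers as an added example (not CRIL's or the reporting outlets' tooling): the UID-0 account check and the watermark string come from the report above; the `str_rot13`/`base64_decode` nesting heuristic and all sample inputs are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Watermark string reported for the JOMANGY webshell (from the analysis above).
JOMANGY_WATERMARK = "trace_e1ebf9066a951be519a24140711839ea"
# Heuristic (assumption): PHP that nests str_rot13 and base64_decode matches the
# "Base64 over ROT13" double obfuscation attributed to JOMANGY.
DOUBLE_OBFUSCATION = re.compile(
    r"base64_decode\s*\(\s*str_rot13|str_rot13\s*\(\s*base64_decode", re.I)


def uid0_accounts(passwd_text: str) -> List[str]:
    """Return every /etc/passwd account with UID 0 other than root itself."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def scan_php(source: str) -> Dict[str, bool]:
    """Flag a PHP file by the reported watermark and by the layering heuristic."""
    return {
        "watermark": JOMANGY_WATERMARK in source,
        "rot13_base64": bool(DOUBLE_OBFUSCATION.search(source)),
    }


def immutable_paths(lsattr_output: str) -> List[str]:
    """Parse `lsattr` output and return paths carrying the immutable (i) flag,
    which is how an immutable crontab backup would show up."""
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1])
    return found


# Constructed sample inputs (not data from any real system).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
    "sshd2:x:0:0::/:/bin/bash\n"  # mimics a service account but is UID 0
)
SAMPLE_PHP = ("<?php // trace_e1ebf9066a951be519a24140711839ea\n"
              "$d = base64_decode(str_rot13($blob));\n")
SAMPLE_LSATTR = ("--------------e------- /etc/crontab\n"
                 "----i---------e------- /var/spool/cron/root.bak\n")

if __name__ == "__main__":
    print(uid0_accounts(SAMPLE_PASSWD), scan_php(SAMPLE_PHP), immutable_paths(SAMPLE_LSATTR))
```

On a live host, feed the functions the contents of `/etc/passwd`, each PHP file under the web root, and the output of `lsattr` over the cron directories.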
Source articles (2)
- Hackers Use Six — Gbhackers · 2026-05-22
  Hackers are actively exploiting FreePBX systems using a highly resilient six-layer persistence mechanism. The campaign has been attributed with high confidence to the threat actor INJ3CTOR3, known for…
- INJ3CTOR3 Deploys JOMANGY Webshell in Advanced FreePBX Attacks — Thecyberexpress · 2026-05-22
  Researchers at Cyble Research & Intelligence Labs (CRIL) have uncovered an advanced cyber campaign targeting FreePBX systems and, with high confidence, linked the activity to the threat actor INJ3CTOR…
Timeline
- 2025-08-28 — CVE-2025-57819 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2025-11-07 — CVE-2025-64328 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-22 — INJ3CTOR3 campaign discovered: Cyble Research & Intelligence Labs reported an advanced campaign targeting FreePBX systems with JOMANGY webshell.
- 2026-05-22 — Persistence mechanisms detailed: The campaign employs a six-layer persistence mechanism to maintain control over compromised FreePBX systems.
Related entities
- Inj3ctor3 (Apt Group)
- Malware (Attack Type)
- China (Country)
- Singapore (Country)
- Cwe-89 - SQL Injection (Cwe)
- root.as (Domain)
- Jomangy (Malware)
- ZenharR (Malware)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1059.004 - Unix Shell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1136 - Create Account (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1505.003 - Web Shell (Mitre Attack)
- T1543.003 - Windows Service (Mitre Attack)
- Alibaba Cloud (Company)
- Sangoma (Company)
- Apache (Platform)
- Asterisk (Platform)
- Elastix (Platform)
- FreePBX (Platform)
- Issabel (Platform)
- MySQL (Platform)
- Bash (Tool)