Researchers at Cyble Research & Intelligence Labs (CRIL) have uncovered an advanced cyber campaign targeting FreePBX systems and, with high confidence, linked the activity to the threat actor INJ3CTOR3. The operation introduces a previously undocumented PHP webshell family named JOMANGY and deploys the ZenharR malware toolkit, which has previously been associated with the same actor.
Unlike conventional malware campaigns centered on ransomware or data theft, this operation is designed to hijack telephony infrastructure and abuse victims’ SIP trunks to generate fraudulent outbound calls billed directly to affected organizations. Researchers said the campaign demonstrates an unusually persistent architecture capable of surviving cleanup attempts and restoring infections within minutes.
INJ3CTOR3 Builds a Self-Healing Persistence Framework
At the center of the operation is a multi-stage Bash-based infection chain that installs six separate persistence mechanisms across compromised FreePBX systems. These mechanisms continuously reinforce one another, creating what researchers described as a “self-healing” malware ecosystem.
The persistence channels include cron-based command-and-control polling every one to three minutes, shell profile injections triggered during reboots and root logins, immutable crontab backups protected with chattr +i, watchdog processes that automatically relaunch malware components, multiple immutable copies of JOMANGY webshells scattered across the server, and a self-reinstalling PHP executor embedded into the environment.
Researchers noted that partial remediation efforts are ineffective because any surviving component can rapidly rebuild the full compromise. Even if administrators remove several malicious files or cron jobs, remaining persistence layers can silently restore the infection.
Attackers Create 18 Backdoor Accounts Across FreePBX Systems
The campaign also establishes extensive unauthorized access using 18 separate backdoor accounts spread across multiple privilege levels. Nine of these accounts possess UID-0 privileges, effectively granting root-level access to the attackers.
Another eight accounts imitate legitimate service accounts commonly found in FreePBX systems, while one additional account is inserted directly into the FreePBX MySQL database to provide administrative web-panel access. To avoid suspicion, the attackers used names such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma,” allowing the malicious accounts to blend into ordinary PBX administrative environments.
Researchers believe this approach significantly reduces the chances of casual detection during routine inspections.
JOMANGY Introduces a New PHP Webshell Family
CRIL researchers identified JOMANGY as a previously undocumented malware family, making this investigation the first publicly known analysis of the toolset. Every recovered sample used a double-obfuscation technique involving Base64 encoding layered over ROT13 transformations.
All identified payloads also contained the watermark string trace_e1ebf9066a951be519a24140711839ea, linking the malware samples to a common development source.
Beyond persistence and remote command execution, JOMANGY contains active toll fraud functionality capable of initiating outbound calls through compromised PBX infrastructure. Researchers observed commands such as:
asterisk -rx “channel originate Local/<num>@<context>”
This capability allows attackers to abuse victims’ telephony infrastructure directly for financial gain.
Large-Scale Reconnaissance Suggests Mass Exploitation
Researchers also discovered a command-and-control-hosted inventory file named people2.txt containing 3,080 IP addresses believed to represent automated reconnaissance results.
Approximately 39 percent of the listed systems were hosted on Alibaba Cloud infrastructure located in China, Hong Kong, and Singapore, suggesting a geographically broad scanning operation. The findings indicate that INJ3CTOR3 is pursuing mass exploitation rather than highly selective targeting.
Additional evidence recovered from stolen Elastix databases and references to Issabel and Sangoma environments suggests the campaign targets a wide range of PBX deployments across Latin America, Southeast Asia, and the Middle East.
Infrastructure Overlaps Tie the Campaign to INJ3CTOR3
The malware infrastructure demonstrated strong operational continuity with earlier INJ3CTOR3 campaigns. The Stage 1 dropper aggressively removed competing malware families and defensive tooling before deploying its own payloads.
Researchers found that more than 50 webshell signatures were deleted from infected systems, while firewall rules blocked 11 rival command-and-control IP addresses.
Interestingly, the malware also removed artifacts associated with the actor’s own January 2026 campaign. Researchers believe this indicates that the operators migrated infrastructure from Brazilian-hosted systems to Dutch-hosted servers while attempting to erase remnants of older compromises.
Attribution to INJ3CTOR3 is supported by several overlapping indicators. Researchers identified the marker string bm2cjjnRXac1WW3KT7k6MKTR, previously documented by Fortinet during analysis of the encystPHP campaign in January 2026.
Additional overlaps involving command-and-control infrastructure, file paths, credential implantation patterns, and binary names matched prior reporting from Palo Alto Networks Unit 42, Check Point Research, and SANS Internet Storm Center.
Stage 1 Establishes Initial Control and Persistence
The infection chain unfolds in multiple stages. Stage 1 begins with a large Bash dropper that removes competing implants, creates unauthorized accounts, deploys persistence mechanisms, and wipes evidence from system logs.
The malware modifies .bash_profile, .bashrc, and /etc/rc.local to ensure execution during reboots and root logins. It also installs recurring cron jobs that continuously retrieve additional payloads from the command-and-control infrastructure.
Researchers said the malware additionally creates immutable crontab backups and deploys watchdog processes capable of restoring deleted components automatically.
Stage 2 Deploys JOMANGY Across Legitimate FreePBX Directories
Stage 2 is delivered through k.php, which introduces the JOMANGY webshell family into compromised FreePBX systems.
The payload first re-executes portions of Stage 1 to reinforce persistence before writing obfuscated PHP backdoors into legitimate FreePBX web directories. One major target is /var/www/html/admin/views/ajax.php, a legitimate administrative file frequently accessed in FreePBX environments.
Additional JOMANGY copies are deployed into locations such as rest_phones/ajax.php, admin/modules/h/, and several PBX management directories. The attackers also implement .htaccess rewrite rules that redirect arbitrary requests toward hidden webshell copies, improving accessibility and survivability.
Researchers observed that k.php actively reinstalls malicious MySQL backdoor accounts whenever the payload executes, ensuring administrative access is recreated even if defenders remove compromised accounts.
Possible Exploitation Paths Remain Under Investigation
Researchers could not conclusively identify the initial exploitation vector because relevant web logs and exploit payloads were unavailable during analysis. However, two vulnerabilities emerged as likely candidates.
The first is CVE-2025-64328, a post-authentication command injection flaw affecting the FreePBX filestore module. The vulnerability had previously been exploited during earlier INJ3CTOR3 operations.
The second is CVE-2025-57819, a pre-authentication SQL injection vulnerability in the FreePBX Endpoint module capable of inserting malicious cron jobs into the scheduler.
CRIL researchers believe CVE-2025-57819 may be particularly relevant because the campaign’s persistence architecture closely mirrors the scheduling abuse associated with the flaw. Earlier malware variants reportedly disabled the Endpoint module after exploitation, while the latest campaign leaves it active.
ZenharR Malware Toolkit Expands the Infection
Stage 3 of the campaign is delivered through wr.php, a Bash-based dropper associated with the ZenharR malware toolkit.
Like earlier stages, the payload reruns portions of the infection chain before deploying additional malware components. ZenharR webshells are written into key FreePBX directories, including /var/www/html/digium_phones/ajax.php and /var/www/html/admin/views/some.php.
However, researchers noted that the propagation logic also replicated the already-installed JOMANGY webshell into 15 additional locations across the web root. As a result, both JOMANGY and the ZenharR malware toolkit operate side by side on infected systems.
Another payload named wor.php was also discovered on the command-and-control server, although researchers could not identify an active trigger mechanism during analysis.
license.php Functions as a Privileged Persistence Mechanism
The license.php component acts as a highly privileged PHP command executor embedded within the FreePBX HA infrastructure.
Unlike browser-accessible JOMANGY and ZenharR webshells, license.php contains no authentication controls and relies on remotely supplied format-string placeholders before activation.
Once triggered, the component enables arbitrary command execution with elevated privileges. Researchers observed that it could delete competing accounts, reset passwords for service users and even the root account, promote accounts to UID-0 privileges, modify SSH settings to preserve root access, and install dual-track cron persistence for both k.php and wr.php.
The malware also repeatedly scrubbed Apache logs and communicated with root.php on the command-and-control infrastructure.
Obfuscation and Evasion Techniques Reduce Detection Rates
The campaign’s evasion methods were carefully optimized rather than excessively complex. In Stage 1, Base64 encoding was selectively applied only to highly suspicious commands, including useradd instructions responsible for creating UID-0 accounts.
Cron payloads were hidden inside encoded variables, causing malicious crontab entries to appear relatively benign during casual inspection.
JOMANGY’s double-obfuscation design represents a notable evolution over earlier malware associated with INJ3CTOR3. Many automated analysis tools decode only the outer Base64 layer, leaving unreadable ROT13 output rather than functional PHP code.
Combined with dead-code anti-analysis logic, these techniques contributed to extremely low antivirus detection rates. Researchers reported that both k.php and wr.php showed zero detections on VirusTotal during analysis, while the Stage 1 dropper was detected by only four out of 76 antivirus engines.
VoIP Toll Fraud Continues to Grow Globally
The broader implications of the campaign are substantial. Industry estimates place global telecom fraud losses at more than $41 billion annually, with VoIP toll fraud representing a major segment of the underground economy.
Unlike ransomware campaigns that generate immediate visibility, toll fraud operations provide cybercriminals with a quieter and more sustainable revenue stream by routing calls through premium-rate numbers or third-party fraud networks.
FreePBX systems remain particularly attractive targets because many organizations expose management interfaces directly to the internet while running outdated or poorly secured deployments.
According to data from the Shadowserver Foundation collected in early 2026, more than 900 FreePBX systems were actively compromised by related campaigns, while over 700 remained infected months after public disclosure and remediation guidance.
Researchers concluded that INJ3CTOR3 continues to evolve its tooling, infrastructure, and persistence techniques. The introduction of JOMANGY alongside the ZenharR malware toolkit demonstrates a highly mature threat operation specifically engineered for resilience, monetization, and long-term control over vulnerable FreePBX systems.
