Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
INJ3CTOR3 Hackers Exploit FreePBX Systems with Six-Layer Tactics

INJ3CTOR3 Hackers Exploit FreePBX Systems with Six-Layer Tactics

Posted on May 22, 2026 By CWS

A sophisticated hacking group known as INJ3CTOR3 has launched an extensive attack on FreePBX systems, utilizing a newly identified PHP webshell named JOMANGY. This webshell employs six distinct persistence layers to remain entrenched within compromised servers.

Targeting Vulnerable VoIP Systems

The attackers have set their sights on internet-facing VoIP systems, exploiting them for toll fraud by routing calls through these systems at the expense of the victims. The campaign is aggressively targeting over 3,000 IP addresses, indicating a strategy focused on large-scale automated exploitation.

FreePBX, an open-source interface for managing phone systems based on Asterisk software, is widely used by businesses. These systems manage real carrier accounts with SIP trunks capable of generating legitimate phone calls. By infiltrating these systems, hackers can reroute calls through premium-rate numbers they control, leaving victims to bear the costs without the need for additional attacks like ransomware.

INJ3CTOR3’s Persistent Campaign

Analysts at Cyble have identified this campaign and shared their findings in a comprehensive report. They confidently attribute the operation to INJ3CTOR3, a group with a history of targeting VoIP infrastructure for monetary gains since 2019. Previous efforts by the same group were documented by entities like Check Point Research and Palo Alto Unit 42.

The Shadowserver Foundation reported that over 900 FreePBX hosts were compromised in a campaign wave in early 2026. Despite public disclosure, more than 700 systems remained affected months later, highlighting the challenges in eradicating these infections even after patching known vulnerabilities.

Complex Persistence Mechanisms

The current campaign capitalizes on two key vulnerabilities: CVE-2025-64328, a post-authentication command injection flaw, and CVE-2025-57819, a pre-authentication SQL injection bug in FreePBX modules. While both vulnerabilities have been patched, the malware’s persistence mechanisms allow it to re-establish itself easily.

The six-layer persistence strategy includes cron jobs re-downloading the dropper, code injections triggered at root logins and reboots, hidden crontab copies, and a process watchdog. Additionally, webshells are installed across multiple paths in the FreePBX web directory, ensuring the infection can rebuild itself swiftly.

Minimal Detection and Multiple Backdoors

The threat actors also deploy 18 backdoor accounts across different privilege levels within the system. This includes root-equivalent privileges and service account levels, with names chosen to blend in with legitimate accounts. JOMANGY, with its dual-layer obfuscation, remains largely undetected by automated scanners.

As of the analysis, the primary dropper had minimal antivirus detections, reinforcing the need for affected organizations to rebuild systems from a clean slate. Maintaining even a single active channel allows the attackers to reinstate the entire infection stack within minutes.

Organizations are advised to follow stringent cybersecurity protocols and stay updated on threat intelligence to guard against such sophisticated attacks.

Cyber Security News Tags:cyber attack, cyber threat, Cybersecurity, FreePBX, INJ3CTOR3, JOMANGY, persistence layers, toll fraud, VoIP, Vulnerabilities

Post navigation

Previous Post: Google API Key Revocation Delay Poses Security Risks
Next Post: Russian Cyber Threats Intensify: RDP, VPN, and Social Tactics

Related Posts

Threat Actors Exploit AI Tool to Spread Infostealer Threat Actors Exploit AI Tool to Spread Infostealer Cyber Security News
Ransomware Gangs Leverage Remote Access Tools to Gain Persistence and Evade Defenses Ransomware Gangs Leverage Remote Access Tools to Gain Persistence and Evade Defenses Cyber Security News
Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware Cyber Security News
Meta Found a New Way to Track Android Users Covertly via Facebook & Instagram Meta Found a New Way to Track Android Users Covertly via Facebook & Instagram Cyber Security News
Threat Actors Attacking Systems with 240+ Exploits Before Ransomware Deployment Threat Actors Attacking Systems with 240+ Exploits Before Ransomware Deployment Cyber Security News
Bots Dominate Global Web Traffic, Surpassing Humans Bots Dominate Global Web Traffic, Surpassing Humans Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Phishing Campaign Exploits AnyDesk for Espionage
  • GitLost Flaw Exposes GitHub Repos via AI Workflow
  • VECT and TeamPCP: Unveiling the Ransomware Supply Chain Strategy
  • Global Expansion of Gentlemen Ransomware Threats
  • Critical Flaw in Google Dialogflow CX Exposed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark