A sophisticated hacking group known as INJ3CTOR3 has launched an extensive attack on FreePBX systems, utilizing a newly identified PHP webshell named JOMANGY. This webshell employs six distinct persistence layers to remain entrenched within compromised servers.
Targeting Vulnerable VoIP Systems
The attackers have set their sights on internet-facing VoIP systems, exploiting them for toll fraud by routing calls through these systems at the expense of the victims. The campaign is aggressively targeting over 3,000 IP addresses, indicating a strategy focused on large-scale automated exploitation.
FreePBX, an open-source web interface for managing Asterisk-based phone systems, is widely used by businesses. These systems hold real carrier accounts with SIP trunks that can place legitimate phone calls. By infiltrating them, the attackers can route calls to premium-rate numbers they control, leaving victims to bear the charges without any follow-on attack such as ransomware.
INJ3CTOR3’s Persistent Campaign
Analysts at Cyble have identified this campaign and shared their findings in a comprehensive report. They confidently attribute the operation to INJ3CTOR3, a group with a history of targeting VoIP infrastructure for monetary gains since 2019. Previous efforts by the same group were documented by entities like Check Point Research and Palo Alto Unit 42.
The Shadowserver Foundation reported that over 900 FreePBX hosts were compromised in a campaign wave in early 2026. Despite public disclosure, more than 700 systems remained affected months later, highlighting the challenges in eradicating these infections even after patching known vulnerabilities.
Complex Persistence Mechanisms
The current campaign capitalizes on two key vulnerabilities: CVE-2025-64328, a post-authentication command injection flaw, and CVE-2025-57819, a pre-authentication SQL injection bug in FreePBX modules. While both vulnerabilities have been patched, the malware’s persistence mechanisms allow it to re-establish itself easily.
The six-layer persistence strategy includes cron jobs re-downloading the dropper, code injections triggered at root logins and reboots, hidden crontab copies, and a process watchdog. Additionally, webshells are installed across multiple paths in the FreePBX web directory, ensuring the infection can rebuild itself swiftly.
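The persistence layers listed above map to a small set of places on a FreePBX host that an incident responder should check before deciding a box is clean. The following hunting script is an added example, not code from Cyble's report or from the FreePBX project; the paths (/var/www/html, /root, /etc/cron.d, /var/spool/cron) are assumptions based on a stock FreePBX layout, and the regexes are generic heuristics for "fetch-and-execute" cron lines and decode-and-eval PHP, not signatures for JOMANGY itself.

```shell
#!/bin/sh
# Added hunting script (not from the report). Each audit_* function prints the
# suspicious lines it finds and returns 0 if anything matched, 1 otherwise.
# Paths are assumptions for a stock FreePBX install; adjust for your layout.

# Cron/shell lines that pipe remote content into an interpreter, or decode an
# embedded base64 payload (the "re-download the dropper" layer).
FETCH_RE='(curl|wget)[^|;]*[|][[:space:]]*(sh|bash|php)|base64[[:space:]]+(-d|--decode)'
# PHP that executes decoded or request-supplied data (the webshell layer).
SHELL_RE='(eval|assert|system|passthru|shell_exec|preg_replace)[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13|\$_(POST|GET|REQUEST|COOKIE))'

# One cron file: /etc/crontab, an /etc/cron.d entry, or a user spool file.
audit_cron_file() { [ -f "$1" ] && grep -nHE "$FETCH_RE" "$1"; }

# Root's login scripts (the "run at root login" layer). $1 = home dir, e.g. /root
audit_login_hooks() {
    found=1
    for f in "$1/.bashrc" "$1/.bash_profile" "$1/.profile"; do
        [ -f "$f" ] && grep -nHE "$FETCH_RE" "$f" && found=0
    done
    return $found
}

# Boot-time hooks: rc.local and @reboot cron entries. $1 = /etc
audit_boot_hooks() {
    found=1
    [ -f "$1/rc.local" ] && grep -nHE "$FETCH_RE" "$1/rc.local" && found=0
    grep -rnHE '^@reboot' "$1/crontab" "$1/cron.d" 2>/dev/null | grep -E "$FETCH_RE" && found=0
    return $found
}

# Hidden (dot-file) crontab copies and webshell-like PHP anywhere under the web root.
audit_webroot() { # $1 = /var/www/html
    found=1
    find "$1" -type f -name '.*' -exec grep -lE "$FETCH_RE" {} + 2>/dev/null \
        | sed 's/^/hidden cron copy: /' | grep . && found=0
    find "$1" -type f -name '*.php' -exec grep -lE "$SHELL_RE" {} + 2>/dev/null \
        | sed 's/^/webshell candidate: /' | grep . && found=0
    return $found
}

# Watchdog layer: long-running shell loops that keep re-fetching the dropper.
audit_processes() { ps -eo pid,user,args | grep -E "$FETCH_RE|while[[:space:]]+true" | grep -v grep; }

if [ "${1:-}" = "--run" ]; then   # full sweep of a live host
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do audit_cron_file "$f"; done
    audit_login_hooks /root; audit_boot_hooks /etc; audit_webroot /var/www/html; audit_processes
fi
```

A clean result from this script is not proof of a clean host; the article's point is that any surviving layer rebuilds the rest, so a hit in even one location argues for rebuilding rather than spot-cleaning.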
Minimal Detection and Multiple Backdoors
The threat actors also deploy 18 backdoor accounts at different privilege levels, ranging from root-equivalent accounts to service-level accounts, with names chosen to blend in with legitimate ones. JOMANGY, with its dual-layer obfuscation, remains largely undetected by automated scanners.
As of the analysis, the primary dropper had minimal antivirus detections, reinforcing the need for affected organizations to rebuild systems from a clean slate. Maintaining even a single active channel allows the attackers to reinstate the entire infection stack within minutes.
Organizations are advised to follow stringent cybersecurity protocols and stay updated on threat intelligence to guard against such sophisticated attacks.
