A hacker group known as INJ3CTOR3 has been running an active campaign against FreePBX systems, deploying a newly discovered PHP webshell called JOMANGY that uses six separate persistence layers to stay embedded on compromised servers.
The campaign targets internet-exposed VoIP phone systems and routes calls through them at the victims’ expense, a scheme known as toll fraud. With a target list of over 3,000 IP addresses, the operation is designed for mass automated exploitation.
FreePBX is an open-source interface used by businesses to manage phone systems built on Asterisk software. These setups handle real carrier accounts with SIP trunks that can originate actual phone calls.
For an attacker, gaining access means routing calls through premium-rate numbers they control and letting the victim’s carrier send the bill, with none of the overhead that comes with ransomware or data theft.
Analysts at Cyble (CRIL) identified the campaign and published a detailed report shared with Cyber Security News.
Researchers tied the operation with high confidence to INJ3CTOR3, an actor that has targeted VoIP infrastructure for financial gain since at least 2019. Prior campaign generations were documented by Check Point Research in 2020, Palo Alto Unit 42 in 2022, and Fortinet in January 2026.
Campaign Architecture (Source – Cyble)
The Shadowserver Foundation tracked over 900 FreePBX hosts compromised during the January 2026 campaign wave.
By May 2026, more than 700 of those systems remained infected despite five months of public disclosure. That number reflects how genuinely difficult these infections are to clear, even after the original entry point has been patched.
Two vulnerabilities are the most likely entry points for the current campaign. CVE-2025-64328 is a post-authentication command injection flaw in the FreePBX filestore module, while CVE-2025-57819 is a pre-authentication SQL injection bug in the FreePBX Endpoint module.
Both are patched in current FreePBX releases, though patching an already-infected host leaves the cron infrastructure running and the malware fully capable of re-establishing itself.
Hackers Use Six-Layer Persistence to Maintain Access
What sets this campaign apart is how its persistence was engineered. The six channels are not independent backups sitting in parallel.
Each one can reconstruct every other channel, making the infection genuinely self-healing. Clearing five of the six still hands the attacker a recovery window measured in minutes.
The first channel polls the attacker’s command-and-control server every one to three minutes via scheduled cron jobs, continuously re-downloading and re-executing the dropper.
The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files. The third stores eight immutable crontab copies in hidden directories, protected by a file attribute that silently blocks deletion even by root, backed by two separate restore loops.
JOMANGY Webshell Operator Panel (Source – Cyble)
The fourth is a process watchdog that immediately re-downloads the dropper if the beacon processes disappear. The fifth plants webshell copies across more than twelve paths in the FreePBX web tree, many locked immutable, where a single authenticated request to any survivor rebuilds the full infection stack.
The sixth is a PHP executor in the FreePBX high-availability module providing privileged command execution independently of all other channels.
Eighteen Hidden Accounts and Near-Zero Detection
The infection also quietly drops 18 backdoor accounts across three tiers. Nine carry full root-equivalent privileges, eight operate at the service account level, and one is injected into the FreePBX web panel database via MySQL.
Account names like asterisk, freepbxuser, and spamfilter were deliberately chosen to blend into the legitimate account list administrators would expect to find.
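The persistence channels and hidden accounts described above can be hunted with a handful of host-side checks. The script below is an added example written for this article, not Cyble's tooling or anything from the campaign; the file paths it walks are assumptions and the sample records it is tested against are constructed.

```shell
#!/bin/sh
# Added hunting helpers for the persistence channels and backdoor accounts
# described above; not Cyble's tooling. Paths are assumptions, sample data is
# constructed. Every check reads a file so it can run over copies taken from a
# suspect host as well as on the live system.

# Channel 1: cron jobs that poll a remote host every 1-3 minutes and pipe the
# response into a shell (minute field "*" or "*/1".."*/3", curl/wget, then sh).
find_polling_cron() {                 # $1 = crontab-format file
    awk '!/^[[:space:]]*#/ && $1 ~ /^(\*|\*\/[1-3])$/ && /(curl|wget)/ && /\|[[:space:]]*(ba)?sh/' "$1"
}

# Channel 2: re-infection hooks in shell profile files run on every login.
find_profile_hooks() {                # $@ = profile files (e.g. /root/.bashrc /etc/profile)
    grep -HnE '^[^#]*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$@" 2>/dev/null
}

# Channels 3 and 5: files carrying the immutable attribute (chattr +i). Reads
# lsattr output on stdin and prints the path of every immutable entry; nothing
# under the web tree or cron spool of a stock FreePBX host should have it.
parse_immutable() {
    awk '$1 ~ /i/ && NF >= 2 { print $2 }'
}
find_immutable() {                    # $1 = directory to walk
    lsattr -R "$1" 2>/dev/null | parse_immutable
}

# Hidden accounts: any UID-0 entry other than root (the report counts nine).
find_uid0_accounts() {                # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run every check against the live locations on a suspect host.
run_live_hunt() {
    echo "== polling cron jobs =="
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
        [ -f "$f" ] && find_polling_cron "$f" | sed "s|^|$f: |"
    done
    echo "== profile hooks =="
    find_profile_hooks /etc/profile /etc/bash.bashrc /root/.bashrc /root/.bash_profile
    echo "== immutable files =="
    for dir in /var/www/html /var/spool/cron /etc/cron.d /root; do find_immutable "$dir"; done
    echo "== extra UID-0 accounts =="
    find_uid0_accounts /etc/passwd
}
```

Source the file and call run_live_hunt as root on the suspect host; a clean machine prints only the section headers, and any hit is a lead to follow rather than proof on its own.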
JOMANGY had no prior public documentation before this analysis and uses double-layer obfuscation combining base64 encoding and ROT13 to defeat automated scanners.
At the time of research, the primary dropper had only four detections across 76 antivirus engines, while k.php and wr.php had zero.
Anyone dealing with a confirmed infection is advised to rebuild from a clean baseline, as leaving even one channel active gives the attacker enough leverage to restore the entire infection stack within minutes.
Indicators of Compromise (IoCs):
The post Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems appeared first on Cyber Security News.