INJ3CTOR3 Group Deploys Self-Healing PHP Webshell in FreePBX Toll Fraud Campaign

The JOMANGY webshell uses six interconnected persistence layers that can each reconstruct the others, making infections resistant to cleanup even after patching.

CSBadmin

Campaign Overview

A threat group tracked as INJ3CTOR3 is actively targeting internet-exposed FreePBX systems in a large-scale toll fraud operation. Security researchers at Cyble’s CRIL team identified the campaign, which uses a newly discovered PHP webshell named JOMANGY. The attackers maintain a target list of over 3,000 IP addresses for automated exploitation. FreePBX is an open-source platform used by businesses to manage VoIP phone systems built on Asterisk software. These deployments often have direct access to carrier SIP trunks, enabling the routing of real phone calls. By compromising these systems, attackers initiate calls through premium-rate numbers they control, leaving the victim’s carrier to foot the bill.

Persistence Mechanisms and Impact

The JOMANGY webshell incorporates six distinct persistence layers, each capable of reconstructing the others. This design makes the infection self-healing and exceptionally difficult to remove, even after the original entry point has been patched. The Shadowserver Foundation tracked over 900 FreePBX hosts compromised during a January 2026 wave of the campaign. By May 2026, more than 700 of those systems remained infected despite five months of public disclosure. The campaign is linked to two likely entry point vulnerabilities: a post-authentication command injection flaw in the FreePBX filestore module and a pre-authentication SQL injection bug in the FreePBX Endpoint module. Both issues are addressed in current software releases, but patching an already infected host does not clean the cron infrastructure that allows the malware to re-establish itself. The INJ3CTOR3 group has targeted VoIP infrastructure for financial gain since at least 2019.

Source: Cyber Security News
