Backdooring & Webshell Eviction | Image: CRIL
Cyble Research & Intelligence Labs recently uncovered a highly aggressive FreePBX exploitation campaign. Analysts attribute this malicious operation to a threat group known as INJ3CTOR3. Historically, this actor has targeted telecommunications networks for financial gain since 2019. The latest campaign presents significant infrastructure risks to enterprises globally. Specifically, the operators use automated mass exploitation tools to compromise exposed Voice over IP servers. Consequently, hundreds of organizations running unhardened systems face immediate financial liabilities.
The Rise of JOMANGY and Toll Fraud
The core weapon in this operation is a new malware strain, which the analysts named the JOMANGY webshell. According to the official report, “JOMANGY is a PHP webshell family with no prior public documentation”. The script hides its code behind a double-layer obfuscation scheme: Base64 encoding applied over ROT13.
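As an added illustration (not code from the Cyble report or from JOMANGY itself), the helper below peels the Base64-over-ROT13 layering described above out of a PHP file so an analyst can see what a suspicious blob decodes to. The sample loader, the PHP marker list and the depth limit are constructed assumptions; the article does not give the malware's exact layout.

```python
import base64
import binascii
import codecs
import re
from typing import List, Optional

# Long runs of Base64 alphabet characters; short runs are usually legitimate data.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Markers that a decoded blob is PHP source rather than random bytes (assumed list).
_PHP_MARKERS = (b"<?php", b"eval(", b"$_POST", b"$_GET", b"$_REQUEST", b"base64_decode(")

def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; every other byte passes through unchanged."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def peel(blob: bytes, max_depth: int = 3) -> Optional[bytes]:
    """Strip Base64 (outer) and ROT13 (inner) layers until PHP markers appear;
    return the recovered plaintext or None. ROT13 is an involution, so one pass per layer suffices."""
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            return None
        # Checks both a plain Base64 layer and a Base64-over-ROT13 layer.
        for candidate in (decoded, rot13(decoded)):
            if any(marker in candidate for marker in _PHP_MARKERS):
                return candidate
        current = decoded.strip()  # not readable yet: maybe another Base64 layer inside
    return None

def find_obfuscated_payloads(php_source: bytes) -> List[bytes]:
    """Return the plaintext PHP recovered from every layered blob in a file."""
    found = []
    for match in _B64_RUN.finditer(php_source):
        plaintext = peel(match.group(0))
        if plaintext is not None:
            found.append(plaintext)
    return found

# Constructed sample, not JOMANGY code: a loader that hides a harmless PHP stub
# behind ROT13 and then Base64, mirroring only the layering the report describes.
INNER = b"<?php /* constructed sample */ echo 'hidden stage';"
SAMPLE_BLOB = base64.b64encode(rot13(INNER))
SAMPLE_FILE = b"<?php\n$p = '" + SAMPLE_BLOB + b"';\neval(str_rot13(base64_decode($p)));\n"

if __name__ == "__main__":
    for payload in find_obfuscated_payloads(SAMPLE_FILE):
        print(payload.decode("latin-1"))
```

Run it against any PHP file under the FreePBX web root; a non-empty result is a strong triage signal, but short or non-PHP encoded strings are deliberately ignored, so a clean run does not prove the file is benign.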
Furthermore, the main objective of this deployment is systematic monetization. The researchers noted that “Every deployed webshell instance carries live VoIP toll fraud code that routes calls through the victim’s own SIP trunks at the victim’s expense”. Attackers route costly traffic through premium numbers to generate automated profits.
Unprecedented Six-Channel Persistence Architecture
The operators also designed a highly resilient framework to maintain their access, and this layout sets the operation apart from typical malware threats. Specifically, the threat actor establishes six independent survival channels on infected devices, including recurring cron polling, shell profile insertion, and automated process watchdogs. In addition, the malware places copies of the script in over twelve distinct filesystem locations. The report explicitly highlights that “Any single surviving channel re-establishes the full infection within minutes”. Therefore, standard administrative cleanup routines fail to completely clear the intrusion.
Resilience Against Remediation
Because the persistence channels protect each other, partial remediation is ineffective. For instance, removing a single cron entry will not stop the infection: the automated process watchdog simply downloads a fresh copy of the script. Moreover, the attackers set immutable file attributes on their primary directories, so even root cannot delete the files directly until the attribute is cleared (for example with chattr -i). Consequently, security teams must treat a compromised system with extreme caution, and experts advise that a complete system rebuild from a clean baseline is necessary.
Competitor Eviction and Botnet Migration
Interestingly, the initial-stage dropper script enforces exclusive control of the host. When it executes, it removes the tooling of other criminal groups from the environment: the payload scans for fifty distinct third-party webshell signatures, deletes competing files, and blocks eleven adversary control servers bidirectionally. Concurrently, the code runs a self-eviction routine against its own older campaign files. This calculated step indicates that the operator is actively migrating its infrastructure; specifically, the group moved its active botnet servers from Brazilian systems to Dutch networks.
Vulnerability Targets and Remediation Challenges
Ultimately, the FreePBX exploitation campaign relies on known vulnerabilities for initial access. Forensics point to two high-confidence flaws, tracked as CVE-2025-64328 and CVE-2025-57819. Many systems remain exposed because administrators fail to apply patches promptly. However, security data shows that patching alone will not resolve active infections: if a server is already compromised, the underlying cron setup continues to run silently. Therefore, organizations must implement comprehensive telemetry monitoring to protect their communication hubs.