The INJ3CTOR3 Campaign: The Six-Layer Persistence Architecture in FreePBX Exploitation

Security researchers have identified a sophisticated and highly resilient exploitation campaign targeting FreePBX systems. This operation is attributed with high confidence to the threat actor INJ3CTOR3, a group with a documented history of targeting VoIP (Voice over IP) infrastructure for financial gain dating back to 2019. Unlike traditional ransomware campaigns that seek to encrypt data for extortion, this actor focuses on high-margin, low-noise VoIP toll fraud.

The technical execution begins with a multi-stage Bash dropper. This payload facilitates the deployment of a newly discovered PHP webshell family, dubbed JOMANGY, which works in tandem with the established ZenharR webshell. By gaining a foothold through these shells, attackers can manipulate the underlying Asterisk telephony engine to route unauthorized calls through the victim’s SIP trunks, effectively monetizing the organization’s communication infrastructure.

Campaign Architecture
Campaign Architecture Overview (Source: CRIL)

The Self-Healing Mechanism: Six Layers of Persistence

What distinguishes this campaign from standard automated attacks is its “self-healing” architecture. Cyble Research & Intelligence Labs (CRIL) has detailed a six-layer persistence mechanism designed to make traditional remediation nearly impossible. If a defender identifies and deletes a single malicious component, one of the remaining five layers will automatically reinstall the infection chain within minutes.

The layers include:

  • Cron-based C2 Polling: Scheduled tasks that periodically check for new commands from the Command-and-Control (C2) server.
  • Shell Profile Modification: Altering user profiles to trigger malicious execution upon login or system reboot.
  • Immutable Crontab Backups: Utilizing Linux file attributes to protect backup crontabs, preventing standard administrative tools from modifying or deleting them.
  • Process Watchdogs: Active monitoring processes that instantly restart any killed malicious components.
  • Redundant Webshells: Multiple, geographically or directory-distributed copies of the webshells to ensure continuous access.
  • PHP-based Reinstallers: A master executor capable of rebuilding the entire six-layer stack from scratch if it detects a partial wipe.

Because of this interlocking design, partial remediation is often futile. Security professionals are frequently forced to move beyond simple file deletion and instead opt for a complete system rebuild from a known-clean state.

Dashboard Victim overview
Dashboard Victim Overview showing target distribution (Source: CRIL)

Lateral Movement and Credential Obfuscation

The infection footprint is extensive. Upon successful exploitation, the malware creates approximately 18 backdoor accounts across the system. To avoid detection by sysadmins, these accounts are cleverly named to mimic legitimate services, such as asterisk, freepbxuser, and spamfilter. Notably, nine of these accounts are provisioned with root-equivalent privileges, providing the attackers with total control over the OS.

In terms of target scale, researchers identified a C2 server managing a list of 3,080 IP addresses slated for exploitation. While the campaign is global, there is a significant concentration on Alibaba Cloud infrastructure (approximately 39%), suggesting a strategic focus on the Asia-Pacific market.

Initial Access Vectors and Vulnerability Analysis

While the exact entry point remains under investigation, the technical characteristics of the attack point toward two critical vulnerabilities:

  1. CVE-2025-64328: A command injection vulnerability within the FreePBX filestore module.
  2. CVE-2025-57819: A pre-authentication SQL injection in the Endpoint module. Given its ability to be exploited without valid credentials, this is the most likely candidate for the massive automated scanning observed.

Furthermore, the malware exhibits “aggressive monopoly” behavior. It contains routines designed to detect and eliminate competing webshells or rival C2 agents on the same host. This ensures that INJ3CTOR3 maintains exclusive control over the victim’s SIP resources.

k.php payload
The k.php payload component (Source: CRIL)

The Persistence Challenge

The sophistication of the INJ3CTOR3 campaign highlights a critical weakness in the VoIP landscape. Despite the availability of patches for the underlying vulnerabilities, data from Shadowserver indicates that hundreds of FreePBX systems remain vulnerable and compromised months after disclosure.

For organizations relying on internet-facing VoIP infrastructure, this serves as a stark reminder that patching is only the first step; deep forensic auditing is required to ensure that persistent backdoors haven’t already established a foothold.

Related Articles

Back to top button