Threat Actors Deploy Multi-Layer Persistence On Compromised FreePBX Servers
ID: 017819cc-c46f-5253-b3b2-157b0e3b4c65
STIX ID: report--017819cc-c46f-5253-b3b2-157b0e3b4c65
Feed Name: Cyber Press
An active, large-scale campaign attributed to INJ3CTOR3 is exploiting FreePBX VoIP systems worldwide to install a novel JOMANGY PHP webshell and ZenharR toolset for telecom toll fraud; the operation includes multi-layer persistence, deployment of root-equivalent accounts, eviction of competing actors, and mass C2 infrastructure (≈3,080 IPs, ~39% on Alibaba Cloud), with likely use of CVE-2025-64328 and CVE-2025-57819 for initial access.
