CYBLE Research & Intelligence Labs has identified a significant exploitation campaign targeting FreePBX systems, carried out by a threat group known as INJ3CTOR3, which has been active since 2019. The campaign involves a new malware strain called JOMANGY, designed for VoIP toll fraud, which allows attackers to route calls at the victim's expense. The malware is notably resilient: it features a six-channel persistence architecture that complicates remediation efforts.
JOMANGY actively prevents cleanup by establishing multiple access channels, and it can regenerate itself if any part is removed. The campaign capitalizes on known vulnerabilities, specifically CVE-2025-64328 and CVE-2025-57819, and highlights the need for robust monitoring and for complete rebuilds of compromised servers.