JOMANGY: INJ3CTOR3’s Self-Healing FreePBX Toll Fraud Campaign

Executive Summary Cyble Research & Intelligence Labs (CRIL) has identified an active FreePBX exploitation campaign, with high confidence tied to INJ3CTOR3, an actor with a documented history of targeting VoIP infrastructure for financial gain since 2019. The campaign deploys a multi-stage Bash dropper that introduces JOMANGY, a PHP webshell family with no prior public documentation, alongside ZenharR , previously attributed to the same actor lineage. Every deployed webshell instance carries live