INJ3CTOR3
INJ3CTOR3 is a financially motivated threat actor focused on VoIP and PBX infrastructure, particularly FreePBX, Sangoma PBX, and Elastix systems. The group was first identified in 2020 targeting CVE-2019-19006 in FreePBX/Sangoma PBX environments, and in 2022 shifted to Elastix via CVE-2021-45461. More recent reporting links the actor to exploitation of CVE-2025-64328 and likely CVE-2025-57819 in FreePBX. Current reporting attributes an active mass-exploitation campaign against internet-exposed FreePBX systems to INJ3CTOR3. The actor has deployed PHP web shells, including EncystPHP and JOMANGY, to obtain remote command execution, persistence, and long-term administrative control. Reported post-compromise behavior includes cron-based persistence, shell profile modification, process watchdogs, redundant web shell placement across numerous filesystem paths, creation of hidden or root-equivalent backdoor accounts, SSH key injection, password resets, log tampering, deletion of competing web shells, and harvesting of configuration data such as /etc/freepbx.conf. EncystPHP has been described as masquerading as legitimate FreePBX files such as ajax.php and presenting an operator interface titled "Ask Master." The actor is repeatedly associated with monetization through VoIP toll fraud and unauthorized outbound call activity using victims' SIP trunks and PBX environments. Reporting also notes automated mass exploitation of exposed VoIP servers and removal of rival criminal tooling from compromised hosts. Fortinet and other researchers link these campaigns to INJ3CTOR3 with high confidence. The available reporting does not provide definitive nation-state attribution.
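The post-compromise behaviors listed above (uid-0 backdoor accounts, cron persistence, shell profile hooks, injected SSH keys, and PHP web shells masquerading as FreePBX files) each leave a host-side artifact that can be checked during triage. The script below is an added example, not Mallory's tooling or code from any of the cited reports; it assumes a Debian-style FreePBX layout (web root under /var/www/html, asterisk home under /var/lib/asterisk) and uses heuristic grep patterns that are assumptions, not published indicators. Every function takes a root prefix so it can be pointed at a mounted disk image instead of the live host.

```shell
#!/usr/bin/env bash
# Added triage helper for INJ3CTOR3-style persistence on a FreePBX host.
# Not vendor code; paths and patterns below are assumptions for illustration.
# Each function takes ROOT (default "/") so a mounted image can be audited.

# 1. Root-equivalent accounts: any uid-0 passwd entry other than "root".
find_uid0_accounts() {
  root="${1:-/}"
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$root/etc/passwd"
}

# 2. Cron persistence: non-comment crontab lines that start an interpreter
#    or a downloader. Review hits manually; FreePBX itself schedules jobs.
find_suspicious_cron() {
  root="${1:-/}"
  cat "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* 2>/dev/null \
    | grep -v '^[[:space:]]*#' \
    | grep -E '(php|curl|wget|/dev/tcp|base64)' || true
}

# 3. Shell profile modification: background launchers or decoders appended
#    to system-wide or root login scripts.
find_profile_hooks() {
  root="${1:-/}"
  for f in "$root/etc/profile" "$root/etc/bash.bashrc" "$root/root/.bashrc" \
           "$root/root/.bash_profile" "$root/etc/profile.d"/*; do
    [ -f "$f" ] || continue
    grep -HnE '(nohup|setsid|/dev/tcp|base64 -d|php -r)' "$f" || true
  done
}

# 4. SSH key injection: list authorized_keys entries for root and asterisk.
#    Only the file name and key comment are printed, so output is safe to share.
list_authorized_keys() {
  root="${1:-/}"
  for f in "$root/root/.ssh/authorized_keys" "$root/var/lib/asterisk/.ssh/authorized_keys"; do
    [ -f "$f" ] || continue
    awk -v f="$f" 'NF >= 2 { print f ": " $NF }' "$f"
  done
}

# 5. Web shell candidates under the web root: PHP files that feed a decoder
#    or request parameter straight into an execution primitive, plus any file
#    carrying the "Ask Master" interface title reported for EncystPHP.
find_webshell_candidates() {
  root="${1:-/}"
  webroot="$root/var/www/html"
  [ -d "$webroot" ] || return 0
  {
    grep -rlE '(eval|assert|system|passthru|shell_exec)[[:space:]]*\((base64_decode|gzinflate|str_rot13|\$_(POST|GET|REQUEST|COOKIE))' \
      --include='*.php' "$webroot" || true
    grep -rl 'Ask Master' --include='*.php' "$webroot" || true
  } | sort -u
}

# Run all checks against a root prefix: PBX_AUDIT_ROOT=/mnt/image ./pbx_audit.sh
if [ -n "${PBX_AUDIT_ROOT:-}" ]; then
  for check in find_uid0_accounts find_suspicious_cron find_profile_hooks \
               list_authorized_keys find_webshell_candidates; do
    echo "== $check"
    "$check" "$PBX_AUDIT_ROOT"
  done
fi
```

Treat every hit as a lead, not a verdict: FreePBX legitimately runs cron jobs and ships PHP that calls exec, so the value of the run is in diffing the output against a known-good install of the same version and in pairing a flagged file with its mtime and the web server access log around that time.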
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Telecommunication Services
Where they're from
Attributed origin per open-source reporting.
- BR
- NL
Tradecraft
39 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
Forensics point to two high-confidence flaws tracked as CVE-2025-64328 and CVE-2025-57819. Many systems remain exposed because administrators fail to apply patches promptly.
...INJ3CTOR3, a financially motivated hacker group first identified in 2020 when they targeted CVE-2019-19006 in FreePBX systems.
In 2022, the threat actor evolved their tactics by shifting focus to Elastix systems through the exploitation of CVE-2021-45461.
Observables
27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Financially motivated exploitation of exposed FreePBX/VoIP servers, using the JOMANGY webshell to enable toll fraud and maintain resilient persistence across compromised systems.
Conducting financially motivated mass exploitation of internet-exposed FreePBX/VoIP systems for toll fraud, using the JOMANGY webshell and highly resilient multi-layer persistence to maintain access.
Linked to exploitation of CVE-2025-64328 against Sangoma FreePBX Endpoint Manager to deploy PHP web shells (including EncystPHP) for persistent remote access and follow-on payload delivery.
Opportunistic, automated mass-exploitation of internet-facing Sangoma FreePBX instances via CVE-2025-64328 to deploy persistent PHP web shells (notably EncystPHP) enabling remote command execution, persistence, and follow-on activity such as outbound call fraud and potential lateral movement/pivoting.