Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
🇧🇷 🇳🇱 BR4 malware familiesExploits CVEs in the wild

INJ3CTOR3

Also known asINJ3CTOR3

INJ3CTOR3 is a financially motivated threat actor focused on VoIP and PBX infrastructure, particularly FreePBX, Sangoma PBX, and Elastix systems. The group was first identified in 2020 targeting CVE-2019-19006 in FreePBX/Sangoma PBX environments, and later shifted to Elastix via CVE-2021-45461 in 2022. More recent reporting links the actor to exploitation of CVE-2025-64328 and likely CVE-2025-57819 in FreePBX. Current reporting attributes to INJ3CTOR3 an active mass-exploitation campaign against internet-exposed FreePBX systems. The actor has deployed PHP web shells including EncystPHP and JOMANGY to obtain remote command execution, persistence, and long-term administrative control. Reported post-compromise behavior includes cron-based persistence, shell profile modification, process watchdogs, redundant web shell placement across numerous filesystem paths, creation of hidden or root-equivalent backdoor accounts, SSH key injection, password resets, log tampering, deletion of competing web shells, and harvesting of configuration data such as /etc/freepbx.conf. EncystPHP has been described as masquerading as legitimate FreePBX files such as ajax.php and presenting an operator interface titled "Ask Master." The actor is repeatedly associated with monetization through VoIP toll fraud and unauthorized outbound call activity using victims' SIP trunks and PBX environments. Reporting also notes automated mass exploitation of exposed VoIP servers and removal of rival criminal tooling from compromised hosts. Fortinet and other researchers link these campaigns to INJ3CTOR3 with high confidence. The content does not provide definitive nation-state attribution.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Telecommunication Services

Where they're from

Attributed origin per open-source reporting.

  • BR
  • NL
MITRE ATT&CK

Tradecraft

39 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics51 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190×8
Exploit Public-Facing Application
TA0002
Execution
3 techniques
T1053
Scheduled Task/Job
T1053.003×6
Cron
T1059×3
Command and Scripting Interpreter
T1059.004×4
Unix Shell
T1059.006
Python
T1203
Exploitation for Client Execution
TA0003
Persistence
6 techniques
T1037
Boot or Logon Initialization Scripts
T1037.004
RC Scripts
T1053
Scheduled Task/Job
T1053.003×6
Cron
T1098
Account Manipulation
T1098.004×2
SSH Authorized Keys
T1136×3
Create Account
T1136.001×2
Local Account
T1505
Server Software Component
T1505.003×8
Web Shell
T1556
Modify Authentication Process
TA0004
Privilege Escalation
4 techniques
T1037
Boot or Logon Initialization Scripts
T1037.004
RC Scripts
T1053
Scheduled Task/Job
T1053.003×6
Cron
T1068
Exploitation for Privilege Escalation
T1098
Account Manipulation
T1098.004×2
SSH Authorized Keys
TA0005
Stealth
4 techniques
T1027×4
Obfuscated Files or Information
T1036
Masquerading
T1036.005
Match Legitimate Resource Name or Location
T1070×2
Indicator Removal
T1070.002
Clear Linux or Mac System Logs
T1070.004×2
File Deletion
T1070.006
Timestomp
T1564
Hide Artifacts
T1564.001
Hidden Files and Directories
TA0112
Defense Impairment
2 techniques
T1222×2
File and Directory Permissions Modification
T1222.002×3
Linux and Mac Permissions
T1556
Modify Authentication Process
TA0006
Credential Access
4 techniques
T1003
OS Credential Dumping
T1110
Brute Force
T1552
Unsecured Credentials
T1552.001×2
Credentials In Files
T1556
Modify Authentication Process
TA0007
Discovery
3 techniques
T1046
Network Service Discovery
T1057×2
Process Discovery
T1083×2
File and Directory Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.004×3
SSH
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001×2
Web Protocols
T1105×5
Ingress Tool Transfer
TA0040
Impact
1 technique
T1496
Resource Hijacking
IOCS

Observables

27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping39

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables27

Domains, IPs, and hashes tied to this actor, refreshed continuously.