Breakglass Intelligence reported a financially motivated campaign targeting internet-exposed FreePBX, Elastix, Issabel, and related Asterisk-based VoIP systems with malware disguised as k.php. The malware exploits the FreePBX restapps REST API for remote code execution, deploys the VictamPbx PHP webshell across multiple PBX web paths, steals administrator credentials, hijacks admin sessions, and enables outbound call origination to abuse victim SIP trunks for International Revenue Share Fraud (IRSF). Researchers observed at least 17 closely related variants and linked repeated payload delivery to infrastructure centered on 45.234.176.202 in Salvador, Bahia, Brazil, alongside branding and backend services associated with VictamPbx, emoadmin, emo, and Raza Telefonia.
The newest variant expanded beyond fraud enablement by aggressively securing exclusive access to compromised systems. Its Stage 2 payload established persistence through root-level accounts, SSH keys, cron jobs, and boot/login mechanisms, while also disabling the endpoint module, scrubbing Apache logs, timestomping files, and removing implants, accounts, cron entries, and webshells tied to at least seven rival VoIP threat actors, including Juba VoIP, Nahda, Badr/b3d0r, nvd0rz, tchTowr, and yokyok. Breakglass assessed the activity as a Brazilian or Brazilian-affiliated operation that has likely been active since at least 2023, with the latest samples showing a territorial fight among criminal groups for exclusive control of vulnerable PBX infrastructure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Cyble Research & Intelligence Labs reported a FreePBX and VoIP exploitation campaign attributed to INJ3CTOR3 that deploys a newly identified PHP webshell called JOMANGY for VoIP toll fraud. The report described double-layer obfuscation, resilient multi-channel persistence, immutable file protections, removal of rival implants, and possible botnet infrastructure migration from Brazilian to Dutch networks.
On 2026-03-15, Breakglass Intelligence published a report characterizing the activity as a turf war among multiple criminal groups competing for exclusive control of vulnerable internet-exposed FreePBX, Elastix, Issabel, and Sangoma systems.
During the March 14-15, 2026 activity, the newest observed variant not only established persistence and backdoors but also systematically removed implants, accounts, cron jobs, and webshells associated with at least seven competing threat actors, showing territorial competition over compromised PBX systems.
On 2026-03-14 and 2026-03-15, GHOST honeypots observed 17 closely related FreePBX malware variants named k.php targeting VoIP systems for International Revenue Share Fraud via the VictamPbx webshell.
Breakglass Intelligence published an analysis of the VictamPbx operation on 2026-03-14, describing a Brazilian or Brazilian-affiliated VoIP toll-fraud campaign targeting FreePBX and Elastix systems and linking it to razatelefonia.pro-related infrastructure.
On 2026-03-14, four closely related k.php samples were submitted that deployed the VictamPbx webshell on PBX systems, stole administrator credentials, hijacked admin sessions, and established cron-based persistence for toll fraud. The malware repeatedly fetched payloads from infrastructure at 45.234.176.202 in Salvador, Bahia, Brazil.
A related sibling malware sample tied to the VictamPbx toll-fraud activity was first seen in late January 2026, indicating the campaign was active before the March cluster of submissions.
On 2026-01-28, FortiGuard Labs published research on a campaign exploiting FreePBX Endpoint Manager flaw CVE-2025-64328 to deploy the EncystPHP web shell for remote command execution, persistence, SSH backdoor access, and telephony abuse. The report linked the activity to infrastructure including 45.234.176.202 and crm.razatelefonia.pro, assessed it as consistent with INJ3CTOR3, and noted incidents dating back to early December.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
securityonline.info
Open sourceintel.breakglass.tech
Open sourceintel.breakglass.tech
Open sourcefortinet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.