INJ3CTOR3
A financially motivated threat group believed to operate from the Palestinian Gaza Strip and West Bank, specializing in the systematic exploitation of VoIP and PBX (Private Branch Exchange) infrastructure for toll fraud and unauthorized monetization. First identified in 2020, INJ3CTOR3 targets Sangoma FreePBX and Asterisk VoIP systems used by enterprises worldwide, deploying web shells for persistent access and generating revenue through International Premium Rate Number (IPRN) fraud and the sale of access to compromised phone systems. The group compromised nearly 1,200 organizations in its initial campaign and over 900 FreePBX instances in a December 2025 resurgence.
Overview
INJ3CTOR3 is a cybercriminal operation focused exclusively on exploiting enterprise Voice over IP (VoIP) and Private Branch Exchange (PBX) infrastructure for financial gain. The group was first identified in 2020 by Check Point Research, which traced exploitation of CVE-2019-19006 in Sangoma FreePBX systems to a Pastebin account belonging to the "INJ3CTOR3" alias. Subsequent investigation revealed a network of private Facebook groups dedicated to sharing SIP server exploitation tools, with administrators and active members primarily located in Gaza, the West Bank, and Egypt.
The group's business model is distinct from typical ransomware or data theft operations. Instead of encrypting files or stealing data for extortion, INJ3CTOR3 monetizes compromised VoIP infrastructure in three primary ways: generating revenue through International Premium Rate Number (IPRN) fraud by routing calls through compromised systems to premium numbers the attackers control, selling phone numbers and call plans from compromised systems to third parties, and selling live access to compromised VoIP services to other criminal actors. According to the Communications Fraud Control Association (CFCA), losses from global telecommunications fraud exceed $28 billion annually, with VoIP PBX hacking ranking among the top five fraud methods.
After its initial campaign targeting nearly 1,200 organizations in 2020, INJ3CTOR3 evolved its tactics in 2022 by shifting focus to Elastix systems via CVE-2021-45461. The group resurfaced with a major campaign in December 2025, exploiting CVE-2025-64328 in FreePBX to deploy the EncystPHP web shell across over 900 instances globally. This persistent pattern of targeting VoIP-specific vulnerabilities across multiple platforms demonstrates a specialized, ongoing operation rather than opportunistic activity.
As of March 2026, over 900 FreePBX instances remain infected with EncystPHP web shells from INJ3CTOR3's December 2025 campaign, according to the Shadowserver Foundation. The largest concentration is in the United States (401 instances), followed by Brazil (51), Canada (43), Germany (40), and France (36). Fortinet FortiGuard Labs attributed the campaign to INJ3CTOR3 exploiting CVE-2025-64328 in the FreePBX Endpoint Manager. Organizations running internet-facing FreePBX should update immediately and perform forensic investigation.
Social Media and Community Ecosystem
INJ3CTOR3 operates within a broader ecosystem of VoIP exploitation communities centered on private Facebook groups. Check Point Research identified the "voip__sip__inje3t0r3_seraj" group as the most active, sharing administrators with multiple related groups dedicated to SIP server exploitation. These groups openly share tools including SIP scanners, authentication bypass scripts, remote code execution payloads, and brute-force utilities. Members also publish instructional guides and videos explaining how to conduct VoIP attacks and monetize compromised systems. The operation's social media presence represents a community-driven fraud ecosystem with established infrastructure for tool sharing, training, and revenue generation.
Target Profile
INJ3CTOR3 exclusively targets VoIP and PBX infrastructure. The group's targeting is driven by the presence of vulnerable, internet-facing VoIP systems rather than specific industries or organizations.
- Enterprise VoIP Systems (Asterisk/FreePBX/Sangoma): Asterisk is the world's most popular open-source VoIP phone system, used by Fortune 500 companies and small businesses alike for national and international telecommunications. Sangoma PBX and FreePBX are the primary web-based management interfaces for Asterisk. Any organization running internet-facing FreePBX/Sangoma/Elastix instances is a potential target.
- Communications & Telecommunications: Service providers, telecom companies, and managed communications service providers are targeted for the high volume of call traffic available through their infrastructure.
- Finance, Banking & Insurance: Financial sector organizations running Asterisk-based PBX systems were among the highest-targeted verticals in the 2020 campaign, with 93 U.S. enterprises affected alongside targets in 15 other countries.
- Geographic Distribution: The 2020 campaign targeted organizations in 16+ countries, with the United States as the primary target (93 enterprises), followed by Germany (52), France (27), India (27), Italy (27), Brazil (25), Canada (24), Turkey (21), Australia (15), Russia (13), Switzerland (13), and others. The 2025 campaign shows similar distribution with the U.S. (401 infected instances), Brazil, Canada, Germany, and France leading.
Tactics, Techniques & Procedures
INJ3CTOR3's TTPs are specialized for VoIP infrastructure exploitation. The attack chain follows a consistent pattern: scan for vulnerable SIP/PBX systems, exploit authentication or command injection vulnerabilities, deploy web shells for persistent access, then monetize through toll fraud or access sales.
| MITRE ID | Technique | Description |
|---|---|---|
| T1595.002 | Active Scanning: Vulnerability Scanning | Uses SIPVicious, a tool suite for auditing SIP-based VoIP systems. The svmap module scans the internet for SIP systems running vulnerable FreePBX/Sangoma/Elastix versions. Demonstrates a high degree of automation, with mass scanning of internet-facing PBX instances. |
| T1190 | Exploit Public-Facing Application | Exploits authentication bypass and command injection vulnerabilities in internet-facing VoIP management interfaces: CVE-2019-19006 (FreePBX authentication bypass), CVE-2021-45461 (Elastix), and CVE-2025-64328 (FreePBX Endpoint Manager command injection). Targets administrative web interfaces specifically. |
| T1505.003 | Web Shell | Deploys PHP-based web shells for persistent remote access to compromised PBX systems. Early campaigns used simple PHP web shells uploaded via Pastebin-hosted payloads. The 2025 campaign deploys EncystPHP, a more sophisticated web shell providing an interactive remote-execution interface under the asterisk service account. |
| T1110 | Brute Force | Custom brute-force scripts (shared via Pastebin and Facebook groups) target SIP authentication credentials. Used to gain access to SIP extensions and administrative interfaces where authentication bypass vulnerabilities are not available. |
| T1059.004 | Unix Shell | EncystPHP web shell enables arbitrary command execution under the asterisk service user on compromised FreePBX systems. Provides full control over PBX functions, file systems, and system configuration. Downloaded via shell scripts from attacker-controlled infrastructure. |
| T1496 | Resource Hijacking | Core monetization technique. Compromised PBX systems are used to generate outbound calls to International Premium Rate Numbers (IPRN) controlled by the attackers. Revenue is generated per minute of call time. Because making calls is a legitimate PBX function, this abuse is difficult to detect through normal monitoring. |
| T1078 | Valid Accounts | After initial compromise, web shells extract the FreePBX system database and passwords for all SIP extensions, granting unrestricted access to the entire phone system and the ability to make calls from any extension. |
| T1036 | Masquerading | In the 2025 campaign, web shells are deployed to directories mimicking legitimate PBX file paths (e.g., /var/www/html/freeppx). Call activity generated by compromised systems appears as legitimate outbound traffic, complicating detection. |
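A defender-side hunt for the web shells described under T1505.003 and T1036 above, as an added example that is not code from this page, from FreePBX, or from any vendor: it walks a web root and flags PHP files sitting in the mimic directory name the page cites, files matching the indicator strings this profile lists under mitigation ("rr.php", "yokyok"), and files containing generic command-execution patterns. The sample tree is constructed with tempfile, and the code-pattern regex is an assumed heuristic rather than a published signature.

```python
# Added example (not FreePBX or vendor code): hunt for PHP web shells under a FreePBX
# web root. Indicator strings and the mimic directory name come from this profile; the
# code-pattern regex and the sample tree are constructed assumptions.
import os
import re
import tempfile

INDICATOR_STRINGS = ("rr.php", "yokyok")   # strings named on this page
MIMIC_DIRS = ("freeppx",)                  # typosquatted path named on this page
# Generic web-shell code pattern (constructed heuristic; expect some false positives).
SHELL_PATTERN = re.compile(
    rb"(eval|system|shell_exec|passthru|exec)\s*\(\s*(base64_decode|\$_(GET|POST|REQUEST))"
)

def scan_webroot(root):
    """Walk `root` and return sorted (relative_path, reason) findings for PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if any(part in MIMIC_DIRS for part in rel.split("/")):
                reasons.append("mimic_directory")
            if name in INDICATOR_STRINGS or any(s.encode() in data for s in INDICATOR_STRINGS):
                reasons.append("known_indicator")
            if SHELL_PATTERN.search(data):
                reasons.append("shell_pattern")
            findings.extend((rel, r) for r in reasons)
    return sorted(findings)

def build_sample_tree():
    """Construct a throwaway web root: one clean module file and two suspicious files."""
    root = tempfile.mkdtemp(prefix="freepbx_demo_")
    os.makedirs(os.path.join(root, "admin", "modules", "core"))
    os.makedirs(os.path.join(root, "freeppx"))
    with open(os.path.join(root, "admin", "modules", "core", "page.php"), "wb") as fh:
        fh.write(b"<?php echo 'legitimate module page'; ?>")
    with open(os.path.join(root, "freeppx", "index.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode($_POST['c'])); ?>")   # constructed sample
    with open(os.path.join(root, "admin", "rr.php"), "wb") as fh:
        fh.write(b"<?php system($_GET['cmd']); ?>")                # constructed sample
    return root

if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_tree()):
        print(f"{reason:18} {rel}")
```

Run it against a real web root by calling scan_webroot("/var/www/html"); any finding warrants a manual review of the file and its modification time.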
Known Campaigns
Confirmed campaigns attributed to INJ3CTOR3 spanning its operational history.
Check Point Research identified systematic exploitation of CVE-2019-19006, an authentication bypass vulnerability in Sangoma FreePBX, targeting corporate VoIP phone systems at nearly 1,200 organizations across 16+ countries over 12 months. Attackers used SIPVicious for scanning, deployed PHP web shells for persistence, and monetized access through IPRN fraud and direct sales of compromised phone system access. The group left calling cards using the "inje3t0r3-seraj" alias in exploitation traffic. Investigation traced operators to private Facebook groups in Gaza, the West Bank, and Egypt.
INJ3CTOR3 evolved its targeting by shifting to Elastix VoIP systems, exploiting CVE-2021-45461 for initial access. This represented a tactical pivot to a different VoIP platform while maintaining the same operational model of web shell deployment and toll fraud monetization. The shift demonstrated the group's ongoing reconnaissance of VoIP-specific vulnerabilities across multiple platforms.
Fortinet FortiGuard Labs attributed a new campaign to INJ3CTOR3 beginning in early December 2025, exploiting CVE-2025-64328, a post-authentication command injection vulnerability in FreePBX's Endpoint Manager module. The group deployed EncystPHP, a sophisticated PHP web shell providing interactive remote-execution capabilities under the asterisk service account. Shadowserver Foundation confirmed over 900 FreePBX instances remain infected as of early 2026, with the highest concentration in the United States (401), Brazil (51), Canada (43), Germany (40), and France (36). The campaign demonstrates a high degree of automation with mass scanning and exploitation of internet-facing FreePBX instances.
Tools & Malware
INJ3CTOR3's toolkit is purpose-built for VoIP infrastructure exploitation, combining open-source auditing tools with custom web shells and exploitation scripts.
- SIPVicious: Open-source tool suite for auditing SIP-based VoIP systems. INJ3CTOR3 uses the svmap module to scan the internet for SIP systems running vulnerable FreePBX versions. Provides SIP endpoint discovery, extension enumeration, and authentication testing.
- EncystPHP: Custom PHP-based web shell deployed in the December 2025 campaign. Provides an interactive remote-execution interface operating under the asterisk service account. Enables arbitrary command execution, file system access, PBX function manipulation, and initiation of outbound call activity through the compromised PBX environment. Identified by Fortinet FortiGuard Labs.
- PHP Web Shells (2020 Campaign): Earlier web shells hosted on and downloaded from Pastebin. Provided FreePBX database extraction, SIP extension password harvesting, and call-generation capabilities. A secondary web panel variant allowed attackers to place calls directly through a web interface.
- Custom Brute-Force Scripts: SIP authentication brute-force tools shared via Pastebin and private Facebook groups. Variants observed in both the INJ3CTOR3 Pastebin account and associated community tool-sharing channels.
- CVE-2019-19006 Exploit Script: Custom exploitation script that bypasses FreePBX authentication by sending the password parameter as an array element, causing the authentication function to fail before the session is invalidated. Combined with initial web shell upload in a single automated payload.
- IPRN Monetization Infrastructure: International Premium Rate Number services registered to numbers controlled by the attackers. When compromised PBX systems route calls to these numbers, revenue is generated per minute of call time. The group appears to use dedicated IPRN providers with rate tables varying by caller origin country.
Indicators of Compromise
Publicly available IOCs from Check Point Research, Fortinet FortiGuard Labs, and The Shadowserver Foundation.
Because INJ3CTOR3 targets a specific class of infrastructure (VoIP/PBX systems), its IOCs are most relevant to organizations running internet-facing FreePBX, Sangoma, Elastix, or Asterisk deployments. The Shadowserver Foundation is actively notifying operators of infected FreePBX instances; organizations should check their systems and apply patches immediately.
Mitigation & Defense
Recommended defensive measures for organizations operating VoIP and PBX infrastructure.
- Patch FreePBX, Sangoma, and Elastix immediately: Apply all available patches for CVE-2025-64328, CVE-2021-45461, and CVE-2019-19006. The December 2025 campaign targets unpatched, internet-facing FreePBX instances. Update to the latest supported version of all VoIP platform components.
- Remove PBX management interfaces from the public internet: INJ3CTOR3's attack model depends on scanning for internet-exposed PBX administrative panels. Place all PBX management interfaces behind VPNs, firewalls, or zero-trust access controls. If internet exposure is required, implement IP allowlisting and strong authentication.
- Scan for existing web shell infections: The Shadowserver Foundation has confirmed over 900 FreePBX instances remain infected. Scan web-accessible directories (particularly /var/www/html/) for PHP web shells, including EncystPHP and any files containing the strings "rr.php" or "yokyok". Check for unauthorized files in the FreePBX administrative directory structure.
- Monitor call billing and traffic patterns: INJ3CTOR3 monetizes through IPRN fraud, which generates anomalous outbound call activity. Regularly analyze call detail records (CDRs) for unexpected destinations, premium-rate number calls, unusual call volumes, and calls occurring outside business hours. Set rate limits on outbound calls and alert on threshold violations.
- Restrict SIP extension access: After compromising a system, INJ3CTOR3 extracts credentials for all SIP extensions. Enforce strong passwords on all SIP accounts, restrict outbound call destinations where possible, and disable unused extensions. Monitor for unauthorized SIP registrations from unknown IP addresses.
- Implement intrusion detection for SIP scanning: SIPVicious scanning produces distinctive network signatures. Monitor for svmap probes on UDP/TCP port 5060 and implement SIP-aware intrusion detection rules. Consider deploying SIP-specific firewalls or session border controllers (SBCs) to filter unauthorized SIP traffic.
- Audit FreePBX administrative accounts: Review administrative accounts for unauthorized entries. CVE-2019-19006 allows attackers to hijack existing admin sessions; CVE-2025-64328 allows authenticated command injection. Enable logging for all administrative actions and monitor for anomalous access patterns.
- Segment VoIP infrastructure from general IT networks: Isolate VoIP systems on dedicated network segments with restricted access. Prevent lateral movement from compromised PBX systems to other corporate infrastructure. Monitor outbound connections from PBX servers for unexpected traffic.
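One way to implement the CDR checks recommended above (premium-rate destinations, after-hours and high-volume international calls, unusually long calls), as an added example that is not taken from this page or from any FreePBX component: it applies those rules to constructed Asterisk-style CDR rows and returns alerts per rule. The premium-rate prefixes, home country code, business hours and thresholds are assumptions to be adapted to the local dial plan.

```python
# Added example (not from the page or from FreePBX): flag IPRN-style toll-fraud
# patterns in Asterisk-style CDR rows. Records, prefixes and thresholds are constructed.
from collections import Counter
from datetime import datetime

# Constructed CDR rows in the (calldate, src, dst, disposition, billsec) shape
# recorded by Asterisk's CDR backends.
SAMPLE_CDRS = [
    ("2025-12-05 10:15:02", "201", "12125551234", "ANSWERED", 95),
    ("2025-12-05 02:11:40", "305", "88213330001", "ANSWERED", 1800),
    ("2025-12-05 02:13:05", "305", "88213330002", "ANSWERED", 1790),
    ("2025-12-05 02:14:51", "305", "88213330003", "ANSWERED", 1810),
    ("2025-12-05 02:16:22", "305", "88213330004", "ANSWERED", 1802),
    ("2025-12-05 14:02:10", "117", "4930123456", "NO ANSWER", 0),
]

# Assumed policy (tune to the local dial plan): destination prefixes treated as
# premium-rate, business hours, max answered international calls per extension
# per hour, and max billable seconds for a single international call.
PREMIUM_PREFIXES = ("882", "883", "1900")
BUSINESS_HOURS = range(8, 18)
MAX_INTL_PER_HOUR = 3
MAX_INTL_BILLSEC = 20 * 60
HOME_COUNTRY_CODE = "1"        # assumed home country; anything else is international

def is_international(dst):
    return not dst.startswith(HOME_COUNTRY_CODE)

def flag_cdrs(cdrs):
    """Return (rule, src, detail) alerts for rows matching the toll-fraud heuristics."""
    alerts = []
    intl_per_hour = Counter()  # (src, "YYYY-MM-DD HH") -> answered international calls
    for calldate, src, dst, disposition, billsec in cdrs:
        when = datetime.strptime(calldate, "%Y-%m-%d %H:%M:%S")
        if dst.startswith(PREMIUM_PREFIXES):       # flag attempts, answered or not
            alerts.append(("premium_rate_destination", src, dst))
        if disposition != "ANSWERED" or not is_international(dst):
            continue
        if when.hour not in BUSINESS_HOURS:
            alerts.append(("international_after_hours", src, dst))
        if billsec > MAX_INTL_BILLSEC:
            alerts.append(("long_international_call", src, dst))
        hour_key = (src, when.strftime("%Y-%m-%d %H"))
        intl_per_hour[hour_key] += 1
        if intl_per_hour[hour_key] == MAX_INTL_PER_HOUR + 1:   # alert once per bucket
            alerts.append(("international_volume_threshold", src, hour_key[1]))
    return alerts

if __name__ == "__main__":
    for rule, src, detail in flag_cdrs(SAMPLE_CDRS):
        print(f"{rule:32} ext {src} -> {detail}")
```

In the sample data every alert points at extension 305, the pattern a compromised SIP extension driven by a web shell would show: a burst of long, after-hours calls to premium-rate destinations.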
INJ3CTOR3 represents a specialized but often overlooked threat category: telecommunications infrastructure fraud. While the group lacks the technical sophistication of nation-state actors or major ransomware operations, its impact is significant. Global telecom fraud losses exceed $28 billion annually, and PBX hacking is consistently ranked among the top five fraud methods. Organizations that have invested heavily in ransomware defenses may have blind spots in their VoIP infrastructure security. The group's community-driven model, with open sharing of tools and techniques via social media, means that the expertise to conduct these attacks is widely distributed and difficult to contain through law enforcement action alone.
Sources & Further Reading
Attribution and references used to build this profile.
- Check Point Research — INJ3CTOR3 Operation: Leveraging Asterisk Servers for Monetization (2020)
- The Hacker News — 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks (2026)
- SecPod — Ongoing Web Shell Attacks Hit 900+ FreePBX Systems: INJ3CTOR3 Behind EncystPHP Deployment (2026)
- Cybersecurity News — Hackers Exploiting FreePBX Vulnerability to Deploy Webshell (2026)
- The Hacker News — Premium-Rate Phone Fraudsters Hack VoIP Servers of 1,200 Companies (2020)
- Malpedia — INJ3CTOR3 Threat Actor Profile