VictamPbx is a criminal threat actor or operator branding associated with a FreePBX malware and webshell campaign targeting internet-exposed VoIP platforms including FreePBX, Elastix, Issabel, and Sangoma systems for toll fraud and likely International Revenue Share Fraud. Breakglass Intelligence observed 17 closely related k.php malware variants on March 14-15, 2026, with each variant deploying the VictamPbx PHP webshell. The operation exploited the FreePBX restapps REST API for remote code execution on unpatched systems, deployed webshells across multiple web-accessible paths, timestomped files, scrubbed Apache logs, and established layered persistence via webshells, cron jobs, boot and login execution, SSH authorized keys, and multiple root-level OS accounts. The VictamPbx webshell used MD5-based authentication and supported command execution, Elastix credential theft from the SQLite ACL database, FreePBX admin session hijacking, and Asterisk call origination for fraudulent calls. A newer Stage 2 payload systematically removed implants, accounts, cron jobs, and webshells associated with at least seven competing threat actors before installing its own persistence, including artifacts linked to Juba VoIP, Nahda, Badr or b3d0r, nvd0rz, tchTowr, and yokyok. The malware also disabled the FreePBX endpoint manager module and created a FreePBX admin backdoor account named emoadmin. Infrastructure tied to the activity centered on 45.234.176.202, 45.234.176.67, and 45.234.176.204 in AS267369 in Salvador, Bahia, Brazil; 45.234.176.202 served payloads and panel resources, while 45.234.176.204 functioned as a SIP gateway where stolen call routes terminated. Operator branding and related aliases mentioned in the reporting include VictamPbx, emoadmin, emo, Raza Telefonia, and depp.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Attributed origin per open-source reporting.
14 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.