TrueConf: PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

PhantomCore Exploits TrueConf Vulnerabilities in Targeted Russian Cyberattacks

Since September 2025, the pro-Ukrainian hacktivist group PhantomCore (also known as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901) has been actively targeting Russian organizations by exploiting critical vulnerabilities in TrueConf video conferencing software. According to a report by Positive Technologies, the group chained three flaws that were still unpatched on the targeted servers to execute remote commands, despite no public exploits being available at the time.

PhantomCore, active since 2022, is a politically and financially motivated threat actor known for data theft, network disruption, and ransomware deployment, including variants based on leaked Babuk and LockBit source code. The group operates with high stealth, remaining undetected in victim networks for extended periods while continuously refining its offensive tools.

Exploited Vulnerabilities

The attacks targeted three TrueConf Server vulnerabilities, all patched by the vendor on August 27, 2025, but first exploited in mid-September:

  • BDU:2025-10114 (CVSS 7.5) – Insufficient access control allowing unauthenticated requests to administrative endpoints.
  • BDU:2025-10115 (CVSS 7.5) – Arbitrary file read vulnerability.
  • BDU:2025-10116 (CVSS 9.8) – Command injection flaw enabling arbitrary OS command execution.

Successful exploitation allowed attackers to bypass authentication, gain network access, and use compromised TrueConf servers as entry points for lateral movement. Positive Technologies observed the group deploying:

  • A PHP-based web shell for file uploads and remote command execution.
  • PhantomPxPigeon, a malicious TrueConf client with reverse shell capabilities.
  • PhantomSscp, MacTunnelRat, and PhantomProxyLite for establishing persistent footholds via reverse SSH tunnels.
  • ADRecon for reconnaissance and Veeam-Get-Creds for credential harvesting.
  • DumpIt and MemProcFS for extracting sensitive data.
  • WinRM, RDP, and Velociraptor for lateral movement and remote access.
  • SOCKS proxies (microsocks, rsocx, tsocks) to control compromised hosts.

In some cases, attackers created a rogue admin account (TrueConf2) on breached servers.

Broader Tactics and Recent Activity

PhantomCore has also used phishing lures, including malicious ZIP/RAR archives, to distribute backdoors capable of remote command execution and payload delivery. Recent campaigns in January–February 2026 targeted Russian organizations with these methods.

The group’s arsenal includes both publicly available tools (e.g., Velociraptor, MemProcFS) and custom malware (e.g., MacTunnelRAT, PhantomProxyLite). PhantomCore actively researches vulnerabilities in domestic Russian software to maximize infiltration across government and private-sector entities.

Other Threat Groups Targeting Russia

PhantomCore is part of a growing wave of cyber threats against Russian infrastructure, including:

  • CapFIX – A financially motivated group using ClickFix social engineering to deploy CapDoor (a backdoor for PowerShell/DLL execution) and off-the-shelf malware like AsyncRAT and SectopRAT. Recent campaigns masquerade as official government communications.
  • Geo Likho – Focused on aviation and shipping sectors in Russia and Belarus since July 2024, delivering info-stealing malware. Accidental infections have been detected in Germany, Serbia, and Hong Kong.
  • Mythic Likho – Uses phishing to deliver loaders (HuLoader, Merlin, ReflectPulse) leading to Loki, a Mythic-compatible backdoor. Linked to ExCobalt due to shared use of the Megatsune rootkit.
  • Paper Werewolf (GOFFEE) – Distributes EchoGather trojan via Telegram under the guise of Starlink tools, alongside phishing pages for Telegram credential theft.
  • Versatile Werewolf (HeartlessSoul) – Uses fake Star Debug and drone simulator websites to deploy Sliver and SoullessRAT, a trojan with command execution and screenshot capabilities.
  • Eagle Werewolf – A newly identified group compromising drone-related Telegram channels to distribute AquilaRAT, a Rust-based trojan for file operations and command execution.

Despite overlapping goals and techniques, these groups operate independently with no evidence of direct coordination. Some, like Paper Werewolf, hijack Telegram accounts for future attacks, while Versatile Werewolf leverages generative AI to accelerate tool development.

Source: https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html

TrueConf cybersecurity rating report: https://www.rankiteo.com/company/trueconf

{"id": "TRU1777295519",
 "linkid": "trueconf",
 "type": "Vulnerability",
 "date": "9/2025",
 "severity": "100",
 "impact": "5",
 "explanation": "Attack threatening the organization's existence"}
{'affected_entities': [{'industry': ['Video Conferencing', 'Technology'],
                        'location': 'Russia',
                        'type': ['Government', 'Private Sector']}],
 'attack_vector': 'Exploitation of unpatched vulnerabilities in TrueConf '
                  'Server',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Sensitive organizational data']},
 'date_detected': '2025-09-01',
 'date_publicly_disclosed': '2025-08-27',
 'description': 'Since September 2025, the pro-Ukrainian hacktivist group '
                'PhantomCore has been targeting Russian organizations by '
                'exploiting critical vulnerabilities in TrueConf video '
                'conferencing software. The group leveraged a chain of three '
                'unpatched flaws to execute remote commands on vulnerable '
                'servers, deploying web shells, custom malware, and tools for '
                'lateral movement and data exfiltration.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': True,
            'operational_impact': 'Network disruption, unauthorized access, '
                                  'lateral movement',
            'systems_affected': ['TrueConf video conferencing servers',
                                 'Network infrastructure']},
 'initial_access_broker': {'backdoors_established': ['PhantomPxPigeon',
                                                     'PhantomSscp',
                                                     'MacTunnelRat',
                                                     'PhantomProxyLite'],
                           'entry_point': 'Exploited TrueConf Server '
                                          'vulnerabilities'},
 'investigation_status': 'Ongoing',
 'motivation': ['Political', 'Financial'],
 'post_incident_analysis': {'corrective_actions': ['Apply vendor patches',
                                                   'Implement network '
                                                   'segmentation',
                                                   'Enhance monitoring for '
                                                   'custom malware'],
                            'root_causes': 'Unpatched vulnerabilities in '
                                           'TrueConf Server'},
 'ransomware': {'data_exfiltration': True,
                'ransomware_strain': ['Babuk-based', 'LockBit-based']},
 'recommendations': ['Patch TrueConf Server vulnerabilities immediately',
                     'Monitor for unauthorized access and lateral movement',
                     'Deploy enhanced detection for custom malware and web '
                     'shells'],
 'references': [{'source': 'Positive Technologies'}],
 'response': {'third_party_assistance': 'Positive Technologies'},
 'threat_actor': 'PhantomCore (aka Fairy Trickster, Head Mare, Rainbow Hyena, '
                 'UNG0901)',
 'title': 'PhantomCore Exploits TrueConf Vulnerabilities in Targeted Russian '
          'Cyberattacks',
 'type': ['Cyber Espionage', 'Ransomware', 'Data Theft'],
 'vulnerability_exploited': ['BDU:2025-10114 (CVSS 7.5) - Insufficient access '
                             'control',
                             'BDU:2025-10115 (CVSS 7.5) - Arbitrary file read',
                             'BDU-2025-10116 (CVSS 9.8) - Command injection']}