VYPR · breach · Published Apr 27, 2026 · Updated May 18, 2026 · 1 source

PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

Pro-Ukrainian hacktivist group PhantomCore exploited three TrueConf Server vulnerabilities to breach Russian networks since September 2025, using a chain of authentication bypass, arbitrary file read, and command injection flaws.

A pro-Ukrainian hacktivist group called PhantomCore has been actively exploiting three vulnerabilities in TrueConf Server software to breach Russian organizations since September 2025, according to a report from Positive Technologies. The group, also known as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, has been active since 2022 and is politically and financially motivated, known for stealing sensitive data and deploying ransomware based on leaked Babuk and LockBit source code.

The exploit chain targets three specific vulnerabilities: BDU:2025-10114 (CVSS 7.5), an insufficient access control flaw allowing unauthenticated requests to administrative endpoints; BDU:2025-10115 (CVSS 7.5), enabling arbitrary file read; and BDU:2025-10116 (CVSS 9.8), a command injection vulnerability that allows remote code execution. Together, these flaws permit an attacker to bypass authentication and gain full access to the organization's network. TrueConf released patches on August 27, 2025, but attacks began around mid-September, indicating that PhantomCore developed exploits before patches were widely deployed.

Once inside, PhantomCore uses the compromised TrueConf server as a springboard for lateral movement across the internal network. Attackers deploy a PHP-based web shell capable of uploading files and executing commands, along with a PHP proxy server to disguise malicious traffic as legitimate. They also install a malicious TrueConf client called PhantomPxPigeon, which implements a reverse shell to receive commands, execute payloads, and proxy traffic through the web shell.

Additional tools include tunneling utilities like PhantomSscp, MacTunnelRat, and PhantomProxyLite for establishing reverse SSH tunnels; reconnaissance tools like ADRecon; credential harvesters such as Veeam-Get-Creds (targeting Veeam Backup & Replication), DumpIt, and MemProcFS; and remote access tools like Velociraptor. Lateral movement is achieved via WinRM and RDP. In some cases, attackers create a rogue user named "TrueConf2" with administrative privileges on the video conferencing server.
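The rogue "TrueConf2" administrator account and the RDP/WinRM lateral movement described above are the kind of activity a defender can catch from Windows Security log events. The following detection logic is an added example, not code from the Positive Technologies report or from TrueConf: it correlates local-account creation (Security event 4720) with a subsequent addition to the Administrators group (event 4732) on the same host, and additionally flags the account name the report quotes. The event field names and the sample events are constructed for the example.

```python
# Added detection example (not from the original report): correlate Windows
# Security events for local-account creation (4720) and addition to a
# security-enabled local group (4732), and flag the rogue "TrueConf2"
# administrator account the report describes.
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumed and
# mirror what a SIEM typically extracts from events 4720 and 4732.
SAMPLE_EVENTS = [
    {"ts": "2025-09-15T03:12:07", "host": "tc-srv01", "event_id": 4720,
     "subject": "tc-srv01$", "target": "TrueConf2", "group": None},
    {"ts": "2025-09-15T03:12:09", "host": "tc-srv01", "event_id": 4732,
     "subject": "tc-srv01$", "target": "TrueConf2", "group": "Administrators"},
    {"ts": "2025-09-15T09:40:00", "host": "hr-ws07", "event_id": 4720,
     "subject": "it.admin", "target": "j.smith", "group": None},
    {"ts": "2025-09-15T09:41:00", "host": "hr-ws07", "event_id": 4732,
     "subject": "it.admin", "target": "j.smith", "group": "Remote Desktop Users"},
]

ROGUE_NAMES = {"trueconf2"}        # account name quoted in the report
WINDOW = timedelta(minutes=10)    # creation followed by group add within 10 min


def find_rogue_admin_creation(events, window=WINDOW):
    """Return (host, account, reason) alerts for accounts that are created and
    then added to Administrators on the same host within `window`, and for
    any account whose name matches a known rogue indicator."""
    alerts = []
    created = {}  # (host, account-lowercase) -> creation time
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["target"].lower())
        if ev["event_id"] == 4720:
            created[key] = t
            if key[1] in ROGUE_NAMES:
                alerts.append((ev["host"], ev["target"], "known rogue account name"))
        elif ev["event_id"] == 4732 and ev["group"] == "Administrators":
            born = created.get(key)
            if born is not None and t - born <= window:
                alerts.append((ev["host"], ev["target"],
                               "new account promoted to Administrators"))
    return alerts


if __name__ == "__main__":
    for host, account, reason in find_rogue_admin_creation(SAMPLE_EVENTS):
        print(f"{host}: {account} - {reason}")
```

The j.smith account is created and added only to Remote Desktop Users, so it produces no alert; only the TrueConf2 sequence on the conferencing server is flagged.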

PhantomCore's operations extend beyond TrueConf exploitation. The group also uses phishing lures, distributing backdoors via ZIP or RAR archives as recently as January and February 2026. These campaigns target government and private organizations across various industries in Russia. Positive Technologies notes that the group actively searches for vulnerabilities in domestic software and develops exploits, enabling large-scale infiltration.

The report describes PhantomCore as one of the most active threat groups in the Russian threat landscape, operating with a blend of publicly available and custom tools. The group's ability to remain undetected for extended periods, combined with continuous tool evolution, poses a significant risk to Russian organizations. The TrueConf campaign underscores the importance of timely patching and the threat posed by politically motivated hacktivists targeting critical infrastructure.

Synthesized by Vypr AI