
PhantomCore's TrueConf Exploits Expose Russian Networks: A Deep Dive into the Attack Chain

A pro-Ukrainian hacktivist group is actively compromising Russian organizations by exploiting critical vulnerabilities in TrueConf video conferencing software. This sophisticated attack chain bypasses defenses and provides deep network access.

Diagram showing the interconnected vulnerabilities and attack vectors used by PhantomCore against TrueConf servers.

⚡ Key Takeaways

  • Pro-Ukrainian hacktivist group PhantomCore is actively exploiting a chain of three vulnerabilities in TrueConf video conferencing software in Russia.
  • The exploit chain allows for remote command execution, arbitrary file reads, and bypass of authentication, granting deep network access.
  • PhantomCore utilizes the compromised TrueConf server as a springboard for lateral movement, data exfiltration, and deployment of custom malware and backdoors.

The hum of servers in a darkened data center, a phantom whisper of compromised credentials.

This has been the reality for a number of Russian organizations since September 2025, courtesy of a pro-Ukrainian hacktivist group tracked as PhantomCore. Positive Technologies has detailed how the group, also known by aliases including Fairy Trickster and Head Mare, has been targeting servers running TrueConf video conferencing software. What stands out is not just the targets but the technique: an exploit chain of three distinct vulnerabilities that ends in remote command execution on unpatched servers.

And this is not casual snooping or a script kiddie's playground. “Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations,” researchers Daniil Grigoryan and Georgy Khandozhko stated. Note what that does and does not say: the vendor had already shipped fixes, but no public exploit existed, so the group did its own research, reproduced the bugs and built a working chain. That is n-day exploitation backed by a dedicated research effort rather than zero-day use, and it shows that the absence of a public proof of concept buys defenders far less time than they tend to assume.

PhantomCore isn’t new to the game. Active since 2022, their motivations appear dual-pronged: political, undeniably, given the context of the Russo-Ukrainian war, but also financial. Their modus operandi typically involves pilfering sensitive data and disrupting network operations. In some cases, they’ve even dabbled in ransomware, leveraging leaked source code from infamous groups like Babuk and LockBit. Positive Technologies noted back in September 2025 that the group “runs large-scale operations while maintaining strong stealth – remaining invisible in victim networks for extended periods – enabled by continual updates and evolution of in-house offensive tools.” This stealth and adaptability is, frankly, terrifying from a defensive perspective.

The Technical Knockout: TrueConf Vulnerabilities Unpacked

The specific vulnerabilities exploited by PhantomCore, as detailed by Positive Technologies, paint a clear picture of how these intrusions are facilitated:

  • BDU:2025-10114 (CVSS score: 7.5): Insufficient access control. Requests to the administrative endpoints under /admin/* are served without any authentication check, so an unauthenticated attacker can reach functions meant only for administrators. The front door of the building is open and nobody asks for an ID.
  • BDU:2025-10115 (CVSS score: 7.5): Arbitrary file read. Reached through that unauthenticated admin surface, it lets the attacker read any file the server can read: configuration files, the credentials and secrets stored in them, user data.
  • BDU:2025-10116 (CVSS score: 9.8): OS command injection, and the big one. Attacker-controlled input ends up inside an operating system command, so the attacker executes arbitrary commands in the context of the server process. This is where reconnaissance turns into control of the host.

Chained, the three give attackers a golden ticket: walk past authentication, read what the server holds, then issue commands to it directly. Timing matters here. TrueConf released fixes on August 27, 2025, and the first observed attacks began around mid-September 2025, so every victim was running a build that was already three weeks out of date. A three-week patch gap on an admin interface the attacker can reach is all a capable actor needs to establish a foothold.
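The first link of that chain leaves a plain trace: a successful request to something under /admin/* from a client that never authenticated. The script below is an added example written for this page, not PhantomCore's tooling and not TrueConf's code. It hunts reverse-proxy access logs for exactly that pattern and assumes a combined-format log line with the request's Cookie header appended as a final quoted field and a session cookie named `session`; both are assumptions to adjust to your deployment, and the log lines it runs over are constructed.

```python
"""Hunt reverse-proxy access logs for unauthenticated hits on /admin/*.

Added example for this article: not PhantomCore's tooling, not TrueConf's code.
Assumed log format: combined-style line from a reverse proxy in front of the
server, plus one trailing quoted field holding the Cookie header ("-" if none).
Assumed session cookie name: SESSION_COOKIE. Adjust both to your deployment.
"""
import posixpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"'
)
SESSION_COOKIE = "session"   # assumption: name of the authenticated-session cookie
ADMIN_ROOT = "/admin"        # the administrative tree named in the report
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str


def normalize_path(raw: str) -> str:
    """Decode and collapse the path so /ADMIN//x, /admin/%2e%2e/admin/x and /admin/x
    compare equal; a prefix test on the raw string misses all of these."""
    path = posixpath.normpath(unquote(raw.split("?", 1)[0]))
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def is_admin_path(path: str) -> bool:
    return path == ADMIN_ROOT or path.startswith(ADMIN_ROOT + "/")


def has_session(cookie_field: str) -> bool:
    """True when a session cookie was sent at all (says nothing about its validity)."""
    return any(c.strip().startswith(SESSION_COOKIE + "=") for c in cookie_field.split(";"))


def hunt(lines):
    """One Finding per admin request that arrived without a session cookie.
    2xx means the access control did not fire (the BDU:2025-10114 condition);
    401/403 means it did, which is still worth seeing as probing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines rather than dropping them
        path = normalize_path(m["path"])
        if not is_admin_path(path) or has_session(m["cookie"]):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            severity = "high" if m["method"] in WRITE_METHODS else "medium"
        elif status in (401, 403):
            severity = "info"
        else:
            continue  # a redirect to the login page is the healthy outcome
        findings.append(Finding(m["ip"], m["ts"], m["method"], path, status, severity))
    return findings


def summarize(findings):
    """Severity counts per source address: the shape you hand to IR or a blocklist."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f.ip][f.severity] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


# Constructed sample log; not taken from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2025:03:12:41 +0300] "GET /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.32" "-"
203.0.113.7 - - [15/Sep/2025:03:12:43 +0300] "POST /ADMIN//settings HTTP/1.1" 200 88 "-" "python-requests/2.32" "-"
198.51.100.20 - - [15/Sep/2025:08:01:10 +0300] "GET /admin/users HTTP/1.1" 200 3210 "-" "Mozilla/5.0" "session=0a1b2c; lang=ru"
198.51.100.21 - - [15/Sep/2025:08:02:00 +0300] "GET /admin/users HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [15/Sep/2025:09:00:00 +0300] "GET /c/weekly-sync HTTP/1.1" 200 900 "-" "Mozilla/5.0" "-"
203.0.113.9 - - [15/Sep/2025:09:00:05 +0300] "GET /admin/users HTTP/1.1" 403 0 "-" "curl/8.5.0" "-"
""".splitlines()

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.ip:15} {f.method:4} {f.path} -> {f.status}")
    print(summarize(results))
```

A cookie being present says nothing about whether it was valid, so this catches the blatant case the access-control flaw creates, not a stolen or forged session. Run it over logs from August 27, 2025 onward, the date the fixes became available, and treat any 2xx from an address you do not own as a trigger to check the host itself.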

From Video Conferencing to Network Springboard

Once inside a compromised TrueConf Server, PhantomCore doesn’t just sit back and admire their handiwork. They use the server as a launchpad. The report details how they move laterally across the internal network, dropping malicious payloads designed for reconnaissance, evasion, and credential harvesting. They also establish persistent communication channels, often using tunneling utilities to mask their traffic.

A common tactic observed is the deployment of a PHP-based web shell on the server. This script lets them upload files to the host and execute remote commands. A companion PHP file acts as a proxy, so their subsequent requests into the internal network appear to originate from the TrueConf server itself, a host that other systems and monitoring rules have every reason to trust. It’s a simple bit of misdirection that can significantly prolong an undetected presence.

PhantomCore’s toolkit is a mix of proprietary and publicly available instruments, and it maps cleanly onto the phases of an intrusion:

  • Foothold and tasking on the server: a custom, malicious build of the TrueConf video conferencing client, PhantomPxPigeon, which implements a reverse shell that connects back to a remote server, receives tasks, executes commands and proxies traffic through the web shell.
  • Persistence and tunneling: PhantomSscp (a DLL), MacTunnelRAT (PowerShell) and PhantomProxyLite (PowerShell), used to create reverse SSH tunnels.
  • Reconnaissance: ADRecon, for Active Directory enumeration.
  • Credential harvesting: Veeam-Get-Creds (a modified script that targets credentials stored by Veeam backup software), plus DumpIt for memory acquisition and MemProcFS for analysing the dumps.
  • Lateral movement and remote access: Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), with Velociraptor, a legitimate forensics agent, repurposed for broad remote access.
  • Command and control: microsocks, rsocx and tsocks, to manage compromised hosts through SOCKS proxies.

In some intrusions, the attackers went as far as creating a rogue administrative user named “TrueConf2” on the compromised server, granting themselves elevated privileges. It’s a level of system manipulation that underscores their intent to embed themselves deeply within target environments, and it is also one of the cheapest indicators in this report to hunt for: a privileged account that nobody in the organization created.

Phishing: The Persistent Entry Vector

While the TrueConf exploit chain is a significant vector, PhantomCore hasn’t abandoned more traditional methods. As recently as January and February 2026, they’ve been observed using phishing lures to gain initial access to Russian organizations. These attacks typically involve crafted ZIP or RAR archives that deliver a backdoor capable of executing remote commands and serving arbitrary payloads. It’s a hybrid approach, pairing the group’s own exploits for unpatched domestic software with well-worn social engineering.

A Calculated Threat Landscape

“The PhantomCore group is one of the most active groups in the Russian threat landscape,” the Positive Technologies researchers concluded. “Its arsenal includes both publicly available tools (Velociraptor, Memprocfs, Dokan, DumpIt) and proprietary tools (MacTunnelRAT, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries.” This isn’t a fringe group; they are a significant player actively shaping the Russian cyber threat landscape.

And their strategic focus is clear: “PhantomCore actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate a large number of Russian companies.” This highlights a crucial, and frankly alarming, trend: the deliberate targeting of local software ecosystems to achieve national-level cyber objectives. It’s a calculated strategy that, if left unchecked, could have far-reaching implications for network security within Russia and potentially beyond its borders.

Is TrueConf a Systemic Risk?

The exploitation of TrueConf software by PhantomCore raises significant questions about the security posture of domestic Russian software solutions. TrueConf did release patches, and it did so before the first observed attacks; the problem was everything after that. A capable group built a working chain from flaws that had no public exploit, and found enough unpatched, reachable servers to run what Positive Technologies describes as a large number of operations. The lesson is less about one vendor than about the race between vulnerability disclosure and patch deployment, which attackers keep winning. Treating a patch release as the starting gun rather than the finish line, and keeping administrative interfaces off networks an attacker can reach, are the two controls that would have blunted this chain. The security of any single piece of software is only as strong as its development lifecycle and the diligence of its user base in applying updates.

What Does This Mean for Critical Infrastructure?

For organizations operating critical infrastructure within Russia, this incident isn’t just another headline; it’s a flashing red alert. TrueConf, like many enterprise communication platforms, handles sensitive internal communications and sits on the internal network. A compromise here can be a direct gateway to operational technology (OT) networks or other critical systems if segmentation and network access controls aren’t rigorously enforced. The ease with which PhantomCore established persistence and moved laterally after breaching the TrueConf server suggests that many victims had little in the way of defenses against a persistent intruder. The deployment of custom malware, the creation of rogue administrative accounts, and the use of tunneling and SOCKS proxies all point to actors able to operate undetected for extended periods. The concrete checks follow from the report itself: confirm the TrueConf build postdates the August 27, 2025 fixes, keep /admin/* off networks an attacker can reach, and hunt for unexpected PHP files in the web root, an administrative account named TrueConf2, reverse SSH tunnels and SOCKS proxy processes. Beyond that, the incident highlights the need for threat hunting, tested incident response plans, and a posture that assumes breach rather than relying on prevention alone.



Written by

Elena Vasquez

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.


Originally reported by The Hacker News
