A pro-Ukrainian hacktivist group, known as PhantomCore, has been implicated in cyberattacks targeting Russian servers using TrueConf video conferencing software since September 2025. According to a report from Positive Technologies, PhantomCore has been exploiting a chain of three vulnerabilities to execute remote commands on vulnerable systems.
Exploitation of TrueConf Vulnerabilities
PhantomCore, also referred to as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, has been active since 2022, following the outbreak of the Russo-Ukrainian conflict. The group has used unpublicized exploits to breach Russian organizations, resulting in data theft and network disruption, including the deployment of ransomware built from the leaked Babuk and LockBit source code.
The exploited TrueConf Server vulnerabilities are BDU:2025-10114, which allows unauthenticated access to administrative endpoints; BDU:2025-10115, which allows arbitrary files to be read; and BDU:2025-10116, a command injection flaw. Although TrueConf released patches on August 27, 2025, the first attacks were detected in mid-September 2025, so the affected servers were still unpatched weeks after fixes were available.
Impact and Tools Used by PhantomCore
By chaining these vulnerabilities, the attackers bypassed authentication and used the compromised TrueConf Server as a foothold for further intrusion into the network. They deployed malicious payloads for reconnaissance, defense evasion, and credential harvesting, and established communication channels with tunneling utilities.
Some attacks involved deploying a PHP-based web shell to upload files and execute remote commands. Other tools used include PhantomPxPigeon, PhantomSscp, MacTunnelRat, and PhantomProxyLite for reverse SSH tunnels, ADRecon for reconnaissance, and Veeam-Get-Creds for password recovery.
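The three vulnerability classes described above (unauthenticated access to admin endpoints, arbitrary file read, and command injection) and the follow-on web shell upload each leave a recognizable trace in web server access logs. The following Python script is an added example written for this page, not code from Positive Technologies or TrueConf: it parses a handful of constructed combined-format log lines, tags each request with the vulnerability class it resembles, and reports source addresses that trigger more than one class, which is the signature of a chained exploit rather than random scanning. The `/admin/` path prefix, the trailing session-cookie field, and every address and path in the sample log are assumptions chosen for illustration; the real TrueConf endpoints are not on the page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumed admin path prefix, for illustration only (not TrueConf's real endpoint layout).
ADMIN_PREFIX = "/admin/"

# Combined log format with one extra quoted field at the end carrying the session cookie
# ("-" when the request carried none). This layout is an assumption of the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<session>[^"]*)"$'
)

# Shell metacharacters that commonly appear in command-injection attempts.
CMD_META = re.compile(r'(;|\|\||\||&&|\$\(|`)')
# Directory traversal sequences typical of arbitrary-file-read attempts.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')

# Constructed sample log: the first source chains all four behaviours without a session,
# the second is an authenticated administrator doing ordinary work.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2025:10:01:02 +0000] "GET /admin/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [15/Sep/2025:10:01:05 +0000] "GET /admin/export?file=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [15/Sep/2025:10:01:09 +0000] "POST /admin/diag?host=127.0.0.1;id HTTP/1.1" 200 77 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [15/Sep/2025:10:01:20 +0000] "POST /admin/upload?name=shell.php HTTP/1.1" 201 20 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [15/Sep/2025:10:02:00 +0000] "GET /admin/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0" "sid=abc123"
198.51.100.7 - - [15/Sep/2025:10:02:30 +0000] "GET /conference/join?id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0" "sid=abc123"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["target"] = unquote(entry["target"])  # decode %2e%2e%2f and friends before matching
    return entry


def query_values(query):
    """Split a query string on '&' only, so ';' inside a value stays visible to CMD_META."""
    values = []
    for pair in query.split("&"):
        if pair:
            _, _, value = pair.partition("=")
            values.append(value)
    return values


def classify(entry):
    """Tag one request with the vulnerability classes it resembles."""
    findings = set()
    parts = urlsplit(entry["target"])
    values = query_values(parts.query)
    # Admin endpoint answered successfully with no session cookie: auth-bypass class.
    if parts.path.startswith(ADMIN_PREFIX) and entry["status"] < 400 and entry["session"] == "-":
        findings.add("unauth_admin")
    if TRAVERSAL.search(entry["target"]):
        findings.add("path_traversal")
    if any(CMD_META.search(v) for v in values):
        findings.add("command_injection")
    # A POST that names a .php file is the simplest web-shell upload indicator.
    if entry["method"] == "POST" and (
        parts.path.lower().endswith(".php") or any(v.lower().endswith(".php") for v in values)
    ):
        findings.add("webshell_upload")
    return findings


def analyze(log_text):
    """Aggregate findings per source address; addresses with no findings are omitted."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            per_ip[entry["ip"]] |= classify(entry)
    return {ip: classes for ip, classes in per_ip.items() if classes}


def chained_sources(per_ip, min_classes=2):
    """Sources that hit at least min_classes distinct classes: likely chained exploitation."""
    return sorted(ip for ip, classes in per_ip.items() if len(classes) >= min_classes)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for ip, classes in results.items():
        print(ip, sorted(classes))
    print("chained:", chained_sources(results))
```

The absence of a session cookie is a crude proxy for "unauthenticated"; in production the server's own authentication log is the authoritative source, and this heuristic is best used to prioritize which sessions to pull from it. Matching traversal and metacharacters on the decoded target rather than the raw one is deliberate, since URL encoding is the first thing an exploit uses to slip past a naive pattern.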
Broader Cyber Threat Landscape
PhantomCore’s activities are part of a wider pattern of cyber threats against Russian entities; groups such as CapFIX are also running phishing campaigns. CapFIX, which is financially motivated, has used phishing to deploy malware such as CapDoor, capable of executing commands and installing files fetched from remote servers.
Other threat actors such as Geo Likho, Mythic Likho, and various ‘Werewolf’ groups have targeted sectors like aviation, using techniques like phishing and deploying diverse malware for espionage and disruption. Despite utilizing similar methods, these groups operate independently, without direct coordination.
In conclusion, PhantomCore represents a significant cyber threat in the region, with its capability to exploit vulnerabilities and deploy sophisticated attacks posing ongoing challenges for cybersecurity defenses in Russia. The group’s persistent efforts to identify and leverage software weaknesses underscore the importance of timely security updates and robust protective measures.
