A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers.
"Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said.
PhantomCore, also called Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically- and financially-motivated hacking crew that has been active since 2022 following the Russo-Ukrainian war. Attacks mounted by the group are known to steal sensitive data and disrupt target networks, in some cases even deploying ransomware based on the leaked source code of Babuk and LockBit.
"The group runs large-scale operations while maintaining strong stealth -- remaining invisible in victim networks for extended periods -- enabled by continual updates and evolution of in-house offensive tools," the company noted back in September 2025.
List of TrueConf Server Vulnerabilities Exploited
- BDU:2025-10114 (CVSS score: 7.5) - An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
- BDU:2025-10115 (CVSS score: 7.5) - A vulnerability that could allow an attacker to read arbitrary files on the system.
- BDU-2025-10116 (CVSS score: 9.8) - A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
Successful exploitation of the three vulnerabilities could permit an attacker to bypass authentication and gain access to the organization's network. Although security patches to address the issues were released by TrueConf on August 27, 2025, the first attacks aimed at TrueConf servers were detected around mid-September 2025, per Positive Technologies.
In the attacks observed by the Russian security vendor, the compromise of the TrueConf Server enabled the threat actors to use it as a springboard to move laterally across the internal network and drop malicious payloads to facilitate reconnaissance, defense evasion, and credential harvesting, as well as set up communication channels using tunneling utilities.
At least one such successful compromise is said to have led to the deployment of a PHP-based web shell that's capable of uploading files to the infected host and executing remote commands, along with a PHP file that functions as a proxy server to disguise malicious requests as coming from a legitimate server.
Additional Tools Used in the Attacks
- PhantomPxPigeon, a malicious TrueConf video conferencing client that implements a reverse shell to connect to a remote server and receive tasks for subsequent execution, allowing it to run commands, launch executables, and allow traffic to be proxied through the aforementioned web shell.
- PhantomSscp (DLL), MacTunnelRat (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached environment via a reverse SSH tunnel.
- ADRecon, for reconnaissance.
- Veeam-Get-Creds, a modified version of the PowerShell script to recover passwords related to the Veeam Backup & Replication software.
- DumpIt and MemProcFS, for credential harvesting.
- Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), for lateral movement within the network perimeter.
- Velociraptor, for remote access.
- microsocks, rsocx, and tsocks, for controlling compromised hosts from attacker-controlled infrastructure using a SOCKS proxy.
Select intrusions have utilized a DLL to create a rogue user named "TrueConf2" with administrative privileges on a compromised video conferencing server.
PhantomCore's attack chains have also been found to use phishing lures for initial access to Russian organizations as recently as January and February 2026, using crafted ZIP or RAR archives to distribute a backdoor that can run remote commands on the host and serve arbitrary payloads.
"The PhantomCore group is one of the most active groups in the Russian threat landscape. Its arsenal includes both publicly available tools (Velociraptor, Memprocfs, Dokan, DumpIt) and proprietary tools (MacTunnelRAT, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries. PhantomCore actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate a large number of Russian companies." — Positive Technologies researchers
In recent months, industrial and aviation sectors in Russia have been targeted by phishing campaigns orchestrated by a financially motivated group named CapFIX to deploy a backdoor dubbed CapDoor that can run PowerShell commands, DLLs, and executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFIX is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic.
A deeper analysis of the threat actor's campaigns in October and November 2025 has uncovered the threat actor's use of ClickFix to deploy off-the-shelf malware families like AsyncRAT and SectopRAT. "While the group previously relied on financially themed phishing emails (cryptocurrency and anything money-related), they are now increasingly masking their emails as official communications from government agencies," Positive Technologies said.
Other Threat Groups Targeting Russian Entities
- Geo Likho: Targets aviation and shipping sectors in Russia and Belarus since July 2024, using phishing attacks that deliver information-stealing malware. Isolated infections in Germany, Serbia, and Hong Kong suspected to be accidental.
- Mythic Likho: Uses phishing lures via email to deliver loaders like HuLoader, Merlin (a Mythic agent), or ReflectPulse that unpack a backdoor called Loki, a Mythic-compatible version of an agent for the Havoc post-exploitation framework. Shares ties with ExCobalt due to use of the latter's proprietary rootkit, Megatsune.
- Paper Werewolf (aka GOFFEE): Uses a dedicated Telegram channel to distribute a trojan called EchoGather under the guise of a tool to add Starlink devices to an exception list, and shares links to phishing pages to harvest Telegram account credentials. Also used a bogus website advertising a drone pilot simulator to drop EchoGather.
- Versatile Werewolf (aka HeartlessSoul): Used a phony website ("stardebug[.]app") to distribute a fake MSI installer for Star Debug, an alternative tool to manage Starlink devices, in order to deploy the Sliver post‑exploitation framework. Another website ("alphafly-drones[.]com") used rogue drone simulator apps to likely drop SoullessRAT, a Windows trojan that can run commands, upload files, capture screenshots, and execute binaries.
- Eagle Werewolf: A previously undocumented group that compromised drone‑focused Telegram channels to distribute AquilaRAT via a Rust dropper masquerading as a checklist for Starlink device activation. AquilaRAT can perform file operations and run commands.
"Despite sharing a common goal and employing similar techniques, the clusters operated autonomously, showing no evidence of direct coordination. In addition to malware distribution, Paper Werewolf hijacks Telegram accounts. The cluster likely uses them as trusted channels to support future attacks. Versatile Werewolf leverages generative AI to develop tools used in their attacks, accelerating the development process." — BI.ZONE
