A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025.
That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers.
"Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said.
PhantomCore, also called Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically- and financially-motivated hacking crew that has been active since 2022 following the Russo-Ukrainian war. Attacks mounted by the group are known to steal sensitive data and disrupt target networks, in some cases even deploying ransomware based on the leaked source code of Babuk and LockBit.
"The group runs large-scale operations while maintaining strong stealth -- remaining invisible in victim networks for extended periods -- enabled by continual updates and evolution of in-house offensive tools," the company noted back in September 2025.
The TrueConf Server vulnerabilities exploited in the attacks are listed below -
- BDU:2025-10114 (CVSS score: 7.5) - An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
- BDU:2025-10115 (CVSS score: 7.5) - A vulnerability that could allow an attacker to read arbitrary files on the system.
- BDU-2025-10116 (CVSS score: 9.8) - A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
Successful exploitation of the three vulnerabilities could permit an attacker to bypass authentication and gain access to the organization's network. Although security patches to address the issues were released by TrueConf on August 27, 2025, the first attacks aimed at TrueConf servers were detected around mid-September 2025, per Positive Technologies.
In the attacks observed by the Russian security vendor, the compromise of the TrueConf Server enabled the threat actors to use it as a springboard to move laterally across the internal network and drop malicious payloads to facilitate reconnaissance, defense evasion, and credential harvesting, as well as set up communication channels using tunneling utilities.
At least one such successful compromise is said to have led to the deployment of a PHP-based web shell that's capable of uploading files to the infected host and executing remote commands, along with a PHP file that functions as a proxy server to disguise malicious requests as coming from a legitimate server.
Some of the other tools delivered as part of the attack are as follows -
- PhantomPxPigeon, a malicious TrueConf video conferencing client that implements a reverse shell to connect to a remote server and receive tasks for subsequent execution, allowing it to run commands, launch executables, and allow traffic to be proxied through the aforementioned web shell
- PhantomSscp (DLL), MacTunnelRat (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached environment via a reverse SSH tunnel
- ADRecon, for reconnaissance
- Veeam-Get-Creds, a modified version of the PowerShell script to recover passwords related to the Veeam Backup & Replication software
- DumpIt and MemProcFS, for credential harvesting
- Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), for lateral movement within the network perimeter
- Velociraptor, for remote access
- microsocks, rsocx, and tsocks, for controlling compromised hosts from attacker-controlled infrastructure using a SOCKS proxy
Select intrusions have utilized a DLL to create a rogue user named "TrueConf2" with administrative privileges on a compromised video conferencing server.
PhantomCore's attack chains have also been found to use phishing lures for initial access to Russian organizations as recently as January and February 2026, using crafted ZIP or RAR archives to distribute a backdoor that can run remote commands on the host and serve arbitrary payloads.
"The PhantomCore group is one of the most active groups in the Russian threat landscape," the researchers concluded. "Its arsenal includes both publicly available tools (Velociraptor, Memprocfs, Dokan, DumpIt) and proprietary tools (MacTunnelRAT, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries."
"PhantomCore actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate a large number of Russian companies."
In recent months, industrial and aviation sectors in Russia have been targeted by phishing campaigns orchestrated by a financially motivated group named CapFIX to deploy a backdoor dubbed CapDoor that can run PowerShell commands, DLLs, and executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFIX is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic.
A deeper analysis of the threat actor's campaigns in October and November 2025 has uncovered the threat actor's use of ClickFix to deploy off-the-shelf malware families like AsyncRAT and SectopRAT.
"While the group previously relied on financially themed phishing emails (cryptocurrency and anything money-related), they are now increasingly masking their emails as official communications from government agencies," Positive Technologies said.
PhantomCore and CapFIX are among a growing list of threat activity clusters that have mounted attacks against Russian entities. Some of the other prominent groups include -
- Geo Likho, which has mainly targeted aviation and shipping sectors in Russia and Belarus since July 2024, using phishing attacks that deliver information-stealing malware. Isolated infections have also been detected in Germany, Serbia, and Hong Kong, and are suspected to be accidental.
- Mythic Likho, which uses phishing lures via email to deliver loaders like HuLoader, Merlin (a Mythic agent), or ReflectPulse that are designed to unpack the final payload, a backdoor called Loki that's a Mythic-compatible version of an agent designed for the Havoc post-exploitation framework. Evidence has indicated that the group shares ties with another group known as ExCobalt, owing to the use of the latter's proprietary rootkit, Megatsune.
- Paper Werewolf (aka GOFFEE), which has used a dedicated Telegram channel to distribute a trojan called EchoGather under the guise of a tool to add Starlink devices to an exception list, in addition to sharing links to phishing pages that are designed to harvest victims' Telegram account credentials. The group has also been observed using a bogus website advertising a drone pilot simulator to drop EchoGather.
- Versatile Werewolf (aka HeartlessSoul), which has used fake websites ("stardebug[.]app") to distribute fake MSI installers for Star Debug, an alternative tool to manage Starlink devices, to deploy the Sliver post‑exploitation framework. Another website tied to the threat actor ("alphafly-drones[.]com") has used rogue drone simulator apps to likely drop SoullessRAT, a Windows trojan that can run commands, upload files, capture screenshots, and execute binaries.
- Eagle Werewolf, a previously undocumented threat group that has compromised drone‑focused Telegram channels to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. A Rust-based trojan, AquilaRAT, can perform file operations and run commands.
"Despite sharing a common goal and employing similar techniques, the clusters operated autonomously, showing no evidence of direct coordination," Russian cybersecurity company BI.ZONE said.
"In addition to malware distribution, Paper Werewolf hijacks Telegram accounts. The cluster likely uses them as trusted channels to support future attacks. Versatile Werewolf leverages generative AI to develop tools used in their attacks, accelerating the development process."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.