A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025.
That’s according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible servers.
“Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations,” researchers Daniil Grigoryan and Georgy Khandozhko said.
PhantomCore, also called Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically- and financially-motivated hacking crew that has been active since 2022 following the Russo-Ukrainian war. Attacks mounted by the group are known to steal sensitive data and disrupt target networks, in some cases even deploying ransomware based on the leaked source code of Babuk and LockBit.
“The group runs large-scale operations while maintaining strong stealth — remaining invisible in victim networks for extended periods — enabled by continual updates and evolution of in-house offensive tools,” the company noted back in September 2025.
The TrueConf Server vulnerabilities exploited in the attacks are listed below –
- BDU:2025-10114 (CVSS score: 7.5) – An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
- BDU:2025-10115 (CVSS score: 7.5) – A vulnerability that could allow an attacker to read arbitrary files on the system.
- BDU:2025-10116 (CVSS score: 9.8) – A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
Successful exploitation of the three vulnerabilities could permit an attacker to bypass authentication and gain access to the organization’s network. Although security patches to address the issues were released by TrueConf on August 27, 2025, the first attacks aimed at TrueConf servers were detected around mid-September 2025, per Positive Technologies.
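As an added illustration of the detection side of the chain described above (this is not code from the Positive Technologies report or from TrueConf): a small Python analyzer over constructed access-log lines that flags successful, unauthenticated requests to /admin/* endpoints and traversal-style file-read indicators, grouped per source. The combined-log layout, the endpoint names in the sample and the use of the authuser field as the identity signal are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in combined-log layout (client ident authuser [time] "request" status ...).
# Endpoint names are invented for the sample; only the /admin/ prefix comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2025:03:12:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Sep/2025:03:12:02 +0000] "GET /admin/users HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [15/Sep/2025:03:12:03 +0000] "GET /admin/export?file=../../../etc/hosts HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [15/Sep/2025:03:12:04 +0000] "POST /admin/run HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.4 - admin [15/Sep/2025:09:00:00 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.12 - - [15/Sep/2025:09:05:00 +0000] "GET /c/meeting123 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Finding:
    ip: str
    first_seen: str
    last_seen: str = ""
    unauth_admin_hits: int = 0   # 2xx replies to /admin/* with no authenticated identity
    traversal_hits: int = 0      # "../"-style sequences in an /admin/* request URI
    uris: list = field(default_factory=list)

def analyze(log_text):
    """Return {source_ip: Finding} for sources showing either indicator."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m["uri"]
        if not uri.split("?", 1)[0].startswith("/admin/"):
            continue
        # Core signal: an admin endpoint answering 2xx to a request that carries no
        # authenticated user. A correctly enforced login would yield 401/302 instead.
        # (Assumption: the proxy logs the session identity in the authuser field.)
        unauth_ok = m["user"] == "-" and m["status"].startswith("2")
        traversal = "../" in uri or "..%2f" in uri.lower()
        if not (unauth_ok or traversal):
            continue
        f = findings.setdefault(m["ip"], Finding(ip=m["ip"], first_seen=m["ts"]))
        f.last_seen = m["ts"]
        f.unauth_admin_hits += int(unauth_ok)
        f.traversal_hits += int(traversal)
        f.uris.append(uri)
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG).values():
        print(f"{f.ip}: {f.unauth_admin_hits} unauth admin hits, "
              f"{f.traversal_hits} traversal hits, {f.first_seen} -> {f.last_seen}")
```

A burst of successful unauthenticated /admin/* requests from one external source, especially followed by a POST, is the pattern to correlate with process-creation telemetry on the server.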
In the attacks observed by the Russian security vendor, the compromise of the TrueConf Server enabled the threat actors to use it as a springboard to move laterally across the internal network and drop malicious payloads to facilitate reconnaissance, defense evasion, and credential harvesting, as well as set up communication channels using tunneling utilities.
At least one such successful compromise is said to have led to the deployment of a PHP-based web shell that’s capable of uploading files to the infected host and executing remote commands, along with a PHP file that functions as a proxy server to disguise malicious requests as coming from a legitimate server.
Some of the other…