PhantomCore exploited three TrueConf flaws to breach Russia

PhantomCore used a chain of three TrueConf Server vulnerabilities to run remote commands and breach Russian organizations starting September 2025, Positive Technologies reported.

A pro-Ukrainian hacktivist group known as PhantomCore exploited a chain of three vulnerabilities in TrueConf Server to run operating system commands and breach Russian organizations beginning in September 2025. The exploit chain includes BDU:2025-10114, an insufficient access control flaw allowing unauthenticated requests to administrative endpoints; BDU:2025-10115, an arbitrary file read issue; and BDU:2025-10116, a command-injection vulnerability rated CVSS 9.8. TrueConf released security updates on August 27, 2025; attacks were first observed in mid-September 2025.

Compromised conferencing servers were used as staging points to drop additional tools, scan internal networks and collect credentials. In several intrusions attackers installed a PHP web shell capable of uploading files and executing commands, as well as a PHP proxy that forwarded malicious requests through a legitimate host. One incident included the creation of a rogue administrative user named “TrueConf2” on an infected server.

The attack toolkit combined custom and publicly available components. Operators deployed a malicious TrueConf client called PhantomPxPigeon that implements a reverse shell, a DLL named PhantomSscp, and PowerShell utilities such as MacTunnelRat and PhantomProxyLite for tunneling. Reconnaissance and credential-theft tools observed in incidents included ADRecon, a modified Veeam credential-recovery script labeled Veeam-Get-Creds, DumpIt and MemProcFS. The intruders used Windows Remote Management and Remote Desktop Protocol for lateral movement and relied on Velociraptor and SOCKS proxies to control compromised hosts.

Positive Technologies noted sustained stealth and ongoing updates to PhantomCore’s in-house tools, which enabled long dwell times in victim environments. Researchers Daniil Grigoryan and Georgy Khandozhko wrote, “Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations.”

Positive Technologies traced further activity by PhantomCore in January and February 2026 that relied on phishing. Those campaigns used crafted ZIP and RAR attachments to deliver a backdoor able to run commands and fetch arbitrary payloads. The firm described PhantomCore as politically and financially motivated and linked the group’s past operations to data theft, network disruption and, in some incidents, ransomware derived from leaked Babuk and LockBit source code.

Security researchers also reported related campaigns targeting Russian organizations. A financially motivated actor labeled CapFIX used a ClickFix social engineering tactic in late 2025 to deploy a backdoor called CapDoor capable of running PowerShell commands, loading DLLs and executables, installing MSI packages and taking screenshots. Other clusters identified by investigators used phishing lures, fake websites and Telegram channels to distribute information-stealing malware and post-exploitation frameworks against aviation, shipping and drone communities. Those clusters, named Geo Likho, Mythic Likho, Paper Werewolf (GOFFEE), Versatile Werewolf (HeartlessSoul) and Eagle Werewolf, have used loaders, trojans and custom agents in isolated campaigns and share some techniques and tooling while operating independently.
