
A pro-Ukrainian hacktivist group called PhantomCore is said to have actively targeted servers running TrueConf video conferencing software in Russia since September 2025.
This is according to a report published by Positive Technologies, which found that attackers were able to leverage an exploit chain of three vulnerabilities to remotely execute commands on susceptible servers.
“Despite the fact that there is no way to exploit this set of vulnerabilities in public access, the PhantomCore attackers conducted research and were able to successfully reproduce the vulnerabilities, resulting in numerous operational cases in Russian organizations,” researchers Daniil Grigorian and Georgy Khandoshko said in a statement.
PhantomCore, also known as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically and financially motivated hacking crew that has been active since 2022, following the start of the Russia-Ukraine war. The group’s attacks are known for stealing sensitive data and disrupting target networks, and in some cases deploying ransomware based on leaked source code from Babuk and LockBit.
In September 2025, the company said, “The group conducts large-scale operations while maintaining a strong degree of stealth, meaning that it continually updates and evolves its in-house attack tools, allowing it to remain invisible to victim networks for extended periods of time.”
The TrueConf Server vulnerabilities exploited in the attack are as follows:
BDU:2025-10114 (CVSS score: 7.5) – Insufficient access controls could allow an attacker to send requests to certain administrative endpoints (/admin/*) without authentication.
BDU:2025-10115 (CVSS score: 7.5) – A vulnerability that could allow an attacker to read arbitrary files on the system.
BDU:2025-10116 (CVSS score: 9.8) – A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
Successful exploitation of the three vulnerabilities could allow an attacker to bypass authentication and gain access to an organization’s network. According to Positive Technologies, a security patch addressing the issue was released by TrueConf on August 27, 2025, but the first attack targeting TrueConf servers was detected around mid-September 2025.
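The first flaw in the chain is unauthenticated access to administrative endpoints under /admin/*, which is the kind of thing a defender can look for retroactively in web-server access logs. The following script is an added example, not code from Positive Technologies, TrueConf, or the original article. It assumes the server writes Common Log Format lines in which the authuser field holds the authenticated account name and "-" when the request carried no valid session; TrueConf's real log layout is not described on the page, so the format and the log lines below are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Common Log Format: host ident authuser [date] "METHOD path proto" status bytes
# Assumption (not from the page): the authuser field is populated for
# authenticated sessions and is "-" for requests without a valid session.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real logs). Two unauthenticated requests to
# /admin/* succeed, one is correctly rejected with 401, one is a legitimate
# authenticated admin session, and one is ordinary user traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2025:10:02:11 +0300] "GET /admin/settings HTTP/1.1" 200 4123
203.0.113.7 - - [14/Sep/2025:10:02:14 +0300] "POST /admin/export HTTP/1.1" 200 88
198.51.100.4 - - [14/Sep/2025:10:05:09 +0300] "GET /admin/ HTTP/1.1" 401 0
10.0.0.12 - admin [14/Sep/2025:10:07:30 +0300] "GET /admin/settings HTTP/1.1" 200 4123
10.0.0.33 - - [14/Sep/2025:10:08:01 +0300] "GET /c/meeting HTTP/1.1" 200 9001
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_path(path: str) -> bool:
    """True for /admin and anything under /admin/ (but not e.g. /administrator)."""
    return path == "/admin" or path.startswith("/admin/")


def find_unauth_admin_access(log_text: str) -> List[dict]:
    """Return records for /admin/* requests that succeeded (2xx) with no authenticated user.

    A 401/403 on an admin path is the server doing its job; a 2xx with an
    empty authuser is the signal worth investigating.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_admin_path(rec["path"]) and rec["user"] == "-" and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def summarize_by_source(hits: List[dict]) -> Dict[str, int]:
    """Count flagged requests per source address to prioritise triage."""
    counts: Dict[str, int] = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_unauth_admin_access(SAMPLE_LOG)
    for h in found:
        print(f"ALERT {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']} (no auth user)")
    print(summarize_by_source(found))
```

Run against a real export the regex and the authuser assumption will need adjusting to the server's actual format; the point of the check is the combination of an admin path, a successful status code, and no authenticated identity, which is exactly the condition the access-control flaw would produce.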
In an attack observed by a Russian security vendor, a compromise of the TrueConf server allowed attackers to use it as a springboard to move laterally within internal networks, dropping malicious payloads to facilitate reconnaissance, defense evasion, and credential capture, and using tunneling utilities to set up communication channels.
At least one such successful breach is said to have introduced a PHP-based web shell that can upload files and execute remote commands on infected hosts, and a PHP file that acts as a proxy server to disguise malicious requests as coming from a legitimate server.
Some of the other tools delivered as part of the attack are:
PhantomPxPigeon, a malicious TrueConf video conferencing client that implements a reverse shell, connecting to a remote server and receiving subsequent execution tasks.
PhantomSscp (DLL), MacTunnelRAT (PowerShell), and PhantomProxyLite (PowerShell), which work with the aforementioned web shells to execute commands, launch executables, establish a foothold in a compromised environment via a reverse SSH tunnel, and allow traffic to be proxied through it.
ADRecon, for reconnaissance.
Veeam-Get-Creds, a modified version of the PowerShell script for recovering passwords related to Veeam Backup & Replication software.
DumpIt and MemProcFS, for credential collection.
Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), for lateral movement within the network perimeter.
Velociraptor, microsocks, rsocx, and tsocks, for remote access and for controlling compromised hosts through a SOCKS proxy from attacker-controlled infrastructure.
Some intrusions leveraged a DLL to create an unauthorized user named “TrueConf2” with administrative privileges on compromised video conferencing servers.
The PhantomCore attack chain was also found to have used phishing lures for initial access to Russian organizations, most recently in January and February 2026, and used crafted ZIP or RAR archives to deliver backdoors that could execute remote commands on hosts and deliver arbitrary payloads.
The researchers concluded that “the PhantomCore group is one of the most active groups in the Russian threat landscape.” “Their arsenal includes both publicly available tools (Velociraptor, Memprocfs, Dokan, DumpIt) and proprietary tools (MacTunnelRAT, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries.”
“PhantomCore actively searches for vulnerabilities in domestic software and develops exploits, thereby gaining the ability to penetrate numerous Russian companies.”
In recent months, Russia’s industrial and aviation industries have been targeted by a phishing campaign organized by a financially motivated group called CapFIX. The group deploys a backdoor called CapDoor that can run PowerShell commands, DLLs, and executables obtained from remote servers, install MSI files, and take screenshots. The name CapFIX comes from the fact that CapDoor was first discovered in 2025 and distributed using ClickFix social engineering tactics.

A detailed analysis of threat actor campaigns conducted in October and November 2025 revealed that threat actors were using ClickFix to deploy off-the-shelf malware families such as AsyncRAT and SectopRAT.
“While the group previously relied on financial-themed phishing emails (e.g., cryptocurrencies and money-related), they are now increasingly masking their emails as official communications from government agencies,” Positive Technologies said.
PhantomCore and CapFIX are among a list of threat activity clusters that have launched attacks against Russian organizations. Other notable groups include:
Geo Likho has, since July 2024, primarily targeted the aviation and shipping industries in Russia and Belarus using phishing attacks that deliver information-stealing malware. Isolated cases have also been confirmed in Germany, Serbia, and Hong Kong, where accidental infections are suspected.
Mythic Likho uses email phishing lures to deliver loaders such as HuLoader, designed to decompress a final payload: Loki, a Mythic-compatible backdoor; Merlin, a Mythic agent; or ReflectPulse, an agent designed for the Havoc post-exploitation framework. Evidence indicates that this group has ties to another group known as ExCobalt, as it uses the same rootkit, Megatsune.
Paper Werewolf (also known as GOFFEE) used a dedicated Telegram channel to distribute a Trojan horse called EchoGather disguised as a tool to add Starlink devices to the exception list, and also shared a link to a phishing page designed to collect the credentials of victims’ Telegram accounts. The group has also been observed using a fake website promoting a drone pilot simulator to drop EchoGather.
Versatile Werewolf (aka HeartlessSoul) used a fake website (“stardebug[.]app”) to distribute a fake MSI installer for Star Debug, an alternative tool for managing Starlink devices, and to deploy the Sliver post-exploitation framework. Another website associated with the threat actor (“alphafly-drones[.]com”) could use a rogue drone simulator app to drop SoullessRAT, a Windows Trojan that can execute commands, upload files, capture screenshots, and execute binaries.
Eagle Werewolf, a previously undocumented threat group, compromised a drone-focused Telegram channel and launched AquilaRAT via a Rust dropper disguised as a Starlink device activation checklist. AquilaRAT is a Rust-based Trojan that performs file operations and executes commands.
“Despite sharing common goals and employing similar technologies, the clusters operated autonomously and showed no evidence of direct coordination,” Russian cybersecurity firm BI.ZONE said in a statement.
“In addition to distributing malware, Paper Werewolf hijacks Telegram accounts, and the cluster may use them as trusted channels to support future attacks. Versatile Werewolf leverages generative AI to develop tools used in attacks and accelerate the development process.”
