Ethical Hacking News
PhantomCore, a pro-Ukrainian hacktivist group, has been attributed a campaign exploiting vulnerabilities in TrueConf video conferencing software. The attacks, observed since September 2025, chain three flaws in TrueConf Server to execute commands remotely on exposed servers and then use the compromised server as an entry point into the victim's internal network, where the group deploys tools such as PhantomPxPigeon, MacTunnelRat, and Velociraptor. Positive Technologies describes PhantomCore as one of the most active groups in the Russian threat landscape, targeting government and private organizations across industries; the group has also used phishing lures against Russian organizations for initial access.
Positive Technologies attributes the campaign to PhantomCore (also tracked as Fairy Trickster), a pro-Ukrainian hacktivist group. Exploitation attempts have been detected since September 2025 and rely on a chain of three vulnerabilities to execute commands remotely on vulnerable servers. According to the vendor, no public exploit for the chain exists; PhantomCore reproduced the vulnerabilities through its own research, which led to a large number of exploitation cases in Russian organizations.
The TrueConf Server vulnerabilities exploited in the attacks are listed below (identifiers are from the BDU vulnerability database maintained by Russia's FSTEC):
- BDU:2025-10114 (CVSS score: 7.5) - An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
- BDU:2025-10115 (CVSS score: 7.5) - An arbitrary file read vulnerability that could allow an attacker to read files on the server's file system.
- BDU:2025-10116 (CVSS score: 9.8) - A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
Chained together, the three vulnerabilities let an unauthenticated attacker reach the administrative endpoints, read server files, and ultimately execute operating system commands on the TrueConf Server, which then serves as a foothold into the organization's network. TrueConf released patches for the issues on August 27, 2025; the first attacks against TrueConf servers were detected around mid-September 2025, per Positive Technologies, roughly three weeks after the fixes became available.
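The three vulnerability classes above leave distinct traces in a web server's access log: a successful response from an /admin/* endpoint to a request carrying no session, traversal sequences in a file parameter, and shell metacharacters in a parameter value. The following triage script is an added example written for this article; it is not TrueConf's code and not Positive Technologies' detection logic. It assumes a combined-format access log with the request's Cookie header appended as a final quoted field, an admin session cookie named "tc_session", and constructed sample lines; all three are assumptions, not details from the advisory.

```python
"""Triage access-log lines for the three TrueConf Server vulnerability classes
described above: unauthenticated access to /admin/* endpoints, traversal-style
parameters (arbitrary file read) and shell metacharacters in parameters
(command injection).

Added example, not TrueConf's code and not Positive Technologies' detection
logic. Assumptions not taken from the advisory: the server writes an
Apache/nginx combined-format access log with the request's Cookie header
appended as a final quoted field, and an authenticated admin session carries a
cookie named "tc_session". Adjust both to the real deployment.
"""
import re
from urllib.parse import unquote, urlsplit

SESSION_COOKIE = "tc_session"  # assumed name of the admin session cookie

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookies>[^"]*)"'
)
# "../" or "..\" anywhere, or an absolute *nix / Windows path directly after "="
TRAVERSAL = re.compile(r"\.\.[/\\]|(^|=)/etc/|(^|=)[a-z]:\\", re.I)
# command separators and substitution; a single "&" is a normal query separator
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# Constructed sample lines for this example; not real TrueConf logs.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Sep/2025:03:12:01 +0300] "GET /admin/settings HTTP/1.1" 200 5120 "-" "python-requests/2.32" "-"
203.0.113.9 - - [15/Sep/2025:03:12:02 +0300] "GET /admin/settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "tc_session=abc123"
198.51.100.7 - - [15/Sep/2025:03:12:05 +0300] "GET /admin/export?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.32" "-"
198.51.100.7 - - [15/Sep/2025:03:12:09 +0300] "POST /admin/tools?arg=x;id HTTP/1.1" 200 64 "-" "python-requests/2.32" "-"
203.0.113.9 - - [15/Sep/2025:03:13:00 +0300] "GET /admin/settings HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # percent-decode so encoded traversal sequences (%2e%2e%2f) are caught too
    rec["query"] = unquote(parts.query)
    rec["authenticated"] = f"{SESSION_COOKIE}=" in rec["cookies"]
    return rec


def triage(log_text):
    """Return (line_no, ip, indicator, path) tuples for suspicious requests."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # A 2xx from an admin endpoint with no session cookie is the access-control
        # flaw in use; a 302 to the login page is what a patched server should answer.
        if (rec["path"].startswith("/admin/") and 200 <= rec["status"] < 300
                and not rec["authenticated"]):
            findings.append((n, rec["ip"], "unauth_admin_access", rec["path"]))
        if TRAVERSAL.search(rec["query"]):
            findings.append((n, rec["ip"], "file_read_indicator", rec["path"]))
        if SHELL_META.search(rec["query"]):
            findings.append((n, rec["ip"], "command_injection_indicator", rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("line %d  %-14s %-28s %s" % finding)
```

In the constructed sample, the authenticated request (line 2) and the redirect to login (line 5) produce no findings, while the three requests from the same source address without a session cookie are flagged once for the access-control flaw and, where present, once more for the traversal or shell-metacharacter payload. Run over a real log, a single source that trips all three indicators in sequence is the pattern to escalate first.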
In the attacks observed by the Russian security vendor, the compromise of the TrueConf Server enabled the threat actors to use it as a springboard to move laterally across the internal network and drop malicious payloads to facilitate reconnaissance, defense evasion, and credential harvesting, as well as set up communication channels using tunneling utilities. At least one such successful compromise is said to have led to the deployment of a PHP-based web shell that's capable of uploading files to the infected host and executing remote commands, along with a PHP file that functions as a proxy server to disguise malicious requests as coming from a legitimate server.
The tools PhantomCore uses after the initial compromise include:
- PhantomPxPigeon, a malicious TrueConf video conferencing client that implements a reverse shell to connect to a remote server and receive tasks for subsequent execution, allowing it to run commands, launch executables, and proxy traffic through the aforementioned web shell.
- PhantomSscp (DLL), MacTunnelRat (PowerShell), and PhantomProxyLite (PowerShell), for establishing a foothold in a breached environment via a reverse SSH tunnel.
- ADRecon, for Active Directory reconnaissance.
- Veeam-Get-Creds, a modified version of the PowerShell script that recovers passwords stored by Veeam Backup & Replication.
- DumpIt and MemProcFS, for credential harvesting by acquiring and parsing memory.
- Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), for lateral movement within the network perimeter.
- Velociraptor, a legitimate digital forensics and incident response agent abused for remote access.
- microsocks, rsocx, and tsocks, for controlling compromised hosts from attacker-controlled infrastructure through a SOCKS proxy.
Some intrusions have used a DLL to create a rogue user named "TrueConf2" with administrative privileges on the compromised video conferencing server. PhantomCore's attack chains have also been found to use phishing lures for initial access to Russian organizations as recently as January and February 2026, using crafted ZIP or RAR archives to distribute a backdoor that can run remote commands on the host and serve arbitrary payloads.
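The rogue "TrueConf2" account is the most concrete persistence indicator on the page, and it can be hunted behaviourally rather than by name alone: a local account is created (Windows Security event 4720) and within moments added to the local Administrators group (event 4732). The script below is an added example, not PhantomCore tooling and not Positive Technologies' detection logic. It assumes the events have been exported as dicts whose keys mirror the event XML fields, and it runs over constructed sample events; both the export format and the sample data are assumptions.

```python
"""Hunt for the persistence step described above: a new local account (the
observed name is "TrueConf2") created on the video conferencing server and
added to the local Administrators group.

Added example, not PhantomCore tooling and not Positive Technologies' detection
logic. It correlates Windows Security events 4720 (user account created) and
4732 (member added to a security-enabled local group). The events are assumed
to have been exported as dicts whose keys mirror the event XML data fields;
that export format and the sample events are constructed for this example.
"""
from datetime import datetime

ADMINS_SID = "S-1-5-32-544"          # well-known SID of BUILTIN\Administrators
KNOWN_ROGUE_NAMES = {"trueconf2"}    # account name reported in the intrusions

# Constructed sample events for this example; not from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-09-16T02:41:10", "Computer": "TC-SRV01",
     "TargetUserName": "TrueConf2", "TargetSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "svc_trueconf"},
    {"EventID": 4732, "TimeCreated": "2025-09-16T02:41:12", "Computer": "TC-SRV01",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "svc_trueconf"},
    {"EventID": 4720, "TimeCreated": "2025-09-16T09:05:00", "Computer": "TC-SRV01",
     "TargetUserName": "j.smith", "TargetSid": "S-1-5-21-1-2-3-1106",
     "SubjectUserName": "helpdesk"},
    # Added to Remote Desktop Users (S-1-5-32-555), not Administrators, a day later
    {"EventID": 4732, "TimeCreated": "2025-09-17T11:00:00", "Computer": "TC-SRV01",
     "TargetSid": "S-1-5-32-555", "MemberSid": "S-1-5-21-1-2-3-1106",
     "SubjectUserName": "helpdesk"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_rogue_admins(events, window_seconds=600):
    """Return (computer, account, created_by, seconds_to_admin) for every account
    that was created and then added to local Administrators on the same host
    within window_seconds. In 4732, TargetSid is the group and MemberSid the
    new member; in 4720, TargetSid is the new account."""
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    hits = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetSid"] != ADMINS_SID:
            continue
        creation = created.get(e["MemberSid"])
        if creation is None or creation["Computer"] != e["Computer"]:
            continue
        delta = (_when(e) - _when(creation)).total_seconds()
        if 0 <= delta <= window_seconds:
            hits.append((e["Computer"], creation["TargetUserName"],
                         creation["SubjectUserName"], int(delta)))
    return hits


def known_rogue_accounts(events):
    """Name-based check for the reported account, independent of the group add."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4720 and e["TargetUserName"].lower() in KNOWN_ROGUE_NAMES]


if __name__ == "__main__":
    for host, account, creator, secs in find_rogue_admins(SAMPLE_EVENTS):
        print(f"{host}: {account} created by {creator}, local admin after {secs}s")
    print("known rogue names seen:", known_rogue_accounts(SAMPLE_EVENTS))
```

The behavioural rule catches the account regardless of what it is called; the name check is kept only because the page reports a specific name. In the constructed sample the creating subject is the application service account, which is consistent with a DLL executing inside the compromised server process; on a real host, a local account created by the TrueConf service identity rather than an administrator is worth an alert on its own.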
Positive Technologies describes PhantomCore as one of the most active groups in the Russian threat landscape. Its arsenal includes both publicly available tools (Velociraptor, MemProcFS, Dokan, DumpIt) and proprietary tools (MacTunnelRat, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries.
In recent months, industrial and aviation sectors in Russia have been targeted by phishing campaigns orchestrated by a financially motivated group named CapFIX to deploy a backdoor dubbed CapDoor that can run PowerShell commands, DLLs, and executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFIX is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic.
A deeper analysis of the threat actor's campaigns in October and November 2025 has uncovered the threat actor's use of ClickFix to deploy off-the-shelf malware families like AsyncRAT and SectopRAT. While the group previously relied on financially themed phishing emails (cryptocurrency and anything money-related), they are now increasingly masking their emails as official communications from government agencies.
Published: Mon Apr 27 08:22:51 2026 by llama3.2 3B Q4_K_M