A pro-Ukrainian group known as PhantomCore has been linked to attacks on TrueConf video conferencing servers in Russia since September 2025, with a technical analysis from Positive Technologies saying the campaign used a chain of three flaws to run commands remotely.
KEY FACTS
- Target: TrueConf Server deployments in Russia
- Vulnerabilities: Three flaws allowed unauthenticated access, file reads and command injection
- Timeline: Patches were released on Aug. 27, 2025, and attacks were first seen in mid-September
- Impact: Compromised servers were used for lateral movement, web shells and credential harvesting
The report said the flaws were tracked as BDU:2025-10114, BDU:2025-10115 and BDU:2025-10116. Together, they could let an attacker bypass authentication, read files on the system and execute arbitrary operating system commands.
TrueConf released patches on Aug. 27, 2025, but the first attacks against exposed servers were detected weeks later. In some cases, successful compromise let attackers move across internal networks and deploy tools for reconnaissance, defense evasion and credential theft.
The disclosure said one intrusion led to a PHP web shell and a proxy file used to hide malicious requests as legitimate traffic. Other tools observed included a rogue TrueConf client, reverse SSH tunnel components, ADRecon, Veeam password recovery scripts, DumpIt, MemProcFS, WinRM, RDP, Velociraptor and SOCKS proxy utilities.
Some intrusions also created a rogue administrative user named TrueConf2. Separately, the group used phishing lures in January and February 2026 to deliver a backdoor through ZIP and RAR archives, showing that it continued to mix vulnerability exploitation with social engineering.
WHY IT MATTERS
The campaign shows how a single server compromise can become a foothold for wider network access, especially when servers remain exposed after patches are available. It also highlights continuing pressure on Russian organizations from groups that combine custom malware, public tools and phishing to gain access and stay inside victim networks.