A pro-Ukrainian hacktivist group identified as PhantomCore has been actively orchestrating a series of sophisticated cyberattacks targeting servers running TrueConf video conferencing software within Russia since mid-September 2025. This persistent campaign, characterized by its advanced exploit capabilities and strategic targeting, underscores the evolving nature of cyber warfare in the ongoing geopolitical landscape.
The revelations come from a comprehensive report published by Positive Technologies, a prominent Russian cybersecurity firm. Their investigation has meticulously traced the threat actors’ methods, pinpointing their leverage of a complex exploit chain comprising three distinct vulnerabilities. This chain, when successfully executed, grants PhantomCore the ability to remotely execute commands on susceptible TrueConf servers, effectively bypassing authentication mechanisms and establishing a foothold within targeted organizational networks.
The Modus Operandi of PhantomCore: A Threat Actor of High Caliber
According to Daniil Grigoryan and Georgy Khandozhko, researchers at Positive Technologies, the group’s ability to craft these exploits is particularly noteworthy. They highlighted, "Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations." This statement underscores PhantomCore’s advanced technical prowess, suggesting a significant investment in reverse engineering or zero-day discovery capabilities, distinguishing them from less sophisticated hacktivist collectives that often rely on readily available tools and exploits.
PhantomCore, also recognized by various aliases such as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, represents a potent and multifaceted hacking crew. Its emergence and sustained activity can be traced back to 2022, following the full-scale invasion of Ukraine by Russia. The group is characterized by a dual motivation: both politically driven, aligning with pro-Ukrainian sentiments, and financially motivated, often seeking to extract monetary gains from their intrusions.
Their operational history reveals a consistent pattern of sophisticated cyber operations. PhantomCore is known for its ability to exfiltrate sensitive data from targeted networks, cause significant disruptions to critical infrastructure and information systems, and in several documented instances, deploy ransomware. These ransomware attacks have notably utilized leaked source code from notorious families like Babuk and LockBit, further illustrating their adaptability and willingness to integrate potent, commercially available (or leaked) malicious tools into their arsenal.
Positive Technologies had previously noted PhantomCore’s operational excellence in September 2025, stating, "The group runs large-scale operations while maintaining strong stealth — remaining invisible in victim networks for extended periods — enabled by continual updates and evolution of in-house offensive tools." This commitment to stealth and continuous tool development allows them to conduct prolonged espionage and sabotage campaigns without detection, posing a significant challenge for defensive cybersecurity efforts.

Targeting TrueConf: A Strategic Move
The choice of TrueConf video conferencing software as a primary target is not arbitrary. TrueConf, being a domestically developed Russian communication platform, is widely adopted by government agencies, state-owned enterprises, and private companies across Russia. Its widespread use makes it a strategic target for groups seeking to disrupt internal communications, gain intelligence, or compromise critical organizational data. By compromising TrueConf servers, PhantomCore gains a valuable entry point into the heart of Russian corporate and governmental networks.
The specific TrueConf Server vulnerabilities exploited by PhantomCore are not identified by CVE in the information available here; together they allowed an attacker to bypass authentication. This initial step then enabled them to gain unauthorized access to an organization’s internal network. While TrueConf had released security patches addressing these issues on August 27, 2025, Positive Technologies’ observations confirm that the first wave of attacks against unpatched TrueConf servers commenced around mid-September 2025. This window of roughly three weeks between patch availability and active exploitation highlights the critical importance of rapid patch deployment, especially when facing highly motivated and technically capable threat actors. Delays in patching create significant opportunities for adversaries to capitalize on known vulnerabilities.
The Aftermath of Exploitation: Deepening Network Compromise
Once a TrueConf Server was successfully compromised, PhantomCore did not merely stop at initial access. The Russian security vendor observed that the threat actors systematically leveraged the compromised server as a "springboard." This strategic move allowed them to pivot and move laterally across the internal network, exploring connected systems and identifying further targets for exploitation.
A key part of their post-compromise strategy involved dropping a variety of malicious payloads. These payloads were designed to serve multiple nefarious purposes, including:
- Reconnaissance: Gathering detailed information about the network topology, active users, connected devices, and data storage locations.
- Defense Evasion: Employing techniques to remain undetected by security software and analysts.
- Credential Harvesting: Stealing user credentials, including usernames and passwords, to facilitate further access and privilege escalation within the network.
- Establishing Communication Channels: Setting up covert communication pathways using tunneling utilities, enabling them to maintain persistent access and exfiltrate data without immediate detection.
In at least one documented instance, a successful compromise led to the deployment of a PHP-based web shell. This web shell is a powerful tool, providing the attackers with remote access and control over the infected host, allowing them to upload additional files, execute arbitrary commands, and manage the compromised server directly through a web browser interface. Alongside the web shell, a PHP file functioning as a proxy server was also deployed. This proxy served a critical role in masking malicious requests, making them appear as legitimate traffic originating from the compromised TrueConf server, thereby complicating detection and attribution efforts.
PhantomCore’s Evolving Arsenal and Tactics

The sophistication of PhantomCore is further evidenced by the diverse set of tools they employ in their attack chains. Their arsenal is a mix of publicly available and proprietary tools, demonstrating a pragmatic approach to leveraging existing resources while also investing in custom development for specific needs:
- Publicly Available Tools:
  - Velociraptor: A powerful open-source digital forensics and incident response tool, used for endpoint visibility and data collection.
  - MemProcFS: A forensic framework to acquire and analyze physical memory, often used for credential harvesting and malware analysis.
  - Dokan: A user-mode file system driver, potentially used for creating virtual file systems or manipulating file access.
  - DumpIt: A tool for creating memory dumps, crucial for post-exploitation analysis and credential extraction.
- Proprietary Tools:
  - MacTunnelRAT: A custom Remote Access Trojan likely designed for covert communication and command execution.
  - PhantomSscp: A tool whose specific function is not fully detailed but likely serves a role in lateral movement, persistence, or data exfiltration.
  - PhantomProxyLite: The custom proxy tool described earlier, used for obfuscating malicious traffic.
Beyond these software tools, PhantomCore has also been observed using a custom DLL (Dynamic Link Library) to create a rogue user account named "TrueConf2" with administrative privileges on compromised video conferencing servers. This tactic ensures persistent access and elevated control, even if other initial access methods are remediated.
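As an added detection example (not code from Positive Technologies or the report), the following correlates Windows Security events 4720 (account created) and 4732 (member added to a local group) to flag a local account that is made an administrator shortly after creation, the pattern behind the "TrueConf2" account above. The event records are constructed and simplified; the host name TRUECONF-SRV and user names are assumptions.

```python
"""Flag rogue local administrator creation (e.g. the "TrueConf2" account)
from Windows Security events 4720 and 4732. SAMPLE_EVENTS are constructed."""
from datetime import datetime, timedelta

KNOWN_ROGUE_NAMES = {"trueconf2"}   # account name reported by Positive Technologies
WINDOW = timedelta(minutes=10)      # creation -> admin-group add within this is suspicious

# Constructed, simplified events. Real 4732 events carry the group in
# TargetUserName and the member as a SID; a real parser would resolve it.
SAMPLE_EVENTS = [
    {"ts": "2025-09-18T02:14:05", "id": 4720, "subject": "TRUECONF-SRV$",
     "target": "TrueConf2"},
    {"ts": "2025-09-18T02:14:07", "id": 4732, "subject": "TRUECONF-SRV$",
     "member": "TrueConf2", "group": "Administrators"},
    {"ts": "2025-09-18T09:00:00", "id": 4720, "subject": "admin.ivanov",
     "target": "svc_backup"},
    {"ts": "2025-09-18T09:30:00", "id": 4732, "subject": "admin.ivanov",
     "member": "svc_backup", "group": "Backup Operators"},
    {"ts": "2025-09-18T10:00:00", "id": 4720, "subject": "admin.ivanov",
     "target": "contractor7"},
    {"ts": "2025-09-18T10:02:00", "id": 4732, "subject": "admin.ivanov",
     "member": "contractor7", "group": "Administrators"},
]

def find_rogue_admins(events):
    """Return {account: (severity, reason)} for suspicious admin creations."""
    created = {}   # lowercase account name -> (creation time, creating subject)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            name = ev["target"].lower()
            created[name] = (ts, ev["subject"])
            if name in KNOWN_ROGUE_NAMES:
                alerts[ev["target"]] = ("high", "known rogue account name created")
        elif ev["id"] == 4732 and ev["group"].lower() == "administrators":
            name = ev["member"].lower()
            if name not in created:
                continue
            made_at, subject = created[name]
            if ts - made_at > WINDOW:
                continue
            # A computer account (NAME$) as subject means a SYSTEM-level service
            # process, such as a server application, did the creation.
            severity = "high" if subject.endswith("$") or name in KNOWN_ROGUE_NAMES else "medium"
            secs = int((ts - made_at).total_seconds())
            alerts[ev["member"]] = (severity, f"added to Administrators {secs}s after creation")
    return alerts

if __name__ == "__main__":
    for acct, (sev, why) in find_rogue_admins(SAMPLE_EVENTS).items():
        print(f"[{sev}] {acct}: {why}")
```

The medium-severity hit on contractor7 shows the rule also catches a human administrator working quickly, so in production the subject and source process should be reviewed before escalating.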
In a demonstration of their adaptive strategies, PhantomCore’s attack chains have also incorporated phishing lures for initial access to Russian organizations. As recently as January and February 2026, the group was observed using crafted ZIP or RAR archives. These archives, when opened by unsuspecting victims, would distribute a backdoor capable of running remote commands on the host and serving arbitrary payloads. This shift back to phishing for initial access, even while maintaining exploit capabilities, indicates a willingness to use diverse entry vectors based on opportunity and target susceptibility.
"The PhantomCore group is one of the most active groups in the Russian threat landscape," concluded the Positive Technologies researchers. "Its arsenal includes both publicly available tools… and proprietary tools… The group targets government and private organizations across a wide range of industries." They further emphasized the group’s proactive approach: "PhantomCore actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate a large number of Russian companies." This strategic focus on domestic software highlights a vulnerability point for Russian organizations, as these platforms may receive less scrutiny from global security researchers compared to widely used international software.
The Broader Landscape of Cyber Threats Against Russia
PhantomCore is not an isolated actor in the complex cyber landscape targeting Russian entities. Several other threat activity clusters have been identified, operating with varying motivations and sophisticated techniques.
One such group is CapFIX, a financially motivated entity that has been observed targeting the industrial and aviation sectors in Russia. CapFIX is responsible for deploying a backdoor dubbed CapDoor, a versatile malware capable of executing PowerShell commands, running DLLs and executables retrieved from remote servers, installing MSI files, and taking screenshots of compromised systems. The moniker "CapFIX" is derived from the fact that CapDoor was first discovered in 2025, distributed using the "ClickFix" social engineering tactic, which likely involves tricking users into clicking malicious links or attachments.
A deeper analysis of CapFIX’s campaigns in October and November 2025 revealed their use of ClickFix to deploy off-the-shelf malware families such as AsyncRAT and SectopRAT. AsyncRAT is a widely available open-source Remote Access Trojan, while SectopRAT is another versatile RAT used for remote control and data exfiltration. Notably, Positive Technologies observed a shift in CapFIX’s phishing strategies: "While the group previously relied on financially themed phishing emails (cryptocurrency and anything money-related), they are now increasingly masking their emails as official communications from government agencies." This evolution points to a growing sophistication in social engineering, designed to increase credibility and trick more wary targets.

Beyond PhantomCore and CapFIX, other prominent groups identified by Russian cybersecurity company BI.ZONE include:
- Paper Werewolf: Known for malware distribution and, uniquely, for hijacking Telegram accounts. These hijacked accounts are likely used as trusted channels to support future attacks or spread disinformation.
- Versatile Werewolf: This cluster stands out for its innovative approach, leveraging generative AI to develop tools used in their attacks, significantly accelerating their development process and potentially creating more evasive malware.
- Red Wolf, White Wolf, and Black Wolf: These groups, while sharing a common thematic naming convention, also contribute to the diverse threat landscape.
BI.ZONE noted a crucial aspect of these multiple threat clusters: "Despite sharing a common goal and employing similar techniques, the clusters operated autonomously, showing no evidence of direct coordination." This observation suggests a decentralized, yet broadly aligned, cyber front operating against Russian interests. While they may not be centrally commanded, their shared objectives create a persistent and multi-pronged threat.
Implications and Future Outlook
The persistent and evolving campaigns by groups like PhantomCore and CapFIX, alongside the activities of other clusters, paint a clear picture of an intense and dynamic cyber conflict. The targeting of domestic software like TrueConf highlights the vulnerabilities that can arise from reliance on national solutions, especially if they are not subjected to the same rigorous global security scrutiny as international products.
For Russian organizations, the implications are profound. They face a continuous need for robust cybersecurity measures, including:
- Rapid Patch Management: The window between patch release and active exploitation, as seen with TrueConf, necessitates immediate deployment of security updates.
- Advanced Threat Detection: The stealth and custom tools used by groups like PhantomCore require sophisticated detection capabilities that can identify anomalous behavior rather than relying solely on signature-based defenses.
- Employee Training: The continued use of social engineering tactics, from ClickFix to government impersonation, underscores the need for comprehensive and continuous cybersecurity awareness training for all employees.
- Threat Intelligence Sharing: Collaboration between cybersecurity firms and targeted organizations is crucial for understanding the evolving threat landscape and developing effective countermeasures.
The use of generative AI by groups like Versatile Werewolf signifies a worrying trend, potentially enabling threat actors to develop more potent and personalized attack tools at an unprecedented pace. This innovation in offensive capabilities demands an equally rapid evolution in defensive strategies and technologies.
As the geopolitical tensions persist, the cyber domain will undoubtedly remain a critical battleground. The adaptability, technical prowess, and persistent nature of groups like PhantomCore ensure that the challenges for cybersecurity professionals in Russia, and globally, will continue to grow, demanding constant vigilance and proactive defense strategies to safeguard critical infrastructure and sensitive data. The conflict in cyberspace, characterized by a diverse array of actors and constantly evolving tactics, reflects a new era of digital warfare with far-reaching consequences.
