A pro-Ukrainian hacktivist group tracked as PhantomCore has been linked to a series of attacks on TrueConf video conferencing servers in Russia since September 2025. According to a report from Positive Technologies, the group chained three vulnerabilities in the product to gain remote access to the servers it compromised.

Researchers Daniil Grigoryan and Georgy Khandozhko noted that no public exploits existed for these vulnerabilities; PhantomCore developed its own, and the resulting intrusions affected a notable number of Russian organizations. PhantomCore, also tracked as Fairy Trickster and Rainbow Hyena, has been active since the escalation of the Russo-Ukrainian conflict in 2022 and targets both government and private-sector entities.

PhantomCore's operations combine intelligence gathering with disruption. They include large-scale data theft and network sabotage, the latter including ransomware built from the leaked source code of Babuk and LockBit. The group continually updates and refines its custom offensive tooling, which has let it stay undetected on victim networks for extended periods.

The three vulnerabilities are tracked as BDU:2025-10114, BDU:2025-10115 and BDU:2025-10116 in Russia's BDU vulnerability database, with CVSS scores ranging from 7.5 to a critical 9.8. They consist of insufficient access control, an arbitrary file read, and a command injection that allows execution of arbitrary operating system commands. Chained together, they let an attacker bypass authentication and run commands on the server, which then serves as a foothold into the organization's network.

TrueConf released patches for the three flaws on August 27, 2025, and the first signs of exploitation were observed shortly afterwards, so servers that lagged the update by even a few weeks were exposed. In compromised environments, PhantomCore reportedly installed a PHP-based web shell and used it for reconnaissance, data collection, and lateral movement within the network. Administrators running TrueConf Server should confirm the installed build postdates the August 27 release and check the web root for PHP files they did not deploy.
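Hunting for a dropped shell is where an incident responder starts after reading a report like this one. The scanner below is an added example, not code from Positive Technologies or TrueConf, and it has no knowledge of the specific shell PhantomCore used: it flags PHP files that pass request parameters into code- or command-execution functions, the pattern nearly every web shell shares, and reports which sink matched so the hit can be triaged. The sample files and their names are constructed for illustration.

```python
"""Triage scanner for PHP web shells dropped on a compromised web server.

Added example; it is not from the Positive Technologies report and knows
nothing about PhantomCore's actual shell. It flags PHP source that feeds
request parameters into code- or command-execution functions, the pattern
almost every web shell shares, and says which file and which sink matched.
All sample files below are constructed for illustration.
"""
import os
import re

# PHP functions that execute code or operating system commands.
SINKS = ("eval", "assert", "system", "exec", "shell_exec", "passthru",
         "popen", "proc_open", "pcntl_exec", "create_function")
# Superglobals and streams that carry attacker-controlled input.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "php://input")
# Decoders commonly wrapped around a shell's payload to defeat plain grep.
OBFUSCATORS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "hex2bin")

SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(", re.IGNORECASE)
OBFUSCATOR_RE = re.compile(r"\b(" + "|".join(OBFUSCATORS) + r")\s*\(", re.IGNORECASE)
# $f(...) where $f is a variable: the function name is chosen at runtime.
# Heuristic only; a "$name (" inside a string literal also matches.
DYNAMIC_CALL_RE = re.compile(r"\$\w+\s*\(")
# `...$_GET[...]...`: PHP's backtick operator runs the string as a shell command.
BACKTICK_RE = re.compile(r"`[^`\n]*\$_[A-Z]+\[[^`\n]*`")


def scan_php(source: str) -> dict:
    """Return the indicators found in one PHP file plus a verdict.

    webshell-likely: user input and an execution primitive appear together.
    suspicious:      execution primitive or decoder present, no input path seen.
    clean:           nothing of interest (user input alone is not a finding).
    """
    sinks = sorted({m.group(1).lower() for m in SINK_RE.finditer(source)})
    sources = sorted(s for s in SOURCES if s in source)
    obfuscators = sorted({m.group(1).lower() for m in OBFUSCATOR_RE.finditer(source)})
    dynamic_call = DYNAMIC_CALL_RE.search(source) is not None
    backtick_exec = BACKTICK_RE.search(source) is not None
    executes = bool(sinks) or dynamic_call or backtick_exec
    if executes and sources:
        verdict = "webshell-likely"
    elif executes or obfuscators:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sinks": sinks, "sources": sources, "obfuscators": obfuscators,
            "dynamic_call": dynamic_call, "backtick_exec": backtick_exec,
            "verdict": verdict}


def scan_tree(root: str, exts=(".php", ".phtml", ".php5", ".inc")) -> list:
    """Walk a web root and return (path, result) for every non-clean file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_php(fh.read())
            if result["verdict"] != "clean":
                findings.append((path, result))
    return findings


# Constructed sample files: four shells, one benign page, one benign helper.
SAMPLES = {
    "cmd.php": "<?php @eval($_POST['x']); ?>",
    "img.php": '<?php $c = base64_decode($_REQUEST["c"]); system($c); ?>',
    "up.php": "<?php $f = $_GET['f']; $f($_GET['a']); ?>",
    "bt.php": "<?php echo `{$_GET['c']}`; ?>",
    "hello.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    "version.php": "<?php $v = exec('git rev-parse HEAD'); echo $v; ?>",
}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        r = scan_php(src)
        print(f"{name:12} {r['verdict']:16} sinks={r['sinks']} sources={r['sources']}")
```

Run `scan_tree` against the TrueConf server's web root and any other PHP document roots and review every non-clean hit by hand. A legitimate file that shells out with a fixed string scores only "suspicious", and request input on its own is never reported, which keeps the hit list short enough to triage; files whose modification time postdates the August 27 patch date deserve the first look.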

After gaining access, the group delivered a range of tools for follow-on operations. PhantomPxPigeon, a trojanized TrueConf client, opens a reverse shell for command execution, and it is accompanied by utilities for privilege escalation, credential harvesting, and persistence on the compromised network. Alongside the TrueConf exploitation, PhantomCore reportedly also obtains initial access through phishing emails carrying crafted ZIP or RAR archives that deliver remotely controlled backdoors.

The researchers assess that PhantomCore deliberately hunts for vulnerabilities in Russian-made software, for which public exploits are rare, to reach organizations in critical sectors. The report maps the group's tradecraft to the MITRE ATT&CK framework, covering tactics from initial access through privilege escalation and lateral movement, and it illustrates the exposure of Russian organizations that depend on such domestic products.

Separately, a financially motivated group tracked as CapFIX has recently targeted Russian organizations, notably in aviation and technology. CapFIX relies on social engineering, sending emails that pose as official communications from government agencies to deliver its malicious payloads.

Taken together, PhantomCore and CapFIX illustrate an escalating trend of attacks on Russian entities. Several groups are using overlapping tactics against these targets without any sign of coordination, so defenders cannot plan around a single threat profile and need both timely patching and the ability to detect post-exploitation activity.