PhantomCore Exploits TrueConf Flaws to Breach Russian Networks
Pro-Ukrainian hacktivist group PhantomCore chains three TrueConf vulnerabilities, including a CVSS 9.8 command injection, to infiltrate Russian government and private organizations, a campaign under way since September 2025.
A pro-Ukrainian hacktivist group has been systematically exploiting Russian video conferencing infrastructure since September 2025. PhantomCore — tracked by some researchers as Head Mare, Rainbow Hyena, or Fairy Trickster — chains three vulnerabilities in TrueConf Server to gain initial access, then deploys custom backdoors for persistent network control.
The campaign details, published by Positive Technologies researchers Daniil Grigoryan and Georgy Khandozhko, reveal an operation targeting Russian government entities and private companies through their video conferencing systems.
The Exploit Chain
TrueConf released security patches on August 27, 2025. By mid-September, PhantomCore was actively exploiting unpatched servers. The group chains three vulnerabilities registered in Russia's BDU vulnerability database:
BDU:2025-10114 (CVSS 7.5) — Insufficient access control allowing unauthenticated requests to administrative endpoints under /admin/*. This flaw opens the door for the subsequent attacks.
BDU:2025-10115 (CVSS 7.5) — Arbitrary file reading vulnerability enabling access to system files. Attackers use this to extract configuration data and credentials.
BDU:2025-10116 (CVSS 9.8) — Command injection flaw allowing execution of arbitrary operating system commands. This is the payload delivery mechanism, turning file read access into full system compromise.
The progression is textbook: reconnaissance through administrative access, credential harvesting through file read, then code execution through command injection.
Post-Compromise Activity
Once inside a network, PhantomCore doesn't stop at the video conferencing server. Positive Technologies documented extensive lateral movement using legitimate tools that blend with normal administrative activity.
The group deploys PHP-based web shells for persistent access and establishes reverse SSH tunnels for command-and-control. Rather than custom C2 frameworks that might trigger detection, they abuse Velociraptor — an open-source digital forensics tool — and Windows Remote Management (WinRM) for lateral movement.
Custom backdoors labeled PhantomPxPigeon handle command execution and traffic proxying across infected networks. The malware maintains communication channels even when direct internet access is restricted.
Who Is PhantomCore?
The group emerged publicly in 2022 following Russia's invasion of Ukraine. Operating under hacktivist motivations, PhantomCore pursues both political objectives and financial gain — a dual-purpose model common among groups active in the Russia-Ukraine conflict.
Positive Technologies notes the group conducts "large-scale operations while maintaining extended stealth within victim networks through continuous tool updates." This persistence suggests capabilities beyond casual hacktivism.
The multiple tracking names — PhantomCore, Head Mare, Rainbow Hyena, Fairy Trickster, UNG0901 — reflect independent identification by different security vendors before attribution consolidated.
Why TrueConf?
TrueConf is a Russian video conferencing platform with significant domestic market share. Following Western sanctions and the departure of international vendors like Zoom and Microsoft Teams from the Russian market, domestic alternatives like TrueConf saw expanded adoption across government and enterprise sectors.
That adoption makes TrueConf infrastructure a high-value target. Video conferencing servers often hold:
- Meeting recordings containing sensitive discussions
- User credentials and contact directories
- Network positioning within segmented environments
- Calendar integrations revealing organizational structure
Compromising these systems provides intelligence value beyond simple network access.
Attack Pattern Familiarity
The TrueConf campaign echoes patterns seen in other conflict-driven operations. UNC6692's targeting of Microsoft Teams through helpdesk impersonation demonstrates similar thinking: go where communications happen.
When organizations move sensitive discussions to video platforms, those platforms become collection targets. The security model shifts from protecting email servers to protecting real-time communication infrastructure.
PhantomCore's rapid exploitation — within weeks of the patches' release — also matches timelines observed in other critical vulnerability campaigns. Attackers monitor vendor patch releases, reverse-engineer the fixes, and deploy exploits before defenders update.
Defensive Recommendations
Patch immediately — If running TrueConf Server, apply August 2025 security updates. The exploitation window has been open for eight months.
Audit access logs — Review authentication and administrative access patterns for signs of unauthorized requests to /admin/* endpoints.
Check for web shells — Search for PHP files in unexpected locations. PhantomCore's shells may persist even after patching.
Monitor SSH connections — Reverse SSH tunnels create outbound connections that bypass traditional perimeter controls. Unusual SSH traffic patterns warrant investigation.
Review internal tooling — Velociraptor and WinRM are legitimate tools. Unexpected deployments or usage patterns could indicate attacker activity.
Network segmentation — Video conferencing servers shouldn't have unrestricted access to sensitive network segments. Limit lateral movement opportunities.
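One way to act on the "audit access logs" and "check for web shells" recommendations above, as an added example that is not from the original article or from Positive Technologies. It assumes the server's HTTP front end writes standard combined-format access logs; the admin-host allowlist, the expected PHP directories and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the server's HTTP front end writes NGINX/Apache "combined" access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical values: tune both to your own deployment.
KNOWN_ADMIN_HOSTS = {"10.0.5.20"}                   # workstations allowed to reach /admin/*
EXPECTED_PHP_PREFIXES = ("/admin/", "/webclient/")  # where the application's own PHP lives

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(lines, admin_hosts=KNOWN_ADMIN_HOSTS, php_prefixes=EXPECTED_PHP_PREFIXES):
    """Return {ip: set(reasons)}. An IP carrying both reasons matches the
    admin-access -> web-shell progression the article describes."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # only successful requests matter for these two checks
        path = rec["path"].split("?", 1)[0]
        # Successful /admin/* request from a host that is not a known admin workstation.
        if path.startswith("/admin/") and rec["ip"] not in admin_hosts:
            hits[rec["ip"]].add("admin-from-unknown-host")
        # PHP served from outside the application's directories: where a dropped shell would sit.
        if path.endswith(".php") and not path.startswith(php_prefixes):
            hits[rec["ip"]].add("php-outside-app-dirs")
    return dict(hits)

def chain_suspects(findings):
    """IPs showing both behaviours, sorted for the analyst's queue."""
    return sorted(ip for ip, reasons in findings.items() if len(reasons) == 2)

# Constructed sample lines (not real TrueConf or PhantomCore data).
SAMPLE = """\
10.0.5.20 - admin [12/Sep/2025:09:01:02 +0300] "GET /admin/settings HTTP/1.1" 200 5120
203.0.113.7 - - [14/Sep/2025:03:14:11 +0300] "GET /admin/general HTTP/1.1" 200 4096
203.0.113.7 - - [14/Sep/2025:03:15:40 +0300] "POST /images/cache/x.php HTTP/1.1" 200 17
10.0.5.21 - - [14/Sep/2025:08:00:00 +0300] "GET /webclient/index.php HTTP/1.1" 200 880
198.51.100.9 - - [14/Sep/2025:10:00:00 +0300] "GET /admin/login HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    print(audit(SAMPLE), chain_suspects(audit(SAMPLE)))
```

A redirected or rejected /admin/* request (the last sample line) is what a patched server should produce and is deliberately not flagged; only successful responses count.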
The Broader Context
State-aligned hacktivism has complicated traditional threat intelligence. Groups like PhantomCore operate with political motivation but employ tradecraft approaching nation-state sophistication. The line between activism and state-sponsored activity blurs.
For organizations caught in geopolitical crossfire — not just in Russia, but anywhere conflict creates targeting motivation — the lesson is pragmatic: patch faster, segment harder, and assume determined adversaries will find the gaps.
Positive Technologies continues tracking PhantomCore operations and has published technical indicators for defenders investigating potential compromises.