
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

A pro-Ukrainian hacktivist group known as PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025.

That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on vulnerable servers.

“Even though there are no exploits for this chain of vulnerabilities in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to numerous cases of its operation in Russian organizations,” researchers Daniil Grigoryan and Georgy Khandozhko said.

PhantomCore, also known as Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901, is the name assigned to a politically- and financially-motivated hacking crew that has been active since 2022 following the Russo-Ukrainian war. Attacks mounted by the group are known to steal sensitive data and disrupt target networks, in some cases even deploying ransomware based on the leaked source code of Babuk and LockBit.

“The group runs large-scale operations while maintaining strong stealth — remaining invisible in victim networks for extended periods — enabled by continuous updates and evolution of in-house offensive tools,” the company noted back in September 2025.

The TrueConf Server vulnerabilities exploited in the attacks are listed below –

  • BDU:2025-10114 (CVSS score: 7.5) – An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
  • BDU:2025-10115 (CVSS score: 7.5) – A vulnerability that could allow an attacker to read arbitrary files on the system.
  • BDU:2025-10116 (CVSS score: 9.8) – A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.

Successful exploitation of the three vulnerabilities could enable an attacker to bypass authentication and gain access to the organization's network. Although security patches addressing the issues were released by TrueConf on August 27, 2025, the first attacks aimed at TrueConf servers were detected around mid-September 2025, per Positive Technologies.
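The three bug classes in the chain (unauthenticated reach into /admin/*, arbitrary file read, and OS command injection) each leave a recognizable footprint in web server access logs. The following is an added triage example written for this page; it is not code from the Positive Technologies report or from TrueConf, and because the report does not disclose the exact endpoints or parameters abused, it keys on the bug classes generically: admin-panel requests from outside an assumed management network, path-traversal sequences, and shell metacharacters in query strings. The log lines are constructed, and the `ADMIN_ALLOWLIST` range is an assumption to adapt to your environment.

```python
"""Triage heuristics for access logs in front of an admin panel.

Added example (not from the Positive Technologies report or TrueConf):
generic indicators for the three bug classes named above -- unauthenticated
reach into /admin/*, arbitrary file read via path traversal, and OS command
injection via shell metacharacters. The exact endpoints and parameters
abused in the TrueConf chain are not public, so this keys on the bug
classes only. Log lines below are constructed, not captured traffic.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumption: admin endpoints are only legitimately reached from these
# management networks. Adjust to your environment.
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8")]

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|[a-z]:\\windows\\)", re.I)
# Metacharacters that should never appear in a well-formed parameter value.
CMD_INJECT_RE = re.compile(r"(;|\|\||&&|\$\(|`|\n)")


def decode_url(url: str) -> str:
    """Decode twice so %252e%252e-style double encoding is also caught."""
    return unquote(unquote(url))


def triage_line(line: str) -> list:
    """Return the list of indicator tags for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    url = decode_url(m["url"])
    ip = ip_address(m["ip"])
    if url.startswith("/admin/") and not any(ip in net for net in ADMIN_ALLOWLIST):
        # Access-control class: admin endpoint reached from outside management ranges.
        tags.append("admin_from_untrusted")
    if TRAVERSAL_RE.search(url):
        # File-read class: traversal sequence or well-known sensitive path.
        tags.append("path_traversal")
    query = url.split("?", 1)[1] if "?" in url else ""
    if CMD_INJECT_RE.search(query):
        # Command-injection class: shell metacharacters inside a parameter value.
        tags.append("cmd_injection")
    return tags


def triage(lines):
    """Map each suspicious line to its tags; lines with no indicators are dropped."""
    result = {}
    for line in lines:
        tags = triage_line(line)
        if tags:
            result[line] = tags
    return result


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.7 - - [15/Sep/2025:09:01:12 +0300] "GET /admin/dashboard HTTP/1.1" 200 5120',
    '203.0.113.45 - - [15/Sep/2025:09:02:40 +0300] "GET /admin/settings HTTP/1.1" 200 2048',
    '203.0.113.45 - - [15/Sep/2025:09:03:01 +0300] "GET /admin/export?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1830',
    '203.0.113.45 - - [15/Sep/2025:09:03:30 +0300] "GET /admin/tools?host=127.0.0.1%3Bid HTTP/1.1" 200 96',
    '198.51.100.9 - - [15/Sep/2025:09:04:00 +0300] "GET /index.html HTTP/1.1" 200 611',
]

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG).items():
        print(",".join(tags), "|", line)
```

Run it against a real export by replacing `SAMPLE_LOG` with the file's lines. Three of the five constructed lines are flagged; the first is a legitimate admin request from the allowlisted range and the last is ordinary traffic. A successful (200) response paired with a traversal or metacharacter tag is the combination worth escalating, since the patched build should reject those requests.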


In the attacks observed by the Russian security vendor, the compromise of the TrueConf Server enabled the threat actors to use it as a springboard to move laterally across the internal network and drop malicious payloads to facilitate reconnaissance, defense evasion, and credential harvesting, as well as set up communication channels using tunneling utilities.

At least one such successful compromise is said to have led to the deployment of a PHP-based web shell that is capable of uploading files to the infected host and executing remote commands, along with a PHP file that functions as a proxy server to disguise malicious requests as coming from a legitimate server.

Some of the other tools delivered as part of the attack are as follows –

  • PhantomPxPigeon, a malicious TrueConf video conferencing client that implements a reverse shell to connect to a remote server and receive tasks for subsequent execution, allowing it to run commands, launch executables, and proxy traffic through the aforementioned web shell
  • PhantomSscp (DLL), MacTunnelRat (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached environment via a reverse SSH tunnel
  • ADRecon, for reconnaissance
  • Veeam-Get-Creds, a modified version of the PowerShell script to recover passwords related to the Veeam Backup & Replication software
  • DumpIt and MemProcFS, for credential harvesting
  • Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP), for lateral movement within the network perimeter
  • Velociraptor, for remote access
  • microsocks, rsocx, and tsocks, for controlling compromised hosts from attacker-controlled infrastructure using a SOCKS proxy

Select intrusions have utilized a DLL to create a rogue user named “TrueConf2” with administrative privileges on a compromised video conferencing server.
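A newly created local account that lands in the Administrators group within seconds is the pattern the “TrueConf2” persistence leaves in the Windows Security log. The following is an added hunting example for this page, not code from the report or from any of the tools it names: it correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) for the BUILTIN\Administrators SID inside a short window. The event records are constructed, and the field names (`EventID`, `TimeCreated`, `TargetUserName`, `MemberName`, `TargetSid`, `SubjectUserName`) assume a flat JSON export of the Security log, which is an assumption about your log pipeline.

```python
"""Hunt for rogue local administrator accounts on a Windows server.

Added example (not from the Positive Technologies report): correlates
Windows Security events 4720 (user account created) and 4732 (member added
to a security-enabled local group) to surface accounts that were created
and elevated to Administrators within a short window. The 'TrueConf2'
account named above is the motivating case. Event records here are
constructed, not exported from a real host; the flat field names follow a
common JSON export layout and are an assumption about your log pipeline.
"""
from datetime import datetime, timedelta

# Well-known SID of BUILTIN\Administrators (RID 544).
ADMINS_SID = "S-1-5-32-544"
WINDOW = timedelta(minutes=10)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_rogue_admins(events, window=WINDOW):
    """Return [(account, created_at, elevated_at, creator)] for every account
    that was created (4720) and added to Administrators (4732) within `window`."""
    created = {}  # TargetUserName -> (creation time, SubjectUserName of the creator)
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = (_ts(ev["TimeCreated"]), ev["SubjectUserName"])
    hits = []
    for ev in events:
        if ev["EventID"] != 4732 or ev.get("TargetSid") != ADMINS_SID:
            continue
        # 4732 carries the added member as MemberName (DOMAIN\user form).
        member = ev["MemberName"].split("\\")[-1]
        if member in created:
            t_created, creator = created[member]
            t_elev = _ts(ev["TimeCreated"])
            if timedelta(0) <= t_elev - t_created <= window:
                hits.append((member, t_created, t_elev, creator))
    return hits


# Constructed sample events (not a real export). The TrueConf2 creation is
# attributed to a hypothetical service account 'trueconf-svc', standing in for
# whatever identity the web shell or DLL ran under.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-09-16T02:14:05",
     "TargetUserName": "TrueConf2", "SubjectUserName": "trueconf-svc"},
    {"EventID": 4732, "TimeCreated": "2025-09-16T02:14:07", "TargetSid": ADMINS_SID,
     "MemberName": "TCSERVER\\TrueConf2", "SubjectUserName": "trueconf-svc"},
    {"EventID": 4720, "TimeCreated": "2025-09-16T08:00:00",
     "TargetUserName": "helpdesk01", "SubjectUserName": "itadmin"},
    # Remote Desktop Users (RID 555), not Administrators: ignored.
    {"EventID": 4732, "TimeCreated": "2025-09-16T08:01:00", "TargetSid": "S-1-5-32-555",
     "MemberName": "TCSERVER\\helpdesk01", "SubjectUserName": "itadmin"},
    # Elevated a day later: outside the 10-minute window, ignored by default.
    {"EventID": 4732, "TimeCreated": "2025-09-17T09:00:00", "TargetSid": ADMINS_SID,
     "MemberName": "TCSERVER\\helpdesk01", "SubjectUserName": "itadmin"},
]

if __name__ == "__main__":
    for acct, t0, t1, who in find_rogue_admins(SAMPLE_EVENTS):
        print(f"{acct}: created {t0} by {who}, added to Administrators at {t1}")
```

Only TrueConf2 is reported with the default window; widening `window` also surfaces the helpdesk01 elevation, which is why the window should be tuned to how quickly your own provisioning normally grants admin rights. The creator (`SubjectUserName` on the 4720 event) is the pivot for the next question: whether that identity is the conferencing service account, which would point back to the web shell.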

PhantomCore's attack chains have also been found to use phishing lures for initial access to Russian organizations as recently as January and February 2026, using crafted ZIP or RAR archives to distribute a backdoor that can run remote commands on the host and serve arbitrary payloads.


“The PhantomCore group is one of the most active groups in the Russian threat landscape,” the researchers concluded. “Its arsenal consists of both publicly available tools (Velociraptor, Memprocfs, Dokan, DumpIt) and proprietary tools (MacTunnelRAT, PhantomSscp, PhantomProxyLite). The group targets government and private organizations across a wide range of industries.”

“PhantomCore actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate various Russian companies.”

In recent months, industrial and aviation sectors in Russia have been targeted by phishing campaigns orchestrated by a financially motivated group named CapFIX to deploy a backdoor dubbed CapDoor that can run PowerShell commands, DLLs, and executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFIX is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic.

A deeper analysis of the threat actor's campaigns in October and November 2025 has uncovered its use of ClickFix to deploy off-the-shelf malware families like AsyncRAT and SectopRAT.

“While the group previously relied on financially themed phishing emails (cryptocurrency and anything money-related), they're now increasingly masking their emails as official communications from government agencies,” Positive Technologies said.

PhantomCore and CapFIX are among a growing list of threat activity clusters that have mounted attacks against Russian entities. Some of the other prominent groups include –

  • Geo Likho, which has primarily targeted the aviation and shipping sectors in Russia and Belarus since July 2024, using phishing attacks that deliver information-stealing malware. Isolated infections have also been detected in Germany, Serbia, and Hong Kong, and are suspected to be unintentional.
  • Mythic Likho, which uses phishing lures via email to deliver loaders like HuLoader, Merlin (a Mythic agent), or ReflectPulse that are designed to unpack the final payload, a backdoor called Loki that's a Mythic-compatible version of an agent designed for the Havoc post-exploitation framework. Evidence has indicated that the group shares ties with another group referred to as ExCobalt, owing to the use of the latter's proprietary rootkit, Megatsune.
  • Paper Werewolf (aka GOFFEE), which has used a dedicated Telegram channel to distribute a trojan called EchoGather under the guise of a tool to add Starlink devices to an exception list, in addition to sharing links to phishing pages that are designed to harvest victims' Telegram account credentials. The group has also been observed using a bogus website advertising a drone pilot simulator to drop EchoGather.
  • Versatile Werewolf (aka HeartlessSoul), which has used fake websites (“stardebug[.]app”) to distribute fake MSI installers for Star Debug, an alternative tool to manage Starlink devices, to deploy the Sliver post-exploitation framework. Another website tied to the threat actor (“alphafly-drones[.]com”) has used rogue drone simulator apps to seemingly drop SoullessRAT, a Windows trojan that can run commands, upload files, capture screenshots, and execute binaries.
  • Eagle Werewolf, a previously undocumented threat group that has compromised drone-focused Telegram channels to distribute AquilaRAT via a Rust dropper that masquerades as a checklist for Starlink device activation. A Rust-based trojan, AquilaRAT can perform file operations and run commands.

“Despite sharing a common goal and employing similar techniques, the clusters operated autonomously, showing no evidence of direct coordination,” Russian cybersecurity company BI.ZONE said.

“In addition to malware distribution, Paper Werewolf hijacks Telegram accounts. The cluster likely uses them as trusted channels to support future attacks. Versatile Werewolf leverages generative AI to develop tools used in their attacks, accelerating the development process.”
