A pro-Ukrainian hacktivist group known as PhantomCore has been linked to a series of cyberattacks targeting servers running TrueConf video-conferencing software across Russia since September 2025. Security researchers report that the campaign relies on a carefully built exploitation chain that gives the attackers remote command execution and deep network infiltration.
Exploitation of TrueConf Security Flaws
According to research published by Positive Technologies, attackers used a combination of three vulnerabilities in TrueConf Server systems to gain unauthorized access.
The identified vulnerabilities include:
- BDU:2025-10114, an access-control weakness allowing unauthenticated access to administrative endpoints
- BDU:2025-10115, a flaw enabling attackers to read sensitive system files
- BDU:2025-10116, a critical command-injection vulnerability allowing execution of operating system commands
Although patches were released in August 2025, attackers began exploiting these weaknesses shortly afterwards, in September 2025.
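The third flaw in the chain is an operating-system command injection. The following is an added example, not TrueConf code or anything from the Positive Technologies report: it places the classic vulnerable pattern (building a shell command string from request input) beside a hardened form (strict input validation plus an argv list executed without a shell). The "host reachability check" feature and the `ping` command are assumptions chosen for illustration.

```python
"""Command-injection pattern beside its hardened form (added example, hypothetical feature)."""
import re
import subprocess

# Hypothetical admin feature: an operator supplies a hostname to check.
# The vulnerable variant is the pattern behind most OS command-injection
# flaws; the hardened variant validates the value and never involves a shell.

# Strict hostname grammar: letters, digits, dots and hyphens, no metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Characters a POSIX shell would interpret if the string reached shell=True / system().
SHELL_META = set(";|&$`<>(){}\n\r")


def build_command_vulnerable(target: str) -> str:
    """Builds the command by string concatenation.

    In the vulnerable pattern this string is handed to a shell, so any
    metacharacters in `target` are parsed as additional commands.
    """
    return "ping -c 1 " + target


def contains_shell_metacharacters(s: str) -> bool:
    """True if a shell would treat part of `s` as something other than a plain argument."""
    return any(ch in SHELL_META for ch in s)


def is_safe_target(target: str) -> bool:
    """Allow-list check: only syntactically valid hostnames pass."""
    return HOSTNAME_RE.match(target) is not None


def build_command_hardened(target: str) -> list[str]:
    """Validates `target` and returns an argv list (no shell parsing involved)."""
    if not is_safe_target(target):
        raise ValueError("target is not a valid hostname")
    return ["ping", "-c", "1", target]


def run_hardened(target: str, timeout: float = 5.0) -> int:
    """Executes the hardened command; shell=False passes argv straight to execve."""
    argv = build_command_hardened(target)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    injected = "host.example; echo injected"
    print("vulnerable string :", build_command_vulnerable(injected))
    print("metacharacters    :", contains_shell_metacharacters(build_command_vulnerable(injected)))
    print("hardened accepts  :", is_safe_target("host.example"), "| rejects injection:", not is_safe_target(injected))
```

The key difference is not the regex alone: even a validated value should be passed as a separate argv element, so that a validation gap never turns into shell parsing.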
PhantomCore Threat Profile
PhantomCore, also known by aliases such as Fairy Trickster and Rainbow Hyena, is a politically and financially motivated hacking group that has been active since 2022, in the wake of the Russia-Ukraine conflict.
The group is known for:
- Long-term stealth operations inside compromised networks
- Continuous development of custom hacking tools
- Data theft and network disruption activities
- Occasional deployment of ransomware derived from the leaked Babuk and LockBit source code
Attack Execution and Lateral Movement
Once inside a network, attackers used compromised TrueConf servers as a launch point for deeper intrusion.
Their activities included:
- Expanding access across internal systems
- Deploying malicious payloads for reconnaissance and credential theft
- Establishing hidden communication channels using tunneling tools
In one confirmed case, the attackers deployed a PHP-based web shell that could execute remote commands and upload files. They also used a proxy script to disguise malicious traffic as legitimate server activity.
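A PHP web shell that executes commands and accepts uploads leaves recognisable static traces in the files it lives in. The following is an added example, not code from the article or from Positive Technologies: a small triage scanner that walks a web root for PHP files and reports which indicator classes each file contains (execution sinks, request-controlled input, upload handling, obfuscation helpers). The sample files it scans are constructed fixtures written to a temporary directory; the directory names are invented.

```python
"""Static triage of PHP files for web-shell indicators (added example)."""
import re
import tempfile
from pathlib import Path

# Indicator classes. A request parameter reaching an execution sink is the
# strongest single signal; the others raise or lower priority for review.
INDICATORS = {
    "exec_sink": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "request_input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "upload": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def score_php_source(src: str) -> list[str]:
    """Returns the indicator classes present in one PHP source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if "request_input" in hits and ("exec_sink" in hits or "eval" in hits):
        hits.append("request_to_exec")  # request data can reach a code/command sink
    return hits


def scan_dir(root: str) -> dict[str, list[str]]:
    """Maps each PHP file under `root` (relative path) to its indicator hits; clean files are omitted."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = score_php_source(src)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed fixtures (not real files from any server): a benign template and
# a minimal shell-like file of the kind a detector must catch.
SAMPLES = {
    "views/status.php": "<?php echo htmlspecialchars($status_text); ?>",
    "uploads/cache_x.php": (
        "<?php @system($_REQUEST['c']); "
        "if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); } ?>"
    ),
}


def scan_samples() -> dict[str, list[str]]:
    """Writes the constructed fixtures to a temp dir and scans them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_dir(tmp)


if __name__ == "__main__":
    for rel, hits in scan_samples().items():
        print(f"{rel}: {', '.join(hits)}")
```

On a real host, run this over the web root and compare the flagged files against the deployment manifest and file modification times; a PHP file under an upload or cache directory that carries `request_to_exec` is the first thing to pull for analysis. Static indicators are a triage aid, not a verdict: obfuscated shells may hide the sink behind string building, so pair the scan with web-server access logs for the same paths.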

Malware and Tools Used in the Campaign
The attack chain included a combination of custom-built tools and publicly available utilities.
Key tools included:
- PhantomPxPigeon, a modified conferencing client enabling reverse-shell access and remote command execution
- PhantomSscp, MacTunnelRat, and PhantomProxyLite, used for persistence via reverse SSH tunnels
- ADRecon, used for network reconnaissance
- Veeam-Get-Creds, used to extract backup-related credentials
- DumpIt and MemProcFS, used for memory and credential extraction
- Velociraptor, used for remote monitoring and access
- WinRM and RDP, used for lateral movement
Attackers also created a rogue administrator account named TrueConf2 to maintain long-term access.
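A rogue account such as TrueConf2 is created and then granted local administrator rights, which produces two Windows Security events close together (4720, user account created, followed by 4732, member added to a security-enabled local group). The following is an added example, not from the article or its sources: it correlates the two event types per account within a time window and additionally flags names that imitate a service account. The event records are constructed for the example; the field names follow the Security event XML, but the simplified JSON-lines shape and the helper names are assumptions.

```python
"""Correlating account creation with admin-group membership (added example)."""
import json
from datetime import datetime, timedelta

# Constructed Windows Security records in a simplified JSON-lines form
# (fabricated for this example; not a real export).
SAMPLE_JSONL = """\
{"EventID": 4624, "TimeCreated": "2025-09-20T01:55:12", "TargetUserName": "svc_backup", "SubjectUserName": "-"}
{"EventID": 4720, "TimeCreated": "2025-09-20T02:03:41", "TargetUserName": "TrueConf2", "SubjectUserName": "Administrator"}
{"EventID": 4732, "TimeCreated": "2025-09-20T02:04:05", "TargetUserName": "Administrators", "MemberName": "CORP\\\\TrueConf2", "SubjectUserName": "Administrator"}
{"EventID": 4720, "TimeCreated": "2025-09-21T09:15:00", "TargetUserName": "j.doe", "SubjectUserName": "helpdesk"}
{"EventID": 4732, "TimeCreated": "2025-09-22T10:00:00", "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\\\j.doe", "SubjectUserName": "helpdesk"}
"""


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def _short_name(member: str) -> str:
    """MemberName may be DOMAIN\\user or a DN like CN=user,...; keep the bare name."""
    if member.upper().startswith("CN="):
        return member.split(",", 1)[0][3:]
    return member.rsplit("\\", 1)[-1]


def find_rogue_admins(events: list[dict], window: timedelta = timedelta(hours=1),
                      service_prefixes: tuple[str, ...] = ("trueconf",)) -> list[dict]:
    """Flags accounts created (4720) and added to Administrators (4732) within `window`.

    Accounts whose name starts with a known service product name get an extra reason,
    since naming a backdoor account after the host's software is a common disguise.
    """
    created = [e for e in events if e.get("EventID") == 4720]
    admin_adds = [e for e in events
                  if e.get("EventID") == 4732 and e.get("TargetUserName") == "Administrators"]
    findings = []
    for c in created:
        name = c["TargetUserName"]
        t0 = _ts(c["TimeCreated"])
        for a in admin_adds:
            if _short_name(a.get("MemberName", "")).lower() != name.lower():
                continue
            delta = _ts(a["TimeCreated"]) - t0
            if timedelta(0) <= delta <= window:
                reasons = ["created_then_local_admin_within_window"]
                if name.lower().startswith(service_prefixes):
                    reasons.append("mimics_service_name")
                findings.append({
                    "account": name,
                    "created": c["TimeCreated"],
                    "admin_added": a["TimeCreated"],
                    "by": a.get("SubjectUserName"),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_rogue_admins(parse_jsonl(SAMPLE_JSONL)):
        print(f"{f['account']}: {', '.join(f['reasons'])} (by {f['by']}, {f['created']} -> {f['admin_added']})")
```

The window keeps the rule tight: a helpdesk account that gets admin rights days later is a change-management question, not this pattern. Extend `service_prefixes` with the names of whatever software runs on the host, since the disguise only works when the name looks like something that belongs there.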
Phishing Based Entry and Expansion
More recent attacks observed in early 2026 show that PhantomCore is also using phishing campaigns.
These campaigns rely on:
- Malicious ZIP and RAR attachments
- Backdoors capable of executing remote commands
- Payload delivery systems for additional malware deployment
CapFIX and the Expanding Threat Landscape
Alongside PhantomCore, another group known as CapFIX has been targeting Russian industrial and aviation sectors.
Their malware, CapDoor, is capable of:
- Executing PowerShell commands
- Running DLL files and executables
- Installing MSI packages
- Capturing screenshots from infected systems
Recent campaigns also show the use of social engineering techniques known as ClickFix to distribute malware families such as AsyncRAT and SectopRAT.
Other Active Cyber Threat Groups
Several additional threat clusters are also active in the region, including:
- Geo Likho, targeting aviation and shipping sectors with information-stealing malware
- Mythic Likho, distributing loaders and backdoors linked to the Mythic framework
- Paper Werewolf, using Telegram channels to spread trojans and phishing links
- Versatile Werewolf, using fake software sites to deploy advanced post-exploitation tools
- Eagle Werewolf, distributing Rust-based remote access trojans through compromised channels
Researchers note that these groups operate independently despite using similar tactics.