
PhantomCore Exploits TrueConf Flaws to Breach Russian Networks


"Despite the fact that there are no exploits for this chain of vulnerability in public access, attackers from PhantomCore managed to conduct their research and reproduce vulnerabilities, which led to a large number of cases of its operation in Russian organizations," researchers Daniil Grigoryan and Georgy Khandozhko said.

BDU:2025-10114, BDU:2025-10115 and BDU:2025-10116—what was exploited

Positive Technologies' analysis shows PhantomCore used an exploit chain of three vulnerabilities in TrueConf Server to breach Russian networks. The vendor-assigned faults are BDU:2025-10114 (CVSS 7.5), an insufficient access control flaw allowing unauthenticated requests to /admin/* endpoints; BDU:2025-10115 (CVSS 7.5), which permits reading arbitrary files; and BDU:2025-10116 (CVSS 9.8), a command-injection vulnerability that allows execution of arbitrary operating-system commands. TrueConf released security patches for these issues on August 27, 2025, yet Positive Technologies detected the first attacks against TrueConf servers in mid-September 2025.

PhantomCore (aka Fairy Trickster / Head Mare / Rainbow Hyena / UNG0901): operations and motives

Positive Technologies attributes the operations to PhantomCore, a crew the report describes as politically- and financially-motivated and active since 2022 following the Russo-Ukrainian war. The company said the group "runs large-scale operations while maintaining strong stealth — remaining invisible in victim networks for extended periods — enabled by continual updates and evolution of in-house offensive tools."

The report also noted PhantomCore "actively searches for vulnerabilities in domestic software, develops exploits, and thereby gains the ability to infiltrate a large number of Russian companies." Their activities, according to Positive Technologies, have included data theft, network disruption and, in some cases, deployment of ransomware based on leaked Babuk and LockBit code.

Observed attack chain and the toolset dropped in breaches

In the intrusion patterns documented by Positive Technologies, a compromised TrueConf Server acted as a beachhead for lateral movement and payload delivery. The vendor observed attacks that dropped a PHP web shell capable of uploading files and executing remote commands, plus a PHP proxy file to disguise malicious requests as if they originated from a legitimate server.

  • PhantomPxPigeon — a malicious TrueConf client implementing a reverse shell to receive tasks, run commands and proxy traffic through the web shell.
  • PhantomSscp (DLL), MacTunnelRat (PowerShell), PhantomProxyLite (PowerShell) — utilities to establish reverse SSH tunnels and maintain a foothold.
  • ADRecon for reconnaissance; Veeam-Get-Creds, a modified PowerShell script to recover Veeam Backup & Replication passwords.
  • DumpIt and MemProcFS for credential harvesting; Velociraptor for remote access.
  • Use of Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP) for lateral movement.
  • microsocks, rsocx and tsocks to control compromised hosts via SOCKS proxies.

Positive Technologies reported some intrusions used a DLL to create a rogue user named "TrueConf2" with administrative privileges on an infected video‑conferencing server. The company also observed PhantomCore using phishing lures as late as January and February 2026, distributing backdoors in crafted ZIP or RAR archives that can run remote commands and serve arbitrary payloads.

CapFIX, ClickFix and other clusters targeting Russian aviation and industrial sectors

The TrueConf incidents sit alongside other campaigns the security firm documented. A financially-motivated group dubbed CapFIX has mounted phishing campaigns in recent months against industrial and aviation sectors in Russia to deploy a backdoor named CapDoor, which can run PowerShell commands, DLLs and executables retrieved from a remote server, install MSI files and take screenshots. Positive Technologies said CapDoor was first discovered in 2025 and that the CapFIX name references the ClickFix social-engineering tactic used to distribute it.

The company also cataloged other active clusters: Geo Likho targeting aviation and shipping since July 2024; Mythic Likho using loaders such as HuLoader and Merlin to deliver a Loki backdoor; Paper Werewolf (aka GOFFEE) distributing EchoGather through a Telegram channel and fake Starlink tools; Versatile Werewolf (aka HeartlessSoul) deploying the Sliver framework and SoullessRAT via fake Star Debug installers; and Eagle Werewolf spreading AquilaRAT via Rust droppers. BI.ZONE told Positive Technologies the clusters operate autonomously despite sharing techniques and goals.

What this means for technologists, procurement leaders, and regulators

  • Technologists and security teams: Expect exploitation timelines where patches are available but attackers move quickly — Positive Technologies documented breaches after the August 27, 2025 patch release — and hunt for indicators tied to the PHP shells, PhantomPxPigeon, and reverse-tunneling utilities named in the report.
  • Procurement and software-owners: The report highlights risk from "domestic software" vulnerabilities and the need to prioritize timely patching and vulnerability discovery, since PhantomCore "actively searches for vulnerabilities in domestic software, develops exploits" and leverages them broadly.
  • Regulators and critical-infrastructure overseers: The mix of espionage, credential theft and ransomware in the observed campaigns — and targeting of aviation and industrial sectors by other groups — suggests oversight should focus on patch management, supply‑chain hygiene, and monitoring for novel tunneling and proxying behavior.
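As an added illustration (not from the Positive Technologies report or this article), a small Python hunt over constructed web-server access-log lines that looks for the shape of the chain described above: a successful /admin/* request with no authenticated user from outside trusted ranges, followed by the first-ever request for a .php path from the same source, the pattern a dropped web shell or proxy script would leave. The combined log format, the trusted network range, the /admin/login allowlist and the sample IPs are all assumptions; TrueConf Server's real log layout is not described in the article.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache/nginx "combined" log format (an assumption:
# the article does not describe TrueConf Server's real access-log layout).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2025:09:12:01 +0300] "GET /admin/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - admin [15/Sep/2025:09:12:09 +0300] "GET /admin/users HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2025:09:15:22 +0300] "GET /admin/settings HTTP/1.1" 200 3310 "-" "python-requests/2.31"
203.0.113.7 - - [15/Sep/2025:09:16:40 +0300] "POST /upload/proxy.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.9 - - [15/Sep/2025:10:01:00 +0300] "GET /admin/settings HTTP/1.1" 401 0 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Admin paths a browser legitimately reaches before logging in (assumed).
ALLOW_UNAUTH = {"/admin/login"}

def hunt(log_text, trusted_nets=("10.0.0.0/8",)):
    """Return {source_ip: [findings]} for sources showing the chain pattern:
    successful unauthenticated /admin/* access from outside trusted networks,
    then the first request ever seen for a .php path from that same source."""
    trusted = [ip_network(n) for n in trusted_nets]
    findings = defaultdict(list)
    seen_php = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip, user, status = m["ip"], m["user"], int(m["status"])
        path = m["path"].split("?", 1)[0]          # drop the query string
        external = not any(ip_address(ip) in net for net in trusted)
        if (path.startswith("/admin/") and path not in ALLOW_UNAUTH
                and user == "-" and status < 400 and external):
            findings[ip].append(f"unauthenticated admin access succeeded: {path} -> {status}")
        if path.endswith(".php"):
            # Only a source already flagged for admin abuse counts; a PHP path
            # seen for the first time after that is a web-shell candidate.
            if path not in seen_php and ip in findings:
                findings[ip].append(f"new PHP script requested after admin abuse: {path}")
            seen_php.add(path)
    return dict(findings)

if __name__ == "__main__":
    for src, hits in hunt(SAMPLE_LOG).items():
        print(src, *hits, sep="\n  ")
```

The internal admin session and the rejected 401 probe are not reported; only the external source that both reached an admin endpoint without a session and then fetched a previously unseen PHP script is.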

Positive Technologies' findings paint PhantomCore as a flexible, persistent operator able to turn a video-conferencing server into a pivot point for broad network compromise. The combination of a high-severity command-injection hole (BDU:2025-10116), post-patch exploitation observed in mid-September 2025, and ongoing phishing into early 2026 raises a pointed question for defenders: when a widely deployed collaboration service is weaponized, how quickly can organizations detect and evict a team that "remains invisible in victim networks for extended periods"?
