A pro-Ukrainian hacktivist group known as PhantomCore has been exploiting vulnerabilities in TrueConf video conferencing software to infiltrate Russian networks since September 2025. According to a Positive Technologies report, the attackers chained three undisclosed flaws in TrueConf Server, allowing them to bypass authentication, read sensitive files, and execute arbitrary commands remotely. Despite patches being released by TrueConf on August 27, 2025, the group independently reverse-engineered these issues, launching widespread attacks on Russian organizations without relying on public exploits.
The vulnerabilities include BDU:2025-10114 (CVSS 7.5), an insufficient access control flaw enabling unauthenticated requests to admin endpoints like /admin/*; BDU:2025-10115 (CVSS 7.5), which permits arbitrary file reads; and the critical BDU:2025-10116 (CVSS 9.8), a command injection vulnerability for full OS command execution. This exploit chain grants attackers initial foothold on vulnerable servers, facilitating lateral movement and persistence within victim environments.
PhantomCore's operations highlight their sophistication, as they maintain stealth for extended periods—up to 78 days in some cases—while targeting sectors like government, defense, and manufacturing.
PhantomCore's tactics extend beyond TrueConf exploits, incorporating phishing with password-protected RAR archives containing PhantomRAT malware, a shift from earlier ZIP-based methods. Positive Technologies noted over 180 infections from May to July 2025 alone, peaking on June 30, with at least 49 hosts still under attacker control as of early 2026. The group's pro-Ukrainian affiliation aligns with geopolitical motives, focusing exclusively on Russian entities amid ongoing cyber-espionage waves.
Organizations running TrueConf face heightened risks if unpatched, as attackers evolve tools to evade detection and conduct large-scale breaches. Immediate mitigations include applying the August 2025 patches, monitoring admin endpoints and command logs for anomalies, and segmenting video conferencing servers from core networks. Enhanced defenses against lateral movement, such as network micro-segmentation and behavioral analytics, are crucial to counter PhantomCore's persistence.
This campaign underscores the dangers of unpatched collaboration tools in sensitive environments, where private zero-days can fuel nation-aligned hacktivism. Russian firms must prioritize vulnerability management and threat hunting, as PhantomCore's adaptability signals ongoing threats into 2026. By staying vigilant, defenders can disrupt such stealthy intrusions before they escalate to data exfiltration or sabotage.