# PhantomCore Exploits Critical TrueConf Vulnerabilities in Sustained Campaign Against Russian Networks


A pro-Ukrainian hacktivist collective known as PhantomCore has been conducting active cyberattacks against servers running TrueConf video conferencing software across Russia since September 2025, according to security research published by Positive Technologies. The campaign leverages a sophisticated exploit chain combining three distinct vulnerabilities to achieve unauthenticated remote command execution on affected systems—a critical capability that poses significant risks to organizational security.


## The Threat


PhantomCore's operational tempo has accelerated significantly over the past months, with attackers systematically probing Russian networks for vulnerable TrueConf installations and exploiting them with high precision. The threat actors employ an automated exploit chain built from multiple CVEs, allowing them to bypass authentication and execute arbitrary commands on vulnerable servers without valid user credentials.


The campaign represents a notable shift in hacktivist tactics, moving beyond traditional defacement or denial-of-service attacks toward sustained network penetration. Security researchers tracking PhantomCore noted that the group maintains persistent access to compromised infrastructure, enabling:


  • Data exfiltration from video conferencing repositories
  • Network reconnaissance for lateral movement opportunities
  • Credential harvesting from connected systems
  • Infrastructure reconnaissance for future attack planning

Positive Technologies' threat intelligence team confirmed that PhantomCore tracks TrueConf patch releases and targets installations that remain unpatched, using exploit code distributed through underground forums and direct command-and-control channels.


## Background and Context


TrueConf is a Russian-developed unified communications platform widely deployed across Eastern Europe, Central Asia, and Russia. The software provides video conferencing, instant messaging, and file-sharing capabilities, with particular penetration in government agencies, financial institutions, and enterprise networks throughout Russia and former Soviet states.


PhantomCore emerged as an organized hacktivist entity in late 2024, framing its operations from the outset as anti-Kremlin activism in support of Ukrainian cyber efforts. Intelligence analysts assess the group as loosely affiliated but coordinated, with enough technical capability to develop and weaponize zero-day exploits or to turn public vulnerabilities into working attack tools quickly.


The geopolitical context is crucial: the targeting of Russian infrastructure and communications platforms aligns with broader patterns of state-sponsored and hacktivist-driven cyberconflict between Russia and Western/Ukrainian actors. However, researchers emphasize that PhantomCore operates independently of formal state cyber operations, though its motivations clearly overlap with Ukrainian national interests.


Previous PhantomCore campaigns have targeted:

  • Russian telecommunications infrastructure
  • Financial institutions with Kremlin ties
  • Military-adjacent logistics networks
  • Government administrative systems

This latest campaign against TrueConf represents an escalation in targeting civilian communications infrastructure used by both public and private organizations.


## Technical Details


The exploit chain weaponizes three separate vulnerabilities in TrueConf to achieve remote code execution. While Positive Technologies redacted specific CVE identifiers pending patch availability, the vulnerability sequence follows a common pattern in video conferencing exploitation:


### Stage 1: Authentication Bypass

The first vulnerability lets attackers circumvent TrueConf's authentication without valid credentials. Researchers describe it as an improper validation flaw in the login handling routine; the report does not detail the mechanism, but flaws of this class usually come down to one of the following:

  • Malformed authentication tokens that are nevertheless accepted as valid
  • Session validation logic that can be satisfied without a completed login
  • Insufficient input sanitization on authentication endpoints

### Stage 2: Privilege Escalation

The second vulnerability exploits insufficient access controls within the TrueConf application layer. Once initial access is obtained, attackers use this flaw to escalate from a low-privileged application role to administrative privileges within the application.


### Stage 3: Remote Code Execution

The third vulnerability enables arbitrary command execution on the underlying operating system. Flaws of this kind typically involve:

  • Unsafe file handling routines
  • Insufficient validation of user-controlled input passed to system calls
  • Improper sandboxing of application processes
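
The first two flaw classes listed for Stage 3 are generic enough to show concretely. What follows is an added illustration, not TrueConf's code and not the vulnerability PhantomCore uses: a hypothetical recording-export handler written the vulnerable way (user-controlled file name interpolated into a shell command line) beside a hardened version that allowlists the name, confines it to a storage root and never hands the value to a shell. The storage root, the file-name policy and the use of `ls` as the underlying command are assumptions chosen so the example runs offline.

```python
"""Illustrative Stage 3 pattern: user input reaching a shell command.

Constructed example; not TrueConf's code. The recording-export handler,
the storage root and the file-name policy are all assumptions.
"""
import re
import subprocess
from pathlib import Path

# Hypothetical storage root for exported recordings.
RECORDINGS_ROOT = Path("/tmp/recordings")


def export_recording_vulnerable(name: str) -> str:
    """Builds a shell command line by string interpolation.

    `name` is attacker-controlled, so shell metacharacters in it are
    interpreted by /bin/sh: "x; id" runs `id` on the server. Anyone who
    can reach this handler gets command execution as the service user.
    """
    cmd = f"ls -l {RECORDINGS_ROOT}/{name}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


# Allowlist: a plain base name with a fixed extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.mp4")


def resolve_recording(name: str, root: Path = RECORDINGS_ROOT) -> Path:
    """Validates `name` against the allowlist and confines it to `root`.

    Rejects shell metacharacters, path separators and traversal sequences
    before the value is used anywhere. The parent check is belt and
    braces: even if the regex were loosened later, the resolved path must
    still sit directly under the storage root.
    """
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected recording name: {name!r}")
    target = (root / name).resolve()
    if target.parent != root.resolve():
        raise ValueError(f"path escapes recordings root: {target}")
    return target


def is_safe_recording_name(name: str, root: Path = RECORDINGS_ROOT) -> bool:
    """True when resolve_recording() would accept `name`."""
    try:
        resolve_recording(name, root)
        return True
    except ValueError:
        return False


def export_recording_hardened(name: str, root: Path = RECORDINGS_ROOT) -> str:
    """Same operation with the input validated and no shell involved.

    The argument-list form of subprocess.run passes `target` to `ls` as a
    single argv entry; no shell ever parses it.
    """
    target = resolve_recording(name, root)
    completed = subprocess.run(
        ["ls", "-l", str(target)], capture_output=True, text=True, check=False
    )
    return completed.stdout


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable:", export_recording_vulnerable(payload).strip())
    try:
        export_recording_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
```

Run stand-alone, the vulnerable handler prints `INJECTED` (the second command in the payload executed), while the hardened one rejects the same input before it reaches any system call. The allowlist is the primary control; the resolved-parent check exists so that a future relaxation of the regex does not silently reintroduce traversal.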

Positive Technologies' analysis confirmed that the exploit chain requires no user interaction and can be fully automated. Attack traffic shows PhantomCore using Python-based automation frameworks to:

1. Scan for exposed TrueConf instances using common port signatures (typically TCP 443, 5060-5061)
2. Probe authentication endpoints for the first vulnerability
3. Chain the remaining exploits automatically once the probe confirms the target is vulnerable
4. Execute post-exploitation commands for reconnaissance and persistence


The group employs rotating proxy infrastructure, primarily sourced from compromised devices in Eastern European countries, making attribution and blocking challenging for network defenders.


## Organizational Impact and Risk Assessment


Organizations running TrueConf face immediate and material risk from this active, weaponized campaign. The combination of unauthenticated remote code execution and PhantomCore's demonstrated persistence capabilities creates a critical threat posture for affected systems.


Key risks include:

| Risk Category | Impact | Likelihood |
|---|---|---|
| Credential Compromise | Harvesting of authentication material stored on TrueConf servers | High |
| Lateral Movement | Using TrueConf servers as pivots to access adjacent network segments | High |
| Communications Interception | Decryption or redirection of video/voice/messaging traffic | Medium |
| Malware Deployment | Installation of persistent backdoors or data-stealing malware | High |
| Operational Disruption | Service interruption or degradation affecting business continuity | Medium |


Organizations in Russia, Eastern Europe, and any entity with Russian-based TrueConf deployments should assess their exposure immediately. While PhantomCore's stated motivations target Russian interests, compromised servers could be used as staging infrastructure for broader attacks.


## Recommendations


Immediate Actions (24-48 hours):


  • Identify all TrueConf instances in your environment, including development, test and legacy systems, and confirm which of them are reachable from the internet
  • Isolate vulnerable TrueConf servers behind additional network segmentation if immediate patching is not possible, and restrict reachability of the server's web and administrative interfaces to the networks that need them
  • Enable enhanced logging of authentication attempts, administrative actions and process creation on the server host, since the exploit chain ends in operating-system command execution
  • Review access logs for suspicious authentication patterns: bursts of failed logins spread across many source addresses, successful logins not preceded by a normal credential exchange, and administrative activity from unfamiliar sources
  • Contact TrueConf for the patch availability timeline and interim mitigation guidance
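
To make the log review concrete, the script below is an added example, not TrueConf's code and not vendor detection content. It runs three checks over authentication log lines that correspond to the campaign behaviour described in this article: failures for one account spread across many source addresses (proxy rotation), a successful login from a source that never presented credentials (a bypass that skips the login flow), and administrative actions from outside trusted address space. The page does not document TrueConf's log format, so the line format, the sample lines and the trusted network prefixes are constructed stand-ins to be adapted to the real server logs.

```python
"""Triage of authentication logs for the patterns this campaign leaves.

Added example, not TrueConf's code or vendor detection content. The line
format below is a constructed stand-in for whatever the real server
writes; adapt LINE_RE and parse_log() to the actual format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical format: "<ISO-8601 UTC> <source IP> <event> user=<name> [extra]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"(?P<ip>\S+) (?P<event>\S+) user=(?P<user>\S+)"
)

# Constructed sample (documentation address ranges): a normal internal login,
# then failures for `admin` from four external addresses within seconds,
# then a success for `admin` from a fifth address that never sent
# credentials, followed by an administrative action from that address.
SAMPLE_LOG = """\
2025-09-14T10:00:01Z 10.20.0.5 login_attempt user=alice
2025-09-14T10:00:02Z 10.20.0.5 login_success user=alice
2025-09-14T10:05:10Z 198.51.100.11 login_attempt user=admin
2025-09-14T10:05:10Z 198.51.100.11 login_failed user=admin
2025-09-14T10:05:11Z 198.51.100.12 login_attempt user=admin
2025-09-14T10:05:11Z 198.51.100.12 login_failed user=admin
2025-09-14T10:05:12Z 203.0.113.7 login_attempt user=admin
2025-09-14T10:05:12Z 203.0.113.7 login_failed user=admin
2025-09-14T10:05:13Z 203.0.113.8 login_attempt user=admin
2025-09-14T10:05:13Z 203.0.113.8 login_failed user=admin
2025-09-14T10:06:00Z 198.51.100.99 login_success user=admin
2025-09-14T10:06:05Z 198.51.100.99 admin_action user=admin cmd=export_users
"""

# Hypothetical address space from which administration is expected.
TRUSTED_PREFIXES = ("10.", "192.168.")


def parse_log(text):
    """Parses log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "ip": m["ip"],
            "event": m["event"],
            "user": m["user"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=timedelta(minutes=5), spray_threshold=3):
    """Returns a list of (finding, subject, detail) tuples.

    success_without_challenge: login_success for an (ip, user) pair with no
        login_attempt inside `window`. A bypass that skips the credential
        check looks like this; one that is accepted by the login endpoint
        itself does not, so absence of this finding is not a clean bill.
    distributed_failures: failures for one user from at least
        `spray_threshold` distinct sources inside `window` (proxy rotation).
    admin_action_from_untrusted_ip: administrative activity from outside
        TRUSTED_PREFIXES, however the session was obtained.
    """
    findings = []

    last_attempt = {}
    for e in events:
        key = (e["ip"], e["user"])
        if e["event"] == "login_attempt":
            last_attempt[key] = e["ts"]
        elif e["event"] == "login_success":
            seen = last_attempt.get(key)
            if seen is None or e["ts"] - seen > window:
                findings.append(("success_without_challenge", e["ip"], e["user"]))

    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["user"]].append(e)
    for user, evs in failures.items():
        best = 0
        for anchor in evs:  # widest set of sources in any window ending here
            ips = {x["ip"] for x in evs if anchor["ts"] - window <= x["ts"] <= anchor["ts"]}
            best = max(best, len(ips))
        if best >= spray_threshold:
            findings.append(("distributed_failures", user, best))

    for e in events:
        if e["event"] == "admin_action" and not e["ip"].startswith(TRUSTED_PREFIXES):
            findings.append(("admin_action_from_untrusted_ip", e["ip"], e["user"]))

    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Against the sample, the internal login for `alice` produces nothing, while the `admin` activity yields all three findings. The first check is the one most specific to an authentication bypass, and it only fires when the bypass produces a session without touching the login endpoint; a bypass that the login handler accepts as a valid credential exchange will look like an ordinary success, which is why the host-level process-creation logging recommended above matters as a second signal.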

Short-term Mitigations (1-2 weeks):


  • Apply all available security patches from TrueConf immediately upon release
  • Disable unnecessary services and features on TrueConf servers
  • Implement network-level protections, including Web Application Firewall (WAF) rules in front of the TrueConf web and API endpoints
  • Enforce multi-factor authentication on all TrueConf administrative accounts; note that MFA does not stop an authentication bypass that never reaches the credential check, but it limits the value of any credentials harvested from the server
  • Establish a baseline of normal TrueConf-related network traffic so that anomalies stand out during monitoring

Long-term Security Posture:


  • Evaluate whether an alternative platform with a stronger security track record better fits your risk tolerance
  • Implement zero-trust network architecture to limit lateral movement from compromised systems
  • Keep pace with vendor security bulletins and maintain a regular patch cadence
  • Conduct tabletop exercises for breach response procedures specific to communications infrastructure compromise

Organizations should treat this threat with urgency equivalent to critical infrastructure vulnerabilities. The active, automated nature of PhantomCore's campaign means unpatched systems face exploitation within days of report publication.