In recent developments, a pro-Ukrainian hacktivist coalition known as PhantomCore has been implicated in systematic cyberattacks specifically targeting servers running TrueConf’s video conferencing software in Russia. According to a report by Positive Technologies, this assault on Russian networks has been ongoing since September 2025, and it showcases the sophisticated methodology employed by this group.
Researchers Daniil Grigoryan and Georgy Khandozhko noted that PhantomCore has crafted an elaborate exploit chain made up of three distinct vulnerabilities. These vulnerabilities enable the attackers to execute commands remotely on the compromised servers. Remarkably, even though these exploits were not available in the public domain, PhantomCore succeeded in researching and reproducing the vulnerabilities. This led to extensive operational success within various Russian organizations.
The moniker PhantomCore encompasses several aliases, including Fairy Trickster, Head Mare, Rainbow Hyena, and UNG0901. This group has been active since 2022, primarily motivated by political and financial goals amid the backdrop of the Russo-Ukrainian conflict. The types of operations carried out by PhantomCore vary, ranging from stealing sensitive data to disrupting networks, often deploying ransomware derived from the leaked codebases of Babuk and LockBit.
Moreover, Positive Technologies indicated that PhantomCore is characterized by its large-scale and highly stealthy operations. The group excels at remaining undetected within victim networks for extended periods, thanks in part to its continuous evolution and refinement of proprietary offensive tools.
The vulnerabilities exploited within the TrueConf servers have specific identifiers. BDU:2025-10114 is an insufficient access control flaw that allows unauthorized requests to administrative endpoints. BDU:2025-10115 permits attackers to read arbitrary files on the system, and BDU:2025-10116 is a command injection flaw that allows attackers to execute arbitrary operating system commands.
These vulnerabilities, which together open the path into the internal networks of targeted organizations, were addressed by security patches released by TrueConf on August 27, 2025. Nevertheless, the first attacks leveraging them were detected just weeks later, in mid-September. The breach of the TrueConf Server environment gave PhantomCore a point of entry for lateral movement within organizational networks and for deploying various malicious payloads. These payloads supported reconnaissance, defense evasion, and credential harvesting, while communication channels were established through tunneling utilities.
Reports suggest that at least one successful attack led to the deployment of a PHP-based web shell on the compromised servers. This shell facilitated file uploads and remote command execution, alongside a proxy server that disguised malicious requests as legitimate server traffic.
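The report describes the intrusion at the level of vulnerability classes (unauthenticated access to administrative endpoints, arbitrary file read, OS command injection) and a PHP web shell that accepted uploads. The following is an added, defender-side example, not code from the report or from Positive Technologies: a small access-log scanner that flags requests matching each of those classes plus the upload of a PHP script. The log line format, the `/admin/` prefix for administrative endpoints, and the sample log lines are constructed assumptions for the demo and do not describe TrueConf Server's real paths.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the demo (not taken from the report).
# Format: <client-ip> <authenticated-user-or-dash> "<METHOD> <PATH>" <status>
SAMPLE_LOG = [
    '10.0.0.5 - "GET /index.html" 200',
    '10.0.0.9 - "GET /admin/settings?x=1" 200',
    '10.0.0.9 admin "GET /admin/settings?x=1" 200',
    '10.0.0.9 - "GET /files/get?name=..%2F..%2Fetc%2Fpasswd" 200',
    '10.0.0.9 - "GET /run?cmd=ping%3Bid" 200',
    '10.0.0.9 - "POST /upload?file=shell.php" 200',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
ADMIN_PREFIX = "/admin/"        # assumption: admin endpoints live under this prefix
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # "../" or "..\" inside a parameter
SHELL_META_RE = re.compile(r'[;|`]|\$\(')        # command separators / substitution
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml)$', re.IGNORECASE)


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return the finding labels that apply to one parsed log entry."""
    findings = []
    path, _, query = decode(entry["path"]).partition("?")
    # Parameter values only; '&' is a legitimate separator, so it is not a metachar here.
    values = [v for _, _, v in (p.partition("=") for p in query.split("&") if p)]
    status = int(entry["status"])

    # Admin endpoint served successfully with no authenticated user recorded.
    if path.startswith(ADMIN_PREFIX) and entry["user"] == "-" and 200 <= status < 300:
        findings.append("unauthenticated-admin")
    # Directory traversal in the path or in any parameter (arbitrary file read).
    if TRAVERSAL_RE.search(path) or any(TRAVERSAL_RE.search(v) for v in values):
        findings.append("path-traversal")
    # Shell metacharacters inside a parameter (command injection attempt).
    if any(SHELL_META_RE.search(v) for v in values):
        findings.append("shell-metachar")
    # A POST whose parameter names a server-side script (web shell upload).
    if entry["method"] == "POST" and any(SCRIPT_EXT_RE.search(v) for v in values):
        findings.append("script-upload")
    return findings


def scan_access_log(lines):
    """Return (client-ip, raw request path, finding) tuples for every hit."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:          # skip malformed lines rather than crash
            continue
        for finding in classify(entry):
            hits.append((entry["ip"], entry["path"], finding))
    return hits


if __name__ == "__main__":
    for ip, path, finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding:22s} {ip:10s} {path}")
```

Each rule is deliberately narrow so that it can be tuned against a real log format; the decoding loop exists because a single `unquote` would miss double-encoded traversal sequences. On a real deployment the more reliable control is the vendor patch itself, with this kind of scan serving to find requests that arrived before the patch was applied.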
A range of tools was reportedly utilized in these cyberattacks. Notably, PhantomPxPigeon, a rogue TrueConf client, allowed attackers to run commands and execute remote tasks effectively. Other tools included PhantomSscp for Command and Control (C2) capabilities, MacTunnelRat, and PhantomProxyLite for establishing secure footholds within breached environments. Additionally, reconnaissance tools like ADRecon were employed alongside credential harvesting utilities like DumpIt and MemProcFS.
PhantomCore’s tactics have also evolved; for instance, they have deployed phishing campaigns using crafted ZIP or RAR archives that serve to deliver backdoors executing remote commands. This indicates a shift in their initial access strategies, staying attuned to the risks and security measures within Russian organizations.
In terms of the broader cyber threat landscape in Russia, PhantomCore isn't alone. The report identified other active hacking groups that have intensified their attacks, notably against government and corporate entities. CapFIX is one such financially motivated group, accused of conducting phishing campaigns in January and February 2026 that deployed a backdoor called CapDoor, capable of executing various commands and retrieving sensitive data.
Security experts have observed a surge in phishing within the context of these cyber warfare dynamics. Groups such as Geo Likho and Mythic Likho have used email phishing campaigns against critical sectors like aviation and shipping. These groups have also demonstrated an ability to evolve their tactics, for example by using utilities to distribute malware while masquerading as official communication from government agencies.
Ultimately, the implications of these ongoing cyber conflicts are extensive, as the threat landscape continues to evolve rapidly. The fragmented yet potent approach taken by PhantomCore and its contemporaries illustrates how diverse techniques and technologies are being harnessed to pursue wartime objectives through digital means. The ramifications for both the cybersecurity posture of Russian organizations and the broader geopolitical climate warrant close attention as these developments unfold.