PhantomCore Exploits Unpatched TrueConf Flaws to Breach Russian Networks Since Sept 2025

PhantomCore, a politically and financially motivated threat actor, has actively targeted Russian organizations since 2022. This group, also known as Fairy Trickster, focuses on data theft and network disruption, sometimes deploying ransomware. Their operations are known for stealth and continuous tool evolution.

Since mid-September 2025, PhantomCore has leveraged a chain of three previously unpatched vulnerabilities in TrueConf Server, a video conferencing platform. The most critical flaw, BDU:2025-10116, is a command injection vulnerability with a CVSS (Common Vulnerability Scoring System) score of 9.8. This high-severity rating indicates the flaw enables attackers to execute arbitrary operating system commands on affected servers.

Upon compromising a TrueConf Server, PhantomCore uses it as an initial access point to move laterally across internal networks. The group deploys various tools for reconnaissance, defense evasion, and credential harvesting. These include PHP-based web shells—malicious scripts that allow remote command execution and file uploads—and custom reverse shell clients like PhantomPxPigeon.

Organizations operating TrueConf Server must immediately apply all available security updates, particularly those released on August 27, 2025, addressing BDU:2025-10114, BDU:2025-10115, and BDU:2025-10116. Network segmentation for critical servers can limit lateral movement post-compromise. Implement robust endpoint detection and response (EDR) solutions to identify anomalous processes and unauthorized user creations, such as the "TrueConf2" account. Regular security audits and vulnerability scanning remain essential practices.