Cybersecurity | 2 hrs ago

PhantomCore Hackers Exploit Unpatched TrueConf Flaws to Infiltrate Russian Networks

PhantomCore exploited unpatched TrueConf Server flaws, including a critical command injection, to infiltrate Russian organizations. Patching and monitoring for TTPs are critical.

Peter Olaleru, Cybersecurity Editor | 3 min read | US


PhantomCore, a pro-Ukrainian hacktivist group, exploited three previously unpublicized vulnerabilities in TrueConf Server software, including a critical command injection flaw rated 9.8 on the CVSS scale, to gain unauthorized access to Russian networks. These infiltrations began in mid-September 2025, weeks after TrueConf released patches.

Context

Cybersecurity researchers recently identified a persistent campaign by PhantomCore targeting organizations in Russia that use TrueConf video conferencing software. Active since 2022, PhantomCore is known for politically and financially motivated operations that include data theft, network disruption, and ransomware deployment. The group consistently develops proprietary tools and techniques, enabling long periods of undetected presence within victim networks.

Key Facts

The group chained three specific vulnerabilities: BDU:2025-10114 (CVSS 7.5), BDU:2025-10115 (CVSS 7.5), and BDU:2025-10116 (CVSS 9.8). Together these flaws allowed attackers to bypass authentication and execute arbitrary commands on vulnerable TrueConf servers. Researchers noted that no public exploits were available; PhantomCore reproduced the vulnerability chain and developed its own exploits, leading to numerous successful intrusions into Russian organizations. TrueConf released patches for these issues on August 27, 2025; PhantomCore's attacks began approximately three weeks later, in mid-September 2025, against systems that had not yet been patched.

What It Means

Successful exploitation gave PhantomCore initial access, turning the compromised TrueConf server into a pivot point for broader network infiltration. The threat actors moved laterally across internal networks, dropping specialized payloads for reconnaissance, defense evasion, and credential harvesting. Tools deployed included a PHP-based web shell, a malicious TrueConf client named PhantomPxPigeon for reverse shell capabilities, and utilities like MacTunnelRat for establishing persistent SSH tunnels. In some incidents, the group created rogue administrative users, such as "TrueConf2," to maintain access. These tactics highlight a sophisticated capability to exploit enterprise collaboration tools for widespread compromise.

Mitigations

Organizations using TrueConf Server must immediately apply all available patches, specifically those released on August 27, 2025, which address BDU:2025-10114, BDU:2025-10115, and BDU:2025-10116. Implement network segmentation to limit the blast radius of a compromised server, and deploy robust endpoint detection and response (EDR) tooling to monitor for post-exploitation activity. Regularly audit user accounts for unauthorized administrative privileges, and monitor network traffic for indicators of compromise related to lateral movement or command-and-control communication. Organizations should also strengthen authentication mechanisms for all collaboration platforms. The continued activity of groups like PhantomCore underscores the ongoing need for rigorous vulnerability management and proactive threat hunting, particularly for publicly exposed services.
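The rogue "TrueConf2" administrator described above and the account-audit step in the mitigations suggest one concrete check a defender can script: compare the server's administrative accounts against an approved baseline and flag anything created after the patch release date. The script below is an added example, not TrueConf's own tooling or a format TrueConf exports; it assumes the user list has already been exported to records with `login`, `is_admin` and `created` fields (an assumed layout), and the records and the baseline are constructed for illustration.

```python
"""Audit an exported TrueConf Server user list for unexpected administrators.

Added example, not TrueConf's own tooling. The record layout (login,
is_admin, created) is an assumption; the sample records and the approved
baseline below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Patch release date stated in the advisory: admin accounts created on or
# after this date on a server that was still unpatched deserve a closer look.
PATCH_RELEASE = datetime(2025, 8, 27, tzinfo=timezone.utc)

# Constructed baseline of administrators the organization actually approved.
APPROVED_ADMINS = {"itadmin", "conf.ops"}

# Constructed export; "TrueConf2" mirrors the rogue admin naming from the report.
CONSTRUCTED_USERS = [
    {"login": "itadmin", "is_admin": True, "created": "2023-01-10T09:00:00Z"},
    {"login": "conf.ops", "is_admin": True, "created": "2024-05-02T12:30:00Z"},
    {"login": "TrueConf2", "is_admin": True, "created": "2025-09-18T03:12:44Z"},
    {"login": "jdoe", "is_admin": False, "created": "2024-11-20T08:00:00Z"},
]


@dataclass
class Finding:
    login: str
    reasons: list


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalized to UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_admins(users, approved, patch_date=PATCH_RELEASE):
    """Return a Finding for every admin account that is not in the baseline.

    Each finding lists why it was flagged so an analyst can triage quickly:
    absence from the baseline, creation after the patch date, and a login that
    mimics the product name (a naming pattern the report attributes to the group).
    """
    findings = []
    for user in users:
        if not user.get("is_admin"):
            continue  # only privileged accounts are in scope here
        login = user["login"]
        if login in approved:
            continue  # baseline admins are trusted by definition
        reasons = ["admin account not in approved baseline"]
        if parse_ts(user["created"]) >= patch_date:
            reasons.append("created on or after the patch release date")
        if login.lower().startswith("trueconf"):
            reasons.append("login mimics the product name")
        findings.append(Finding(login, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_admins(CONSTRUCTED_USERS, APPROVED_ADMINS):
        print(f"{f.login}: {'; '.join(f.reasons)}")
```

Run it against a real export by replacing `CONSTRUCTED_USERS` with the parsed server data and `APPROVED_ADMINS` with the organization's change-controlled list; any finding is a ticket to verify who created the account, and a hit on the product-name heuristic alone should still be confirmed rather than treated as proof of compromise.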
