thehackernews.com 4/27/2026, 12:11:49 PM

Pro-Ukrainian Hackers Exploit TrueConf Flaw to Hit Russian Servers

CyberSIXT Evidence Panel
Threat Actor
PhantomCore

Attacks on Russian servers running TrueConf video conferencing software since September 2025 have been attributed to PhantomCore, a pro‑Ukrainian hacktivist group, according to Positive Technologies. The firm reports that the threat actors leveraged an exploit chain of three vulnerabilities to execute remote commands on susceptible servers, enabling bypass of authentication and unauthorised access to networks.

The three TrueConf Server flaws are BDU:2025-10114 (CVSS 7.5), which enables unauthenticated requests to admin endpoints; BDU:2025-10115 (CVSS 7.5), which allows reading of arbitrary files; and BDU:2025-10116 (CVSS 9.8), a command‑injection flaw. TrueConf released patches addressing the issues on 27 August 2025, and the first attacks on TrueConf servers were detected around mid‑September 2025.

In observed intrusions, the compromised TrueConf Server was used as a springboard for lateral movement and to drop payloads for reconnaissance, defence evasion, and credential harvesting, including a PHP web shell capable of remote command execution. Positive Technologies notes that some intrusions involved phishing lures in January and February 2026, distributing a backdoor via crafted ZIP or RAR archives.

Article by CyberSIXT