Full Report
A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible
Analysis Summary
# Incident Report: PhantomCore Exploitation of TrueConf Vulnerabilities
## Executive Summary
A pro-Ukrainian hacktivist group known as PhantomCore (aka Head Mare) has been actively targeting Russian organizations by exploiting a chain of three vulnerabilities in TrueConf video conferencing software. Since September 2025, the group has successfully bypassed authentication to execute remote commands, move laterally through networks, and deploy custom backdoors and credential-harvesting tools. The campaign demonstrates high technical sophistication, as the group independently developed an exploit chain for which no public proof-of-concept exists.
## Incident Details
- **Discovery Date:** September 2025
- **Incident Date:** Ongoing since September 2025 (Initial software patches released August 27, 2025)
- **Affected Organization:** Multiple undisclosed Russian organizations
- **Sector:** Various (Large-scale targeting)
- **Geography:** Russia
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-September 2025
- **Vector:** Exploitation of TrueConf Server vulnerabilities.
- **Details:** Attackers leveraged a chain of three zero-day/n-day vulnerabilities: BDU:2025-10114 (Authentication Bypass), BDU:2025-10115 (Arbitrary File Read), and BDU:2025-10116 (Command Injection) to gain remote code execution (RCE).
### Lateral Movement
- **Details:** Following the compromise of the TrueConf server, the group used it as a "springboard." They utilized tunneling utilities (PhantomProxyLite, MacTunnelRat) and reverse SSH tunnels to navigate the internal network.
### Data Exfiltration/Impact
- **Details:** Large-scale theft of sensitive data and deployment of disruptive payloads. In some instances, the group has been known to deploy ransomware based on Babuk and LockBit source code to disrupt target operations.
### Detection & Response
- **How it was discovered:** Research and threat hunting conducted by Positive Technologies (PT ESC).
- **Response actions taken:** TrueConf released patches on August 27, 2025; however, many organizations failed to update before the September attacks began.
## Attack Methodology
- **Initial Access:** Exploit chain targeting TrueConf administrative endpoints (/admin/*).
- **Persistence:** Implementation of reverse shells (PhantomPxPigeon) and reverse SSH tunnels via PowerShell and DLLs.
- **Privilege Escalation:** Command injection via BDU:2025-10116.
- **Defense Evasion:** Use of PHP-based proxy files to disguise malicious traffic as legitimate server requests and continual updates to in-house offensive tools.
- **Credential Access:** Utilization of "Veeam-Get-Creds" (modified PowerShell script) to harvest credentials.
- **Discovery:** ADRecon for Active Directory reconnaissance.
- **Lateral Movement:** Tunneling via PhantomProxyLite and MacTunnelRat.
- **Collection:** Automated sensitive data identification and collection.
- **Exfiltration:** Communication through established reverse shells and tunnels.
- **Impact:** System disruption, data theft, and potential ransomware deployment.
## Impact Assessment
- **Financial:** Potential major impact due to ransomware and operational downtime.
- **Data Breach:** Extensive; targets sensitive organizational data.
- **Operational:** Critical; disruption of video conferencing services and internal network availability.
- **Reputational:** High; demonstrates vulnerability in widely used Russian domestic software.
## Indicators of Compromise
- **Network indicators:**
  - Unauthorized access requests to `/admin/*` endpoints.
  - Reverse SSH tunnel traffic to external C2.
- **File indicators:**
  - `PhantomPxPigeon` (Malicious TrueConf client)
  - `PhantomSscp` (DLL)
  - `MacTunnelRat` (PowerShell)
  - `ADRecon.ps1`
- **Behavioral indicators:**
  - Deployment of PHP web shells on video conferencing servers.
  - Execution of `Veeam-Get-Creds` scripts.
## Response Actions
- **Containment:** Isolation of affected TrueConf servers from the internal network.
- **Eradication:** Patching TrueConf software to the latest version; removal of malicious PHP shells and internal tunnels.
- **Recovery:** Restoration of services from clean backups and mandatory credential resets for all harvested accounts (notably Veeam).
## Lessons Learned
- **Patch Management:** Organizations failed to apply critical patches within the three-week window between the patch release (August 27) and the start of the campaign (mid-September).
- **In-House Exploitation:** Hacktivist groups are moving beyond simple DDoS and public exploits to performing independent vulnerability research and exploit development.
## Recommendations
- **Immediate Patching:** Ensure TrueConf Server is updated to address BDU:2025-10114, 10115, and 10116.
- **Network Segmentation:** Isolate video conferencing servers in a DMZ to prevent them from being used as lateral movement springboards.
- **Monitoring:** Implement logging and alerts for suspicious PowerShell execution and unauthorized access attempts to administrative web directories.
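The two detections the Indicators of Compromise and Monitoring sections call for (admin endpoints reached from outside the management network, and POSTs to PHP files that may be a dropped proxy/web shell) can be checked against a server's access log. The script below is an added example, not code from the Positive Technologies report or from TrueConf; it assumes Common Log Format lines, a constructed `10.0.5.0/24` management network as the only legitimate source of `/admin/*` traffic, and constructed sample log lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format); not real TrueConf logs.
SAMPLE_LOG = """\
10.0.5.20 - - [15/Sep/2025:09:01:12 +0300] "GET /admin/ HTTP/1.1" 200 5120
203.0.113.45 - - [15/Sep/2025:09:03:44 +0300] "GET /admin/settings HTTP/1.1" 200 2048
203.0.113.45 - - [15/Sep/2025:09:03:45 +0300] "GET /admin/export HTTP/1.1" 200 90112
203.0.113.45 - - [15/Sep/2025:09:05:10 +0300] "POST /upload/proxy.php HTTP/1.1" 200 64
10.0.5.20 - - [15/Sep/2025:09:10:00 +0300] "GET /c/conf123 HTTP/1.1" 200 1024
198.51.100.7 - - [15/Sep/2025:09:12:30 +0300] "POST /upload/proxy.php HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed management network: the only sources that should ever reach /admin/*.
ADMIN_ALLOWLIST = [ip_network("10.0.5.0/24")]


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed_admin_source(ip):
    return any(ip_address(ip) in net for net in ADMIN_ALLOWLIST)


def analyze(log_text):
    """Return a list of (finding_type, ...) tuples for the suspicious patterns."""
    findings = []
    php_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        # (1) /admin/* answered with 2xx to a source outside the management
        #     network: the pattern an authentication bypass would leave behind.
        if (rec["path"].startswith("/admin/") and rec["status"].startswith("2")
                and not is_allowed_admin_source(rec["ip"])):
            findings.append(("admin_from_untrusted_source", rec["ip"], rec["path"]))
        # (2) POSTs to a .php file outside the admin tree: candidate dropped
        #     proxy/web shell, to be compared against the known application files.
        if rec["method"] == "POST" and rec["path"].lower().endswith(".php") \
                and not rec["path"].startswith("/admin/"):
            php_posts[rec["path"]] += 1
    for path, n in php_posts.items():
        findings.append(("php_post_target", path, n))
    return findings
```

Every `admin_from_untrusted_source` hit should be reconciled against the change record for the admin allowlist; a `php_post_target` path that is not part of the installed TrueConf release is the file to pull for analysis.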