PhantomCore Exploits TrueConf Flaws to Target Russian Networks
A pro‑Ukrainian hacktivist collective known as PhantomCore has been conducting aggressive intrusions against Russian organizations since September 2025, focusing on servers that run TrueConf video‑conferencing software. The group’s activity was first documented by threat‑intelligence firm CyberArms in early October, after forensic analysis of a compromised enterprise deployment uncovered a novel exploit chain leveraging a command‑injection flaw in TrueConf’s administrative interface.
The vulnerability, tracked as CVE‑2025‑38471, resides in the /api/v1/system/command endpoint of TrueConf Server and Enterprise editions prior to version 9.5.2. By sending a specially crafted POST request with an OS‑level payload, the attackers achieve remote code execution without authentication. Once on the host, PhantomCore deploys a custom backdoor named ‘PhantomShell,’ which persists via a scheduled task and beacons out to a command‑and‑control (C2) domain registered in early 2025. The implant harvests credentials, SIP configuration files, and meeting metadata, exfiltrating the data over HTTPS to an IP address located at a Baltic cloud provider.
The campaign’s impact has been measured across multiple Russian ministries and a defense‑contractor network, where over 200 TrueConf instances were identified as vulnerable. Logs indicate that the group accessed internal video‑conferencing streams, captured screen‑share recordings, and moved laterally into adjacent file‑share servers using harvested SSH keys. TrueConf released an emergency patch (v9.5.2) on 15 September 2025, but researchers warn that unpatched installations remain active, especially in air‑gapped environments where automated updates are disabled.
Security teams are advised to immediately update TrueConf installations to the latest release, restrict the admin interface to trusted IP ranges, and monitor for the IOCs published in the associated advisory: SHA‑256 hashes of PhantomShell (a3f8…c7d2, b9e1…f456), C2 domains phantom‑core[.]io and core‑phnx[.]net, and the source IP 185.220.101.47 used in the initial scanning phase. Enforcing strong multi‑factor authentication on all management consoles and enabling audit logging will further hamper similar intrusion attempts.
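The following is an added illustration of the monitoring advice above, not code from the advisory or from TrueConf: it checks a server's version against the 9.5.2 fix, matches DNS names against the published C2 domains, and scans web‑server access logs for the scanning IP and for POST requests to the vulnerable endpoint from outside the trusted admin ranges. The trusted range, the common‑log‑format pattern and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
import re
# Indicators and the patched version come from the advisory text above.
VULNERABLE_ENDPOINT = "/api/v1/system/command"
PATCHED_VERSION = (9, 5, 2)
KNOWN_SCANNER_IPS = {"185.220.101.47"}
KNOWN_C2_DOMAINS = {"phantom-core.io", "core-phnx.net"}  # de-fanged brackets removed
# Assumption: this organisation's trusted admin ranges (hypothetical value).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: a common-log-format access log; adjust the pattern for your server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Constructed sample lines (not real traffic): a trusted admin call, the known
# scanner IP, and a POST to the command endpoint from an untrusted address.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [16/Sep/2025:09:12:01 +0300] "POST /api/v1/system/command HTTP/1.1" 200',
    '185.220.101.47 - - [16/Sep/2025:09:13:44 +0300] "GET / HTTP/1.1" 200',
    '203.0.113.9 - - [16/Sep/2025:09:14:10 +0300] "POST /api/v1/system/command HTTP/1.1" 200',
    '203.0.113.9 - - [16/Sep/2025:09:14:11 +0300] "GET /login HTTP/1.1" 302',
]

def version_is_patched(version):
    # Dotted version string compared numerically, so "9.5.10" counts as newer than "9.5.2".
    return tuple(int(p) for p in version.split(".")) >= PATCHED_VERSION

def ip_is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def matches_c2_domain(name):
    # DNS query name against the published C2 domains, subdomains included.
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_C2_DOMAINS)

def scan_access_log(lines):
    # One alert per line that hits the scanner IP or that POSTs to the vulnerable
    # endpoint from outside the trusted ranges (the flaw needs no authentication).
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in KNOWN_SCANNER_IPS:
            reasons.append("known-scanner-ip")
        if (m["method"] == "POST" and m["path"].split("?")[0] == VULNERABLE_ENDPOINT
                and not ip_is_trusted(m["ip"])):
            reasons.append("untrusted-post-to-command-endpoint")
        if reasons:
            alerts.append({"ip": m["ip"], "path": m["path"], "reasons": reasons})
    return alerts
```

Running `scan_access_log(SAMPLE_ACCESS_LOG)` flags the scanner IP and the untrusted POST while leaving the in-range administrative call alone; the same functions can be pointed at a real log file and DNS query export.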