
Ukrainian Hackers Exploit TrueConf Bugs to Hit Russian Networks


A pro-Ukrainian hacktivist collective known as PhantomCore has been actively targeting servers running the TrueConf video conferencing platform in Russia since September 2025, according to a new security report.

The findings were published by Positive Technologies, a Russian cybersecurity firm. The report attributes a series of attacks to PhantomCore, stating the group has been using a chain of three distinct vulnerabilities to compromise susceptible systems.

When linked together in an exploit chain, these flaws allow threat actors to execute arbitrary commands remotely on a targeted server. The attacks specifically target installations of TrueConf, a video conferencing solution widely used within Russian government and corporate networks.

The Vulnerability Chain

Positive Technologies identified the specific weaknesses exploited by PhantomCore as CVE-2025-42732, CVE-2025-42733, and CVE-2025-42734. The first two vulnerabilities permit remote code execution, while the third allows attackers to bypass authentication mechanisms.

Combined, these flaws give an attacker the ability to take full control of a TrueConf server without requiring valid user credentials. Once a server is compromised, attackers can move laterally within the network to steal data or deploy additional payloads.

The security firm noted that the exploits are publicly known and that proof-of-concept code has been circulating in underground forums. This availability likely made it faster for PhantomCore to weaponize the vulnerabilities for its campaign.

Context of the Campaign

TrueConf is a domestic Russian video conferencing platform used by many state-owned enterprises and government agencies. Its popularity in Russia makes it a high-value target for politically motivated hacking groups.

PhantomCore is known for carrying out cyber operations in support of Ukraine. Their activities have included defacement, data leaks, and disruptive attacks against Russian infrastructure. The group’s motives appear to be tied to the ongoing conflict between Russia and Ukraine.

The timing of the attacks, beginning in September 2025, aligns with a broader pattern of increased cyber activity by pro-Ukrainian groups targeting Russian digital assets. These campaigns often aim to disrupt communication and erode trust in domestic technology platforms.

Recommendations and Mitigations

Positive Technologies urged administrators of TrueConf servers to apply the latest security patches immediately. The company released updates addressing these vulnerabilities prior to the public disclosure.

For organizations that cannot patch immediately, workarounds include restricting network access to the TrueConf server, enabling multi-factor authentication, and closely monitoring for unusual activity on port 443, where the service typically runs.

The report emphasized that unpatched servers remain at high risk of compromise, especially given that exploit code is already available to threat actors.
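The access-restriction and port 443 monitoring workarounds above can be checked against firewall or flow logs. The following is an added example, not code from Positive Technologies or TrueConf; the log format, the allowed networks, the burst threshold and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (constructed): networks that should be able to reach the server.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
SERVICE_PORT = 443       # port named in the article
BURST_THRESHOLD = 3      # assumption: connections per source per minute worth reviewing

# Constructed sample flow records: "timestamp src_ip dst_port action"
SAMPLE_LOG = """\
2025-09-14T08:01:05 10.20.4.17 443 ALLOW
2025-09-14T08:01:09 203.0.113.45 443 ALLOW
2025-09-14T08:01:12 203.0.113.45 443 ALLOW
2025-09-14T08:01:30 203.0.113.45 443 ALLOW
2025-09-14T08:02:02 192.168.50.8 443 ALLOW
2025-09-14T08:02:40 198.51.100.7 443 DENY
2025-09-14T08:03:00 10.20.9.2 8443 ALLOW
malformed line here
"""

def parse_records(text):
    """Yield (minute, src_ip, port, action); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, action = parts
        try:
            yield ts[:16], ipaddress.ip_address(src), int(port), action.upper()
        except ValueError:
            continue

def review(text):
    """Report outside sources that reached the service, were blocked, or burst."""
    exposed, blocked, per_minute = set(), Counter(), Counter()
    for minute, src, port, action in parse_records(text):
        outside = not any(src in net for net in ALLOWED_NETS)
        if port != SERVICE_PORT or not outside:
            continue
        if action == "ALLOW":            # the restriction is not in effect for this source
            exposed.add(str(src))
            per_minute[(str(src), minute)] += 1
        else:
            blocked[str(src)] += 1
    bursts = sorted(k for k, n in per_minute.items() if n >= BURST_THRESHOLD)
    return {"exposed": sorted(exposed), "blocked": dict(blocked), "bursts": bursts}

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Any entry under `exposed` means a source outside the allowed networks was let through to the service port, so the network restriction is not actually in place for it.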

Broader Implications

This campaign highlights the ongoing targeting of video conferencing software by state-aligned and hacktivist groups. The shift to remote work and communication during and after the pandemic made such platforms an attractive attack surface.

The incident also underscores the dual-use nature of vulnerability research. While security firms like Positive Technologies work to identify and patch flaws, the same information can be leveraged by adversaries for offensive operations before organizations update their systems.

Positive Technologies has not attributed the attacks to a specific state sponsor, but described PhantomCore as having high technical capabilities and a focused operational tempo. The group continues to be a persistent threat to Russian online infrastructure.

Looking ahead, it is likely that PhantomCore will continue to exploit known vulnerabilities in widely used Russian software. Organizations within Russia that rely on domestic platforms should expect further attempts and prioritize cybersecurity hygiene to reduce exposure.

Source: Positive Technologies
