PhantomCore Targets Russian Video Conferencing Infrastructure
A pro-Ukrainian hacktivist group known as PhantomCore has been actively targeting servers running TrueConf, a widely used Russian-developed video conferencing platform, since at least September 2025. The campaign was documented and attributed by Positive Technologies, which published a detailed threat intelligence report outlining the group's tooling, tactics, and victims.
The attacks exploit vulnerabilities in TrueConf's client and server software, including CVE-2026-3502 (classified as CWE-494, Download of Code Without Integrity Check), to deliver custom malware to Russian organizations across multiple sectors.
Attack Campaign Overview
| Attribute | Value |
|---|---|
| Threat Actor | PhantomCore |
| Attribution | Pro-Ukrainian hacktivist group |
| Campaign Start | September 2025 |
| Primary Target | TrueConf video conferencing servers in Russia |
| Key CVE | CVE-2026-3502 — Download of code without integrity check (CWE-494) |
| Documented By | Positive Technologies |
| Victims | Russian organizations across government and enterprise sectors |
How PhantomCore Exploits TrueConf
CVE-2026-3502: Software Update Without Integrity Verification
The primary exploitation vector involves CVE-2026-3502, a vulnerability in the TrueConf client's software update mechanism. The flaw allows an attacker who can interpose on, or compromise, the path between the client and its update source to serve a malicious update package that the client accepts without any integrity verification failure.
When a TrueConf client checks for updates, the application downloads and executes the update payload without cryptographically verifying its authenticity. A hash or version listing delivered over the same channel as the package adds nothing, because whoever controls the channel also controls that listing; only a signature checked against a key already pinned in the client would stop substitution. PhantomCore leverages this to replace legitimate updates with malware-laced packages.
Delivery Chain
1. PhantomCore positions itself in the update delivery path
(via compromised infrastructure, DNS manipulation, or server-side access)
2. Malicious TrueConf update package served to client
3. Client downloads and executes the package without integrity checks
4. Custom PhantomCore malware payload installs on target system
5. Malware establishes persistence and exfiltrates data from the targeted organization
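The delivery chain above turns on one client-side decision: whether the update is installed before or after its origin has been verified. The following is an added example written for this page, not TrueConf code, that puts the vulnerable pattern (CWE-494) beside a hardened one. The server, manifest layout and "install" step are stand-ins; the manifest "signature" is HMAC-SHA256 under a key assumed to be held only by the publisher, standing in for an asymmetric signature (for instance Ed25519) that a real client verifies with a pinned public key and that an attacker on the path cannot forge.

```python
"""
Toy update client: the vulnerable pattern (run what the channel serves)
beside a hardened one (signed manifest, pinned key, monotonic version,
payload bound to the manifest by hash).

Constructed example, not TrueConf code. PUBLISHER_KEY is hypothetical and,
being an HMAC key, stands in for the publisher's private signing key; in a
real client only the public verification key is pinned.
"""
import hashlib
import hmac
import json

PUBLISHER_KEY = b"hypothetical-publisher-signing-key"  # never on a real client


class UpdateServer:
    """Whatever answers on the update path: the vendor, or an attacker in the middle."""

    def __init__(self, version, payload, signing_key=None):
        self.payload = payload
        self.manifest = {"version": version,
                         "sha256": hashlib.sha256(payload).hexdigest()}
        body = json.dumps(self.manifest, sort_keys=True).encode()
        # Only the publisher can sign; an interloper can hash but serves no valid signature.
        self.signature = (hmac.new(signing_key, body, hashlib.sha256).hexdigest()
                          if signing_key else "")

    def fetch(self):
        return self.manifest, self.signature, self.payload


def unsafe_update(server, installed_version):
    """Vulnerable pattern: install whatever the channel serves.

    Comparing the payload against the manifest hash is no defence: the
    manifest travelled over the same untrusted path, so the attacker simply
    writes a hash that matches the backdoored file. installed_version is
    ignored, so an old signed release with a known bug can be replayed too.
    """
    manifest, _sig, payload = server.fetch()
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "rejected: hash mismatch"
    return "installed: " + payload.decode()


def safe_update(server, installed_version, verify_key=PUBLISHER_KEY):
    """Hardened pattern. Order matters: nothing from the channel is trusted
    until the manifest signature verifies against the pinned key."""
    manifest, sig, payload = server.fetch()
    # A real client verifies the exact manifest bytes it received; re-serialising
    # canonically is fine here because the server used the same encoding.
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(verify_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: manifest signature invalid"
    if manifest["version"] <= installed_version:
        return "rejected: downgrade or replay of an old signed release"
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return "rejected: payload does not match signed manifest"
    return "installed: " + payload.decode()


def demo(installed_version=2):
    """Run both clients against a genuine server, an interloper, and a replayed old release."""
    vendor = UpdateServer(3, b"legit-3.0", PUBLISHER_KEY)
    interloper = UpdateServer(3, b"backdoor", signing_key=None)            # on-path attacker
    old_release = UpdateServer(1, b"legit-1.0-with-known-bug", PUBLISHER_KEY)  # replay
    return {
        ("unsafe", "vendor"): unsafe_update(vendor, installed_version),
        ("unsafe", "interloper"): unsafe_update(interloper, installed_version),
        ("unsafe", "replay"): unsafe_update(old_release, installed_version),
        ("safe", "vendor"): safe_update(vendor, installed_version),
        ("safe", "interloper"): safe_update(interloper, installed_version),
        ("safe", "replay"): safe_update(old_release, installed_version),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The hardened client still depends on where the signing key lives: if it sits on the same update server that step 1 of the chain assumes can be compromised, a server-side attacker signs the backdoor legitimately. Keep signing offline or in an HSM, and keep the version check, since an attacker who cannot forge a signature can still replay an old, genuinely signed build with a known hole.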
PhantomCore Threat Actor Profile
PhantomCore is a hacktivist collective that has aligned itself with Ukrainian interests since the beginning of the Russia-Ukraine conflict. Unlike financially motivated threat actors, PhantomCore's operations are primarily focused on:
- Intelligence collection — exfiltrating sensitive data from Russian government and enterprise targets
- Disruption — interfering with communications infrastructure
- Psychological operations — demonstrating Russia's vulnerability to cyber intrusion
Positive Technologies analysts note that PhantomCore demonstrates above-average technical capability for a hacktivist group, suggesting possible overlap with or support from state-affiliated elements, though no formal state attribution has been confirmed.
Why TrueConf?
TrueConf is one of Russia's most widely deployed domestic video conferencing solutions, actively promoted as a sovereign alternative to Western platforms like Zoom and Microsoft Teams following sanctions and the departure of Western tech vendors from the Russian market post-2022. This makes TrueConf infrastructure a high-value target:
- Deployed across government ministries, military-adjacent enterprises, and critical infrastructure
- High network privilege — video conferencing servers often operate with elevated trust within corporate networks
- A single compromised server can expose meetings, credentials, and internal communications
Malware Capabilities
While Positive Technologies' report did not disclose all technical specifics of PhantomCore's implants, the documented capabilities include:
- Persistent backdoor installation — surviving reboots via Windows service registration or scheduled task persistence
- Credential harvesting — extracting stored credentials from the TrueConf server and adjacent systems
- Lateral movement — using harvested credentials to pivot to other network resources
- Data exfiltration — copying internal meeting recordings, contact directories, and configuration data
Recommendations for TrueConf Deployments
Organizations running TrueConf — particularly those outside Russia that may be using TrueConf for cross-border communications with Russian entities — should consider the following:
- Update to the latest TrueConf server and client versions — ensure all patches addressing CVE-2026-3502 and related vulnerabilities are applied
- Audit software update channels — verify that TrueConf update traffic is routed through authenticated, integrity-verified channels
- Monitor for anomalous TrueConf server behavior — unexpected outbound connections or new scheduled tasks may indicate compromise
- Isolate TrueConf servers from sensitive internal networks — limit the blast radius if a TrueConf server is compromised
- Review TrueConf access logs — look for unusual client connections or update request patterns since September 2025
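The second and last recommendations above, auditing the update channel and reviewing logs for unusual update request patterns, can be scripted against proxy or access logs. The following is an added example, not TrueConf tooling: it runs three checks over constructed egress-proxy log lines in a hypothetical format. The allowlisted update host, the `.example` domains, the source addresses and the "looks like an update" heuristic are all assumptions to be replaced with the organization's own.

```python
"""
Audit constructed proxy log lines for update-channel anomalies:
  1. update-style downloads from a host that is not the approved update source
     (lookalike domains, raw IPs), which is how a redirected update path shows up;
  2. update fetches over cleartext HTTP, which an on-path attacker can rewrite;
  3. the same update artifact served with different sizes to different clients,
     a sign of selective substitution on the server side.

Added example; the log format, host names and heuristics are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical: the only host clients are expected to pull updates from.
ALLOWED_UPDATE_HOSTS = {"update.trueconf.example"}

# Constructed sample log (timestamp, client IP, method, URL, status, bytes).
SAMPLE_LOG = """\
2025-09-14T09:02:11Z 10.0.12.5 GET https://update.trueconf.example/client/setup.exe 200 1203441
2025-09-14T09:02:15Z 10.0.12.9 GET https://update.trueconf.example/client/setup.exe 200 1203441
2025-09-14T09:03:40Z 10.0.12.31 GET http://update.trueconf.example/client/setup.exe 200 1337000
2025-09-14T09:05:02Z 10.0.12.17 GET https://updates-trueconf.example/client/setup.exe 200 1337000
2025-09-14T09:06:19Z 10.0.12.5 GET https://cdn.example/static/logo.png 200 4096
this line is malformed and must not crash the audit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        u = urlsplit(rec["url"])
        rec["scheme"], rec["host"], rec["path"] = u.scheme, (u.hostname or "").lower(), u.path
        rec["bytes"] = int(rec["bytes"])
        yield rec


def looks_like_update(rec):
    """Heuristic (assumption): vendor-branded or update-named host, or an installer path."""
    return ("trueconf" in rec["host"] or "update" in rec["host"]
            or rec["path"].lower().endswith((".exe", ".msi")))


def audit(log_text, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    findings = []
    sizes_by_path = defaultdict(set)
    for rec in parse(log_text):
        if not looks_like_update(rec):
            continue
        if rec["host"] not in allowed_hosts:
            findings.append(("unapproved_update_host", rec["src"], rec["host"]))
            continue
        if rec["scheme"] != "https":
            findings.append(("cleartext_update_fetch", rec["src"], rec["url"]))
        if rec["status"] == "200":
            sizes_by_path[rec["path"]].add(rec["bytes"])
    for path, seen in sorted(sizes_by_path.items()):
        if len(seen) > 1:
            findings.append(("inconsistent_artifact_size", path, tuple(sorted(seen))))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Run it over a window starting in September 2025, the campaign start the report gives, and treat any `unapproved_update_host` hit as a lead to pivot on: the same client host's subsequent new scheduled tasks, services, and outbound connections are what the monitoring recommendation above is looking for. The size check is deliberately coarse; where the vendor publishes artifact hashes out of band, compare those instead.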
Broader Geopolitical Context
This campaign is part of a wider pattern of cyber operations conducted by both state-sponsored and hacktivist groups as an extension of the Russia-Ukraine conflict. Pro-Ukrainian groups like PhantomCore increasingly target Russian domestic technology infrastructure — software that replaced Western tools following sanctions — recognizing that these newer, less-mature platforms often carry unpatched vulnerabilities and lack the security investment of established Western vendors.
Key Takeaways
- PhantomCore, a pro-Ukrainian hacktivist group, has been targeting TrueConf video conferencing servers in Russia since September 2025
- The campaign exploits CVE-2026-3502 — a software update integrity check bypass — to deliver custom malware to Russian organizations
- Positive Technologies documented and attributed the campaign; the group demonstrates above-average technical sophistication for a hacktivist collective
- TrueConf's status as a sovereign platform promoted to replace Western video conferencing tools makes it a high-value espionage and disruption target
- Organizations using TrueConf should update immediately and audit their update delivery infrastructure