PhantomCore Exploits TrueConf Zero-Days in Russian Network Attacks
Pro-Ukrainian hacktivist group PhantomCore has been exploiting three TrueConf vulnerabilities since September 2025 to execute remote commands on Russian servers, Positive…

Executive Summary
A pro-Ukrainian hacktivist group tracked as PhantomCore has been actively exploiting a chain of three vulnerabilities in TrueConf video conferencing software to gain remote code execution on servers in Russia since at least September 2025, according to a report published by Positive Technologies. The threat actors are leveraging the exploit chain to execute arbitrary commands on susceptible TrueConf installations, likely for espionage and disruptive operations against Russian organizations. Positive Technologies did not disclose whether the vulnerabilities have been assigned CVE identifiers or whether patches are available.
Technical Analysis
Positive Technologies' report, published April 27, 2026, details that PhantomCore's attack chain combines three distinct flaws in TrueConf, a Russian-developed video conferencing platform widely used by government and enterprise entities in Russia. The researchers did not provide specific technical details about the vulnerabilities, such as CVE IDs or CVSS scores, but confirmed that the exploit chain enables remote command execution on vulnerable servers. The campaign has been ongoing since September 2025, indicating sustained access and active exploitation against Russian networks.
PhantomCore is described as a pro-Ukrainian hacktivist group, aligning with a pattern of politically motivated cyber operations targeting Russian infrastructure since the onset of the Russia-Ukraine conflict. The group's operational focus on TrueConf—a Russian-made product—suggests deliberate targeting of domestic software supply chains to maximize impact within Russian networks.
Mitigations & Recommendations
Organizations running TrueConf video conferencing software should immediately isolate affected servers from the internet and restrict network access to trusted IP ranges only. Positive Technologies has not confirmed whether TrueConf has released patches; defenders should contact TrueConf support for mitigation guidance. In the absence of vendor patches, network segmentation, application whitelisting, and monitoring for anomalous process execution or outbound connections from TrueConf servers are recommended. Organizations outside Russia using TrueConf should also assess exposure, as the vulnerabilities may affect all deployments.
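The monitoring advice above (anomalous process execution and outbound connections from TrueConf servers) can be turned into a simple detection pass. The following is an added example, not code from the Positive Technologies report or from TrueConf: it scans constructed process-creation and network-connection events, alerts when the conferencing server process spawns a shell or scripting interpreter, and alerts on outbound connections from that process to anything outside a trusted range. The process name `trueconf_server_placeholder`, the trusted IP ranges and the sample events are all assumptions; substitute the real service binary name and your own network ranges.

```python
"""Added example (not from the report or the vendor): flag suspicious child
processes and untrusted outbound connections originating from a TrueConf
server process. All names, ranges and events below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the TrueConf server service runs under this process name.
# Placeholder only; replace with the actual binary name from your deployment.
TRUECONF_PROCESSES = {"trueconf_server_placeholder"}

# Shells and interpreters a video conferencing server has no reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "python", "certutil.exe"}

# Constructed allowlist of trusted ranges (your own networks); everything else is flagged.
TRUSTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    child: str    # image name of the spawned process
    cmdline: str  # command line of the spawned process


@dataclass
class ConnEvent:
    process: str  # image name of the process that opened the connection
    dst_ip: str
    dst_port: int


def check_process(ev: ProcessEvent) -> Optional[str]:
    """Alert when the TrueConf server process spawns a shell or interpreter."""
    if ev.parent.lower() in TRUECONF_PROCESSES and ev.child.lower() in SUSPICIOUS_CHILDREN:
        return f"suspicious child {ev.child} spawned by {ev.parent}: {ev.cmdline}"
    return None


def check_connection(ev: ConnEvent) -> Optional[str]:
    """Alert on outbound connections from the TrueConf process to untrusted ranges."""
    if ev.process.lower() not in TRUECONF_PROCESSES:
        return None
    ip = ipaddress.ip_address(ev.dst_ip)
    if any(ip in net for net in TRUSTED_RANGES):
        return None
    return f"outbound connection from {ev.process} to untrusted {ev.dst_ip}:{ev.dst_port}"


def scan(process_events: List[ProcessEvent], conn_events: List[ConnEvent]) -> List[str]:
    """Run both checks over a batch of events and collect the alerts."""
    alerts = []
    for pev in process_events:
        alert = check_process(pev)
        if alert:
            alerts.append(alert)
    for cev in conn_events:
        alert = check_connection(cev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign and one suspicious event of each kind,
# plus events from unrelated processes that must not trigger.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("trueconf_server_placeholder", "ffmpeg", "ffmpeg -i stream.raw"),
    ProcessEvent("trueconf_server_placeholder", "cmd.exe", "cmd.exe /c echo test"),
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe"),
]
SAMPLE_CONN_EVENTS = [
    ConnEvent("trueconf_server_placeholder", "10.1.2.3", 443),
    ConnEvent("trueconf_server_placeholder", "203.0.113.5", 443),  # TEST-NET-3 documentation address
    ConnEvent("chrome.exe", "203.0.113.5", 443),
]


def run_sample() -> List[str]:
    """Scan the constructed sample; returns two alerts (one process, one connection)."""
    return scan(SAMPLE_PROCESS_EVENTS, SAMPLE_CONN_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In practice the events would come from your EDR or Sysmon-style process and network telemetry rather than an inline list, and the trusted ranges should match the IP restriction applied at the firewall so that both controls agree on what "trusted" means.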

