TTPwire Vol. 1 · MITRE ATT&CK-Tagged


The Hacker News

PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks

The Hacker News · 2026-04-27

ATT&CK techniques detected

10 predictions (technique, classifier confidence, supporting excerpt)

T1505.003 Web Shell (100%)
“organization's network. Although security patches to address the issues were released by TrueConf on August 27, 2025, the first attacks aimed at TrueConf servers were detected around mid-September 2025, per Positive Technologies. In the attacks observed by the Russian securit…”

T1566.002 Spearphishing Link (93%)
“Kong, and are suspected to be accidental. - Mythic Likho, which uses phishing lures via email to deliver loaders like HuLoader, Merlin (a Mythic agent), or ReflectPulse that are designed to unpack the final payload, a backdoor called Loki that's a Mythic-compatible version …”

T1059.001 PowerShell (69%)
“PhantomCore's attack chains have also been found to use phishing lures for initial access to Russian organizations as recently as January and February 2026, using crafted ZIP or RAR archives to distribute a backdoor that can run remote commands on the host and serve arbitrary p…”

T1190 Exploit Public-Facing Application (64%)
“in some cases even deploying ransomware based on the leaked source code of Babuk and LockBit. "The group runs large-scale operations while maintaining strong stealth -- remaining invisible in victim networks for extended periods -- enabled by continual updates and evolution …”

T1204.004 Malicious Copy and Paste (40%)
“executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFix is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic. A deeper analysis of the threat actor's campai…”

T1021.001 Remote Desktop Protocol (36%)
“tasks for subsequent execution, allowing it to run commands, launch executables, and allow traffic to be proxied through the aforementioned web shell - PhantomSSCP (DLL), MacTunnelRAT (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached env…”

T1059.001 PowerShell (34%)
“tasks for subsequent execution, allowing it to run commands, launch executables, and allow traffic to be proxied through the aforementioned web shell - PhantomSSCP (DLL), MacTunnelRAT (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached env…”

T1566.002 Spearphishing Link (33%)
“executables retrieved from a remote server, install MSI files, and take screenshots. The moniker CapFix is a reference to the fact that CapDoor was first discovered in 2025, distributed using the ClickFix social engineering tactic. A deeper analysis of the threat actor's campai…”

T1204.002 Malicious File (31%)
“…bug[.]app") to distribute a fake MSI installer for Star Debug, an alternative tool to manage Starlink devices, in order to deploy the Sliver post-exploitation framework. Another website tied to the threat actor ("alphafly-drones[.]com") has used rogue drone simu…”

T1078 Valid Accounts (30%)
“tasks for subsequent execution, allowing it to run commands, launch executables, and allow traffic to be proxied through the aforementioned web shell - PhantomSSCP (DLL), MacTunnelRAT (PowerShell), PhantomProxyLite (PowerShell), for establishing a foothold in a breached env…”

Summary

A pro-Ukrainian hacktivist group called PhantomCore has been attributed to attacks actively targeting servers running TrueConf video conferencing software in Russia since September 2025. That's according to a report published by Positive Technologies, which found the threat actors to be leveraging an exploit chain comprising three vulnerabilities to execute commands remotely on susceptible