PhantomCore Unmasked: The Stealthy Hacktivist Collective Weaponizing Russian Software Flaws
A pro-Ukrainian hacking group has breached Russian networks by exploiting undisclosed flaws in TrueConf, exposing the vulnerabilities of domestic software under cyber siege.
When Russian organizations fired up their TrueConf video conferencing servers this past autumn, few suspected their conversations could become the frontlines of a covert cyberwar. But in September 2025, a shadowy group known as PhantomCore - also called Fairy Trickster and Rainbow Hyena - quietly slipped through the digital cracks, weaponizing three hidden vulnerabilities to infiltrate Russian networks with surgical precision.
According to a detailed report by Positive Technologies, PhantomCore’s operation was no opportunistic smash-and-grab. Instead, the group meticulously reverse-engineered and chained three flaws in TrueConf’s server software - none with public exploits at the time. The three vulnerabilities were weak access controls (allowing unauthorized administrative actions), an arbitrary file read, and a critical command injection bug (CVSS 9.8) that let attackers run system commands remotely.
With these keys in hand, PhantomCore bypassed authentication and commandeered TrueConf servers, using them as beachheads to push deeper into victim networks. Once inside, the attackers deployed a sophisticated suite of malware: PHP web shells for remote command execution, proxy servers to mask malicious traffic, and custom payloads like PhantomPxPigeon - a doctored TrueConf client capable of reverse shells and task execution. Lateral movement relied on tools such as Windows Remote Management and RDP, while credential harvesting used scripts targeting backup solutions and memory dumps.
PhantomCore’s attacks didn’t stop at technical exploits. Social engineering played a role, with phishing campaigns delivering booby-trapped ZIP and RAR files to Russian organizations as recently as early 2026. The endgame: persistent backdoors, data theft, and, in some cases, ransomware deployment using code borrowed from notorious gangs like Babuk and LockBit.
This wave of attacks is part of a broader pattern. Alongside PhantomCore, groups like CapFIX, Geo Likho, and an array of “Werewolf” factions are launching coordinated campaigns against Russian targets - from aviation to industrial sectors. Their methods range from phishing and malicious Telegram channels to fake websites distributing trojans and AI-generated hacking tools. Despite the shared geopolitical focus, investigators have found little evidence of direct coordination - suggesting parallel, but independent, campaigns fueled by the ongoing Russo-Ukrainian conflict.
The PhantomCore saga is a stark warning: even “domestic” software is no safe haven in a hyperconnected world of cyber conflict. As hacktivist and criminal groups continue to evolve, Russian organizations - and those worldwide - face an increasingly complex threat landscape where stealth, speed, and technical ingenuity decide who wins the next digital battle.
WIKICROOK
- Exploit Chain: An exploit chain is a series of linked vulnerabilities that attackers use together to breach a system, bypassing security through multiple steps.
- Command Injection: Command injection is a vulnerability in which untrusted input reaches a system command without proper validation or escaping, letting an attacker run commands of their own choosing on the affected host.
- Reverse Shell: A reverse shell is a connection that a compromised computer opens outbound to an attacker-controlled host, giving the attacker remote control; because the connection originates from inside the network, it often slips past defenses that only block inbound traffic.
- Lateral Movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.