Pro-Ukrainian hackers chain three TrueConf bugs to deploy web shells and create rogue admin accounts in Russian networks (CVE chain patched August 2025)

Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After break-in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and custom backdoors MacTunnelRAT and PhantomSscp. First attacks observed mid-September 2025.

Check

Check every TrueConf Server install in your environment is patched to August 27, 2025 or later, and audit user accounts for any named 'TrueConf2' or similar.

Affected

TrueConf Server installations unpatched since August 27, 2025 - any organization that delayed the August update is exposed. Critical infrastructure, defense, and government organizations using TrueConf for offline-capable conferencing are particularly exposed because TrueConf is heavily used in those sectors.

Fix

Update TrueConf Server to the August 27, 2025 release or later. Audit local TrueConf admin accounts for unfamiliar usernames - the rogue 'TrueConf2' account is a defining indicator. Hunt server logs for PHP web shell activity and TrueConf-server outbound connections to unfamiliar domains. PhantomCore typically pivots into the broader network within days.