A pro-Ukrainian hacktivist group known as PhantomCore is actively conducting cyber operations against Russian networks, specifically targeting servers running TrueConf video conferencing software. According to a detailed report by Positive Technologies, these attacks have been ongoing since September 2025 and rely on a critical exploit chain comprising three security vulnerabilities to achieve Remote Code Execution (RCE).
For defenders, this is not a theoretical risk. The TrueConf platform is widely used for enterprise communication and often sits on the network perimeter or within trusted internal zones. A successful compromise of this server grants attackers the same privileges as the service account—often System or Administrator—enabling lateral movement, data exfiltration, or ransomware deployment. This post provides the technical details needed to hunt for PhantomCore activity and harden your environment against this specific exploit chain.
Technical Analysis
Affected Products:
- TrueConf Server (Windows-based versions are the primary target for this exploit chain).
The Threat: PhantomCore leverages a chain of three vulnerabilities (an exploit chain) to bypass authentication and execute arbitrary commands remotely. While specific CVE identifiers were not fully disclosed in the initial reporting, the nature of the attack involves sending malicious requests to the TrueConf web interface or API services.
Attack Chain Breakdown:
- Initial Access: The threat actor scans for TrueConf instances exposed to the internet or internal networks.
- Exploitation: A specific sequence of requests is sent to the TrueConf application, likely leveraging deserialization or input validation flaws to bypass authentication.
- Remote Code Execution (RCE): The final vulnerability in the chain allows the attacker to execute operating-system-level commands.
- Post-Exploitation: PhantomCore has been observed establishing persistence and moving laterally from the compromised conferencing server.
Exploitation Status:
- Confirmed Active Exploitation: Yes (Positive Technologies report, Sept 2025–Present).
- Availability of Patch: Vendors typically release patches for such chains immediately. Verify you are running the latest version of TrueConf Server.
Detection & Response
Given the active exploitation of TrueConf servers, security teams must assume that unpatched instances are already compromised. The following detection logic focuses on identifying the behavioral anomalies associated with the RCE aspect of the exploit chain: a web-facing application spawning unauthorized system shells.
Sigma Rules
---
title: PhantomCore TrueConf RCE - Spawning Shell
id: 8a4b2c1d-9f3e-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects potential TrueConf RCE exploitation by identifying the TrueConf server process spawning cmd.exe or powershell.exe.
references:
- https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html
author: Security Arsenal
date: 2026/04/07
tags:
- attack.initial_access
- attack.execution
- attack.t1059.001
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: 'TrueConf'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative debugging by vendor (rare)
level: critical
---
title: PhantomCore TrueConf - Suspicious Network Outbound
id: 9b5c3d2e-0a4f-5b6c-9d7e-2f3a4b5c6d7e
status: experimental
description: Detects suspicious outbound network connections initiated by the TrueConf process, typical of C2 beacons or data exfiltration post-exploitation.
references:
- https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html
author: Security Arsenal
date: 2026/04/07
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains: 'TrueConf'
Initiated: 'true'
filter:
DestinationPort:
- 80
- 443
- 8080
condition: selection and not filter
falsepositives:
- Legitimate video conference traffic to non-standard ports (review)
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for the parent-child relationship indicative of the exploit chain. It looks for TrueConf.exe spawning a command shell, which is not standard operation for a video conferencing service.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName contains "TrueConf"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| extend AccountCustom = strcat(AccountDomain, "\\", AccountName)
| project Timestamp, DeviceName, AccountCustom, InitiatingProcessCommandLine, CommandLine, FileName, FolderPath
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for processes spawned by TrueConf that are not signed by TrueConf or are known LOLBins (Living Off The Land Binaries).
-- Hunt for TrueConf spawning suspicious child processes
SELECT Parent.ProcessName AS ParentName,
Parent.Pid AS ParentPid,
Process.Name AS ChildName,
Process.Pid AS ChildPid,
Process.CommandLine,
Process.Username
FROM pslist()
LEFT JOIN pslist() AS Parent ON Parent.Pid = Process.Ppid
WHERE ParentName =~ "TrueConf"
AND NOT ChildName =~ "TrueConf"
AND ChildName =~ "(cmd|powershell|pwsh|wscript|cscript|regsvr32|rundll32)\.exe"
Remediation Script (PowerShell)
This script checks for the presence of TrueConf services, identifies if they are running, and hunts for recent suspicious child processes. It does not stop the service automatically to avoid downtime but provides an assessment.
# TrueConf Security Assessment Script
Write-Host "[+] Checking TrueConf Services..." -ForegroundColor Cyan
$service = Get-Service -Name "TrueConf*" -ErrorAction SilentlyContinue
if ($service) {
foreach ($svc in $service) {
Write-Host "Found Service: $($svc.DisplayName) - Status: $($svc.Status)" -ForegroundColor Yellow
# Get the process ID associated with the service
$processId = (Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'").ProcessId
if ($processId) {
Write-Host "[+] Checking for suspicious child processes spawned by PID $processId..." -ForegroundColor Cyan
# Look for child processes that are shells or scripting hosts
$suspiciousChildren = Get-CimInstance Win32_Process |
Where-Object { $_.ParentProcessId -eq $processId -and
$_.Name -match '(cmd.exe|powershell.exe|pwsh.exe|wscript.exe)' }
if ($suspiciousChildren) {
Write-Host "[!] ALERT: Suspicious child process detected!" -ForegroundColor Red
$suspiciousChildren | Format-List Name, ProcessId, CommandLine, CreationDate
} else {
Write-Host "[-] No suspicious child processes found." -ForegroundColor Green
}
}
}
} else {
Write-Host "[-] TrueConf services not found on this endpoint." -ForegroundColor Gray
}
Write-Host "[+] Recommendation: Update TrueConf Server to the latest version immediately." -ForegroundColor Cyan
Write-Host "[+] Recommendation: Restrict internet access to TrueConf web interfaces." -ForegroundColor Cyan
Remediation
-
Patch Immediately: Verify the version of TrueConf Server running in your environment. Apply the latest security patches released by TrueConf to address the 3-vulnerability exploit chain. If the server is internet-facing, patching is an emergency.
-
Network Segmentation: TrueConf servers generally do not need unrestricted internet access. Restrict outbound traffic from these servers to only necessary endpoints (e.g., license validation servers or specific SIP domains) via firewall rules. Block all other outbound traffic.
-
Access Controls: Ensure the web management interface is not exposed to the public internet. Place it behind a VPN or Zero Trust Access solution with MFA.
-
Incident Response Check: If your TrueConf logs show suspicious spikes in traffic around September 2025 or later, or if the detection queries above return results, assume the server is compromised. Initiate forensic collection (memory and disk) and reset credentials for any accounts used on the server.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.