PhantomCore TrueConf server targeting campaign in Russia
Campaign
Summary
PhantomCore is running an active campaign against TrueConf servers in Russia, and successful intrusions can give attackers a foothold for deeper network access. The group is exploiting a three-vulnerability chain that can bypass authentication, read arbitrary files, and execute remote commands. Even after TrueConf patches on August 27, 2025, the resulting compromises have enabled lateral movement, web shells, and credential harvesting.
Related Happenings
HeartlessSoul phishing and malvertising espionage campaign targeting aerospace firms and drone operators
Campaign
First: 11.05.2026 15:00
Last: 11.05.2026 15:00
Sources 1
About this happening:
The **HeartlessSoul** operation is using **phishing** and **malvertising** to target **aerospace firms and drone operators**, raising the risk of **geospatial data theft** from co...
TrueConf Server exploit chain (multiple vulnerabilities)
Vulnerability
First: 27.04.2026 14:54
Last: 27.04.2026 14:54
Sources 1
How related:
The TrueConf Server vulnerabilities exploited in the attacks are listed below:
- BDU:2025-10114 (CVSS score: 7.5): An insufficient access control vulnerability that could allow an attacker to make requests to certain administrative endpoints (/admin/*) without authentication.
- BDU:2025-10115 (CVSS score: 7.5): A vulnerability that could allow an attacker to read arbitrary files on the system.
- BDU-2025-10116 (CVSS score: 9.8): A command injection vulnerability that could allow an attacker to execute arbitrary operating system commands.
About this happening:
**TrueConf Server** is exposed by a three-flaw exploit chain that enabled **unauthenticated admin access**, **arbitrary file read**, and **remote command execution** on susceptibl...
TrueChaos TrueConf CVE-2026-3502 campaign targeting Southeast Asian government entities
Campaign
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
The **TrueChaos** campaign has been exploiting **CVE-2026-3502** in **TrueConf** zero-day attacks against **government entities in Southeast Asia**, turning compromised servers in...
TrueConf update integrity flaw actively exploited (CVE-2026-3502)
Vulnerability
First: 02.04.2026 00:35
Last: 02.04.2026 00:35
Sources 1
About this happening:
**CVE-2026-3502** is an **actively exploited TrueConf** update-integrity flaw that lets attackers replace legitimate updates with malicious executables and trigger **arbitrary fil...
Russian-speaking hacker AI-assisted FortiGate breach campaign
Campaign
First: 21.02.2026 15:50
Last: 21.02.2026 15:50
Sources 1
About this happening:
The **Russian-speaking** threat actor ran an **AI-assisted FortiGate breach campaign** from **January 11 to February 18, 2026**, compromising **over 600 FortiGate devices** across...
Timeline
27.04.2026 14:54 1 articles · 1mo ago
TrueConf releases patches for three TrueConf Server vulnerabilities
Mitigation Patch Update: TrueConf released security patches for BDU:2025-10114, BDU:2025-10115, and BDU-2025-10116 on TrueConf Server. The issues covered insufficient access control on /admin/* endpoints without authentication, arbitrary file read, and command injection that could execute operating system commands.
- PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks — thehackernews.com — 27.04.2026 14:54
27.04.2026 14:54 2 articles · 1mo ago
PhantomCore attributed to TrueConf server targeting in Russia
Initial Disclosure: Positive Technologies attributed PhantomCore to attacks against TrueConf video conferencing servers in Russia since September 2025, saying the group leveraged a three-vulnerability exploit chain to bypass authentication, read arbitrary files, and execute remote commands. The same reporting said the first attacks against TrueConf servers were detected around mid-September 2025 and that successful compromises enabled lateral movement, reconnaissance, defense evasion, credential harvesting, web shells, proxying, and tunneling.
- PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks — thehackernews.com — 27.04.2026 14:54
- PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks — thehackernews.com — 27.04.2026 14:54