ID: bfd5eaf7-0728-4652-ba11-bf1ccd894854
STIX ID: report--bfd5eaf7-0728-4652-ba11-bf1ccd894854
Threat Score: 85/100
Beginning in September 2025, PhantomCore used an exploit chain of three TrueConf vulnerabilities (BDU-2025-10114, BDU-2025-10115 and BDU-2025-10116) to execute commands remotely and deploy its tooling (PhantomPxPigeon, PhantomSscp, MacTunnelRat and PhantomProxyLite) for reconnaissance, credential theft and persistence; in some intrusions the group also encrypted virtual machines, servers and user workstations. Targets were a range of Russian public- and private-sector organizations. Alongside the TrueConf exploit chain, the group used phishing for initial access, and it maintained long dwell times while expanding its foothold across victim networks. The activity was publicly reported by Positive Technologies on 20 April 2026.
