NEWS A typical video call, a typical installer, a typical backdoor.

Attackers replaced the client installers on compromised servers and infected organizations through an ordinary video-call scenario.

A simple video call invitation sent to Russian organizations has turned into a trap. Researchers have discovered a new wave of attacks in which attackers abuse TrueConf infrastructure to deliver malicious versions of the client application to victims. Transportation companies, scientific organizations, and educational institutions have been targeted, and the consequences of this scheme can extend far beyond a single network.

The first campaign, linked to the Head Mare group, began no later than December 2025 and was discovered in February 2026. Employees of targeted organizations received a link inviting them to a video conference, clicked it, and were prompted to install a client to join the call. Along with the client, a previously unknown backdoor, dubbed PhantomPxPigeon, was installed on their computers.

Researchers are now recording a new surge of similar activity. On a number of compromised TrueConf servers belonging to organizations in the transportation, scientific, and educational sectors, attackers have replaced the client application installers. This scheme threatens more than the owner of the compromised server: any external organization whose employee downloads such a client from that server to join a call also risks infection.

How exactly the attackers replace the files is still unknown. One working theory involves vulnerability BDU:2025-10116, which researchers discovered and the developer patched back in August 2025. In light of the new incidents, organizations running TrueConf are advised to check their server software version and install the latest updates as soon as possible, as the vendor recommends.

Special attention should be paid to the client installers that the server distributes to users. Legitimate TrueConf installers must carry a valid digital signature from the developer; the malicious samples found during the investigation had no such signature. A missing or untrusted signature may indicate that the installation package has been tampered with, modified, or prepared to exploit a vulnerability. The authenticity of an installer can also be checked against the copy published on the vendor's website.
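The signature check described above, as an added example that is not code from TrueConf, Kaspersky, or the original post. The two paths are the ones named in the article; the expected signer substring is an assumption and must be read from a known-good installer before the result is trusted.

```powershell
# Added example; not TrueConf's or Kaspersky's code. Audits the installers a TrueConf
# Server hands out (the directory named in the write-up) and the installed client binary
# for a valid Authenticode signature from the expected publisher. Run elevated on Windows.
$InstDir   = 'C:\Program Files\TrueConf Server\ClientInstFiles'
$ClientExe = 'C:\Program Files\TrueConf\Client\TrueConf.exe'
# ASSUMPTION: substring expected in the signer certificate's Subject. Read the real value
# from a known-good installer downloaded from the vendor's site and put it here.
$ExpectedSigner = 'TrueConf'

function Test-TrueConfInstaller {
    # Returns one record per file: signature status, signer, SHA-256 and a Suspect flag.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Signer = $ExpectedSigner
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # 'Valid' means the signature checks out AND the chain is trusted on this machine;
    # NotSigned, HashMismatch and NotTrusted are all grounds for treating the file as hostile.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        SHA256  = $hash          # compare with the hash of the vendor-published installer
        Suspect = -not $ok
    }
}

$targets = @()
if (Test-Path -LiteralPath $InstDir) {
    $targets += Get-ChildItem -LiteralPath $InstDir -Recurse -File -Include *.exe, *.msi, *.dll
}
if (Test-Path -LiteralPath $ClientExe) { $targets += Get-Item -LiteralPath $ClientExe }

$results = foreach ($f in $targets) { Test-TrueConfInstaller -Path $f.FullName }
$results | Format-Table -AutoSize
foreach ($r in $results | Where-Object Suspect) {
    Write-Warning "Unsigned or unexpected signer: $($r.File) [$($r.Status)] '$($r.Signer)'"
}
```

A `Valid` status only says the signature verifies against a chain this machine trusts, so the signer check matters: a correctly signed file from the wrong publisher is still a replaced installer. Keeping the SHA-256 lets you compare the served file byte-for-byte with the download from the vendor's site, which also catches a tampered file that was left unsigned.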

To detect traces of an attack in the infrastructure, experts recommend watching for several characteristic signs: replacement of client files in the directory C:\Program Files\TrueConf Server\ClientInstFiles\; network requests from the process C:\Program Files\TrueConf\Client\TrueConf.exe to suspicious domains and to IP addresses in atypical regions; loading of suspicious libraries; and the creation of new processes and files by the client application. If attackers are exploiting server vulnerabilities, the activity of the tc_webmgr.exe process should also be monitored, in particular the launch of suspicious child processes and the creation of new files.
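The hunting logic for those signs, as an added example that is not Kaspersky's detection content or the original post's: a triage function over Sysmon events (process creation, network connection, image load, file create) for the TrueConf.exe and tc_webmgr.exe processes. The sample events are constructed for the demo; the allowlist of expected destinations and the on-disk location of tc_webmgr.exe in the sample are assumptions that must be adjusted to the environment.

```powershell
# Added example; not Kaspersky's or TrueConf's code. Flags the behaviours named in the
# write-up from Sysmon telemetry. Sample events below are constructed, not real telemetry.
$ClientExe = 'C:\Program Files\TrueConf\Client\TrueConf.exe'     # path from the write-up
$InstDir   = 'C:\Program Files\TrueConf Server\ClientInstFiles\'  # path from the write-up
# ASSUMPTION: hosts the client is expected to reach (your own server, vendor services).
$AllowedHosts = @('tc.corp.example', 'trueconf.com')

function ConvertFrom-SysmonEvent {
    # Flatten an EventLogRecord from Microsoft-Windows-Sysmon/Operational into one object.
    param([Parameter(Mandatory)]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{ Id = $Event.Id }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

function Test-TrueConfProcess {
    # True for the client binary (full path) or the server web manager (matched by name,
    # since the write-up gives no install path for it).
    param([string]$Path)
    if (-not $Path) { return $false }
    ($Path -eq $ClientExe) -or ((Split-Path -Path $Path -Leaf) -eq 'tc_webmgr.exe')
}

function Find-TrueConfSuspiciousEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reason = $null
        switch ($e.Id) {
            3 {  # network connection: client talking to something outside the allowlist
                if ($e.Image -eq $ClientExe) {
                    $dst = "$($e.DestinationHostname)".TrimEnd('.')
                    $known = $AllowedHosts | Where-Object { $dst -eq $_ -or $dst -like "*.$_" }
                    if (-not $known) { $reason = "TrueConf.exe connected to $($e.DestinationIp) ($dst)" }
                }
            }
            7 {  # image load: DLL from outside the client's own or Windows directories
                if ($e.Image -eq $ClientExe -and
                    $e.ImageLoaded -notlike 'C:\Program Files\TrueConf\*' -and
                    $e.ImageLoaded -notlike 'C:\Windows\*') {
                    $reason = "TrueConf.exe loaded $($e.ImageLoaded) (Signed=$($e.Signed))"
                }
            }
            1 {  # process create: client or web manager spawning a child process
                if (Test-TrueConfProcess $e.ParentImage) {
                    $reason = "$(Split-Path -Path $e.ParentImage -Leaf) spawned $($e.Image): $($e.CommandLine)"
                }
            }
            11 { # file create: anything written into ClientInstFiles, or new executables
                if ($e.TargetFilename -like "$InstDir*" -or
                    ((Test-TrueConfProcess $e.Image) -and $e.TargetFilename -match '\.(exe|dll|msi)$')) {
                    $reason = "$(Split-Path -Path $e.Image -Leaf) wrote $($e.TargetFilename)"
                }
            }
        }
        if ($reason) { [pscustomobject]@{ Id = $e.Id; Time = $e.UtcTime; Reason = $reason } }
    }
}

# Constructed sample events: one normal connection, then one instance of each red flag.
# The tc_webmgr.exe path here is illustrative only.
$WebMgr = 'C:\Program Files\TrueConf Server\tc_webmgr.exe'
$sample = @(
    [pscustomobject]@{ Id=3;  UtcTime='2026-02-10 09:00:01'; Image=$ClientExe; DestinationIp='10.10.5.20';   DestinationHostname='tc.corp.example' }
    [pscustomobject]@{ Id=3;  UtcTime='2026-02-10 09:00:07'; Image=$ClientExe; DestinationIp='203.0.113.45'; DestinationHostname='-' }
    [pscustomobject]@{ Id=7;  UtcTime='2026-02-10 09:00:09'; Image=$ClientExe; ImageLoaded='C:\Users\Public\Libraries\update.dll'; Signed='false' }
    [pscustomobject]@{ Id=1;  UtcTime='2026-02-10 09:00:12'; Image='C:\Windows\System32\cmd.exe'; ParentImage=$WebMgr; CommandLine='cmd.exe /c whoami' }
    [pscustomobject]@{ Id=11; UtcTime='2026-02-10 09:00:15'; Image=$WebMgr; TargetFilename="${InstDir}TrueConfSetup.exe" }
)
Find-TrueConfSuspiciousEvents -Events $sample | Format-Table -AutoSize

# Live use on a host with Sysmon installed (run elevated):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,3,7,11 } -MaxEvents 50000 |
#         ForEach-Object { ConvertFrom-SysmonEvent $_ }
# Find-TrueConfSuspiciousEvents -Events $live | Format-Table -AutoSize
```

On the constructed sample the first connection is passed as expected and the remaining four events are each reported. In a real environment the allowlist and the directory prefixes are the tuning points; the parent-process rule for tc_webmgr.exe needs little tuning, since a server web manager has no legitimate reason to spawn a shell.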

Kaspersky Lab notes that the company's security products can detect signs of such activity. Kaspersky Endpoint Detection and Response Expert, in particular, detects the use of an unsigned TrueConf installer with the rule unsigned_trueconf_installer. Similar malicious activity is also tracked by the Kaspersky Managed Detection and Response service.

The TrueConf incident demonstrates an old but still effective attacker tactic: compromise a trusted entry point and turn an everyday work tool into an infection channel. When a malicious file comes not from a dubious website but from a corporate videoconferencing server, the risk to any organization rises sharply.