A New Wave of Cyberattacks by the PhantomCore Hacker Group Detected
Between May and July 2025, specialists at Positive Technologies uncovered more than 180 compromised systems within Russian organizations. The malicious activity was traced back to the hacker group PhantomCore, which appears to have focused exclusively on targeting Russia’s critical infrastructure.
Who Was Targeted
The victims spanned a wide range of sectors:
- Government agencies
- Research institutes
- Defense enterprises
- Shipbuilding, chemical, mining, and manufacturing companies
- IT service providers
The first infection was recorded on May 12, 2025, but the peak of activity came in late June. On June 30 alone, 56% of all infections were detected, suggesting a coordinated campaign.
Stealth and Persistence
Researchers found that PhantomCore typically remained undetected inside networks for an average of 24 days, with one case lasting as long as 78 days. Alarmingly, at least 49 systems are still under the group’s control as of today.
According to experts, PhantomCore has been active since early 2024 and specializes in stealing confidential information. What sets the group apart is both the scale and the precision of its operations, consistently striking Russian organizations in strategic economic sectors and government institutions.
Arsenal and Infrastructure
PhantomCore relies on a varied toolkit that blends:
- Popular open-source utilities
- Modified versions of well-known offensive tools
- Custom-built malware not previously seen in the wild
This mix enables the attackers to maintain long-term persistence while evading detection. Their infrastructure is also carefully segmented, with different servers dedicated to specific functions and tool categories.
Geographically, PhantomCore’s infrastructure is split almost evenly between domestic and foreign hosts:
- 48% of servers are located in Russia, mostly within the networks of three major providers.
- 52% are abroad, spread across Finland, France, the Netherlands, the U.S., Germany, Hong Kong, Moldova, and Poland.
- Notably, 33% of the group’s total infrastructure is concentrated within a single Canadian provider’s network.
Expert Insights
“We believe the recent surge in this cyberespionage campaign stems from the evolution of PhantomCore’s malware arsenal,” said Viktor Kazakov, Senior Specialist at PT ESC TI Cyber Intelligence Group. “It’s likely that up until the end of April, the attackers were preparing for this wave of operations, refining their toolset. We also identified a new offshoot of the group — a cluster of lower-skilled operators likely organized by one of the core members to expand activity and increase the attack surface.”
Early Warning Saves Victims
Positive Technologies emphasized that, despite the scale of the campaign, they were able to identify affected organizations and notify them before any critical incidents occurred. This early intervention may have prevented severe damage across sectors ranging from defense to critical infrastructure.
