The PhantomCaptcha cyberattack, detailed in a new report by SentinelOne, represents a highly calculated and sophisticated operation targeting organizations central to Ukrainian war relief and regional governance. On a single day, October 8, 2025, a spear-phishing campaign was launched against specific, high-value targets, including the International Red Cross, the Norwegian Refugee Council, UNICEF’s Ukraine office, and the Council of Europe’s Register of Damage for Ukraine. Additionally, multiple Ukrainian regional government administrations—in Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk—were targeted, indicating a clear focus on disrupting or compromising operations related to the conflict and humanitarian aid. The attackers employed extensive operational planning and compartmentalized infrastructure, suggesting a persistent and well-resourced threat actor.
The initial infection vector was a series of phishing emails crafted to impersonate the Ukrainian President’s Office. These emails carried a booby-trapped PDF document containing an embedded link. Clicking this link initiated a multi-step deceptive process, beginning with a redirect to a fake Zoom site, “zoomconference[.]app.” From there, victims were taken to a malicious landing page disguised as a ClickFix-style Cloudflare CAPTCHA for a supposed browser check. This intricate social engineering trap was designed to trick victims into running a malicious PowerShell command through the Windows Run dialog, setting the stage for the delivery of the main malware payload and demonstrating a high degree of technical and social engineering skill.
The fake Cloudflare page played a critical intermediary role by attempting to establish a WebSocket connection with an attacker-controlled server. This mechanism would transmit a unique JavaScript-generated identifier. If the server responded with a matching identifier, the victim would be taken to a legitimate, password-protected Zoom meeting. This specific infection path is suspected to have been reserved for live social engineering calls where an operator would interact directly with the victim, although this live line of attack was not observed by SentinelOne during their investigation. The complexity of this setup highlights the attackers’ efforts to create a plausible, interactive, and highly evasive infection path, while also utilizing the WebSocket protocol for stealthy communication.
The PowerShell command that victims were tricked into executing was an obfuscated downloader. Its primary function was to retrieve and run a second-stage payload from a remote server. This secondary malware first performed reconnaissance on the compromised host, collecting system information and sending it back to the remote server. The server would then respond by delivering the final payload: a potent, WebSocket-based Remote Access Trojan (RAT). This RAT, hosted on Russian-owned infrastructure, functions as a remote command execution backdoor, giving the operator arbitrary access, which includes the capability for command execution, data exfiltration, and the deployment of additional malware. The use of a WebSocket-based C2 infrastructure at “wss://bsnowcommunications[.]com:80” ensures a persistent and difficult-to-detect channel for receiving Base64-encoded commands and sending back execution results.
The attackers showed a strong commitment to operational security and extensive long-term planning. Preparations for the single-day attack began on March 27, 2025, six months prior, with the registration of the domain “goodhillsenterprise[.]com,” used to serve the malware scripts. The user-facing domain, “zoomconference[.]app,” was active for only a single day, October 8, and was then swiftly taken down while the backend command-and-control infrastructure remained operational. Furthermore, the researchers uncovered evidence of additional infrastructure used to host fake applications for compromising Android devices, aimed at collecting sensitive data like geolocation, contacts, and media files. While the campaign has not been conclusively attributed to a known group, the use of the ClickFix technique overlaps with attacks by the Russia-linked COLDRIVER hacking group, underscoring the attack’s sophistication and the necessity for heightened vigilance by organizations involved in Ukrainian relief efforts.
Reference:
