On October 8, 2025, a sophisticated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine’s war relief efforts. Cybersecurity firm SentinelOne identified this operation, which aimed to deploy a remote access trojan (RAT) utilizing WebSocket for command-and-control (C2) communications.
Targeted Organizations:
The campaign focused on individual members of several humanitarian and governmental bodies, including:
– International Red Cross
– Norwegian Refugee Council
– United Nations Children’s Fund (UNICEF) Ukraine office
– Council of Europe’s Register of Damage for Ukraine
– Ukrainian regional government administrations in Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions
Attack Methodology:
The attackers employed a multi-stage approach:
1. Phishing Emails: Disguised as communications from the Ukrainian President’s Office, these emails contained a malicious PDF attachment.
2. Malicious PDF: The PDF included an embedded link that redirected recipients to a counterfeit Zoom website (zoomconference[.]app).
3. Fake Cloudflare CAPTCHA: Victims encountered a deceptive Cloudflare CAPTCHA page, designed to appear as a browser security check.
4. PowerShell Execution: The CAPTCHA page prompted users to execute a PowerShell command via the Windows Run dialog, initiating the malware download process.
Technical Details:
– WebSocket RAT: The final payload was a WebSocket-based RAT, enabling remote command execution, data exfiltration, and potential deployment of additional malware.
– Command-and-Control: The RAT connected to a WebSocket server at wss://bsnowcommunications[.]com:80, receiving Base64-encoded JSON commands for execution.
– Infrastructure: The domain goodhillsenterprise[.]com was registered on March 27, 2025, serving obfuscated PowerShell scripts. The zoomconference[.]app domain was active only on October 8, indicating meticulous planning and operational security.
Additional Findings:
SentinelOne also discovered fake applications hosted on princess-mens[.]click, designed to collect geolocation data, contacts, call logs, media files, device information, and lists of installed apps from compromised Android devices.
Conclusion:
The PhantomCaptcha campaign exemplifies a highly capable adversary demonstrating extensive operational planning and a strong commitment to operational security. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.
