Cybersecurity researchers have disclosed particulars of a coordinated spear-phishing marketing campaign dubbed PhantomCaptcha focusing on organizations related to Ukraine’s struggle aid efforts to ship a distant entry trojan that makes use of a WebSocket for command-and-control (C2).
The exercise, which occurred on October 8, 2025, focused particular person members of the Worldwide Pink Cross, Norwegian Refugee Council, United Nations Kids’s Fund (UNICEF) Ukraine workplace, Norwegian Refugee Council, Council of Europe’s Register of Harm for Ukraine, and Ukrainian regional authorities administrations within the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk areas, SentinelOne mentioned in a brand new report revealed right this moment.
The phishing emails have been discovered to impersonate the Ukrainian President’s Workplace, carrying a booby-trapped PDF doc that comprises an embedded hyperlink, which, when clicked, redirects victims to a faux Zoom web site (“zoomconference[.]app”) and methods them into working a malicious PowerShell command by way of a ClickFix-style faux Cloudflare CAPTCHA web page below the guise of a browser test.
The bogus Cloudflare web page acts as an middleman by organising a WebSocket reference to an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the sufferer to a respectable, password-protected Zoom assembly if the WebSocket server responds with an identical identifier.
It is suspected that this an infection path is probably going reserved for dwell social engineering calls with victims, though SentinelOne mentioned it didn’t observe the menace actors activating this line of assault throughout its investigation.
The PowerShell command executed after it is pasted to the Home windows Run dialog results in an obfuscated downloader that is primarily chargeable for retrieving and executing a second-stage payload from a distant server. This second-stage malware performs reconnaissance of the compromised host and sends it to the identical server, which then responds with the PowerShell distant entry trojan.
“The ultimate payload is a WebSocket RAT hosted on Russian-owned infrastructure that allows arbitrary distant command execution, information exfiltration, and potential deployment of extra malware,” safety researcher Tom Hegel mentioned. “The WebSocket-based RAT is a distant command execution backdoor, successfully a distant shell that offers an operator arbitrary entry to the host.”
The malware connects to a distant WebSocket server at “wss://bsnowcommunications[.]com:80” and is configured to obtain Base64-encoded JSON messages that embrace a command to be executed with Invoke-Expression or run a PowerShell payload. The outcomes of the execution are subsequently packaged right into a JSON string and despatched to the server over the WebSocket.
Additional evaluation of VirusTotal submissions has decided that the 8-page weaponized PDF has been uploaded from a number of places, together with Ukraine, India, Italy, and Slovakia, doubtless indicating broad focusing on.
SentinelOne famous that preparations for the marketing campaign started on March 27, 2025, when the attackers registered the area “goodhillsenterprise[.]com,” which has been used to serve the obfuscated PowerShell malware scripts. Curiously, the infrastructure related to “zoomconference[.]app” is claimed to have been lively just for a single day on October 8.
This implies “subtle planning and robust dedication to operational safety,” the corporate identified, including it additionally uncovered faux purposes hosted on the area “princess-mens[.]click on” which can be aimed toward accumulating geolocation, contacts, name logs, media recordsdata, machine data, put in apps record, and different information from compromised Android units.
The marketing campaign has not been attributed to any recognized menace actor or group, though using ClickFix overlaps with that of just lately disclosed assaults mounted by the Russia-linked COLDRIVER hacking group.
“The PhantomCaptcha marketing campaign displays a extremely succesful adversary, demonstrating in depth operational planning, compartmentalized infrastructure, and deliberate publicity management,” SentinelOne mentioned.
“The six-month interval between preliminary infrastructure registration and assault execution, adopted by the swift takedown of user-facing domains whereas sustaining backend command-and-control, underscores an operator well-versed in each offensive tradecraft and defensive detection evasion.”
