A highly orchestrated spear-phishing campaign dubbed “PhantomCaptcha” has hit organizations involved in relief support for Ukraine’s conflict zones. The attack, which lasted just one day on October 8, 2025, targeted non-profit agencies, regional government offices and international humanitarian groups, deploying a multi-stage infection chain that culminated in a WebSocket-based remote access trojan (RAT).
Spear-Phishing Lure Masquerades as Ukrainian Government Communication
The campaign kicked off with emails impersonating the office of the Ukrainian President, addressed to staff at entities such as the International Committee of the Red Cross, the Norwegian Refugee Council, and UNICEF. Recipients were sent weaponised PDF attachments that embedded links to a domain falsely branded as a teleconference platform (“zoomconference[.]app”). Upon interaction, victims encountered a realistic “I’m not a robot” CAPTCHA simulation that directed them to copy a code token and paste it into a Windows Run dialog, executing a hidden PowerShell loader.
“This social-engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files.”
— SentinelOne researchers
Attack Chain Delivers Three-Stage Payload Featuring WebSocket RAT
Once activated, the loader executed a heavily obfuscated PowerShell script (Stage 1) designed to fetch a second-stage binary (Stage 2) which profiled the host, disabled PowerShell history logging and exfiltrated system identifiers to the actor’s C2 server. Ultimately, a Stage 3 payload – a WebSocket-based RAT – installed an in-memory shell connected to attacker infrastructure. The RAT, using base64-encoded JSON packets, allowed arbitrary remote commands and data transfer, effectively giving the adversary SYSTEM-level interactive control.
Humanitarian and Government Targets Amplify Strategic Threat Landscape
The focus on war-relief organisations and Ukrainian regional administrations suggests the adversary sought access to sensitive intelligence—logistics, personnel, supply-chain data and negotiation records. The fact that the attack infrastructure was activated for only 24 hours but kept backend systems online reflects high operational security and careful compartmentalisation by the actor.
Indicators of Compromise and Defensive Actions for At-Risk Organisations
Key indicators include domains such as “zoomconference[.]app” and “goodhillsenterprise[.]com”, and IPs hosted on Russian-linked VPS providers. Targets should immediately hunt for PowerShell processes launched via the Run dialog, new COM object registrations, WinHTTP connections performing WebSocket handshakes, and outbound connections to unfamiliar endpoints. Defence teams are advised to disable macros by default, enforce deep inspection of WebSocket traffic, alert on clipboard activity that initiates commands, and segment remote-management tools.
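Two of the hunting leads above (PowerShell spawned from the Run dialog, and WebSocket handshakes to hosts the environment does not normally talk to) can be triaged from endpoint and proxy telemetry. The script below is an added example, not code from the article or from SentinelOne; the pipe-delimited log format, the sample records, and the allowlist are constructed, and the only real values are the two domains reported above, refanged for matching.

```python
import re

# Constructed sample process-creation records: timestamp|parent image|image|command line.
# Win+R launches run under explorer.exe, so PowerShell parented by explorer.exe with a
# hidden window, encoded command or download cradle is the pattern to triage first.
PROCESS_LOG = """\
2025-10-08T09:14:02Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -ep bypass -enc BASE64PLACEHOLDER
2025-10-08T09:20:11Z|C:\\Program Files\\Editor\\editor.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -File build.ps1
2025-10-08T09:31:45Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""
SUSPICIOUS_PS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\b|-ep\s+bypass|\biex\b|downloadstring", re.I)

def flag_run_dialog_powershell(log: str) -> list[str]:
    """Timestamps of PowerShell launched by explorer.exe with suspicious switches."""
    hits = []
    for line in log.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        if (parent.lower().endswith("\\explorer.exe")
                and image.lower().endswith("\\powershell.exe")
                and SUSPICIOUS_PS.search(cmdline)):
            hits.append(ts)
    return hits

# Constructed sample proxy records: timestamp|host|method|request headers (semicolon-separated).
PROXY_LOG = """\
2025-10-08T09:14:30Z|goodhillsenterprise.com|GET|Connection: Upgrade; Upgrade: websocket
2025-10-08T09:15:02Z|collab.example.org|GET|Connection: Upgrade; Upgrade: websocket
2025-10-08T09:16:10Z|ws.unknown-host.example|GET|Connection: Upgrade; Upgrade: websocket
2025-10-08T09:17:40Z|zoomconference.app|GET|Accept: text/html
"""
# The allowlist is a constructed example; the IoC set refangs the two domains reported above.
KNOWN_WEBSOCKET_HOSTS = {"collab.example.org"}
PAGE_IOC_DOMAINS = {d.replace("[.]", ".") for d in ("zoomconference[.]app", "goodhillsenterprise[.]com")}

def flag_proxy_records(log: str, allowlist=KNOWN_WEBSOCKET_HOSTS) -> list[tuple[str, str, str]]:
    """(timestamp, host, reason) for IoC hits and WebSocket upgrades to hosts not allowlisted."""
    hits = []
    for line in log.strip().splitlines():
        ts, host, _method, headers = line.split("|", 3)
        host, h = host.lower(), headers.lower()
        if host in PAGE_IOC_DOMAINS:
            hits.append((ts, host, "known-ioc-domain"))
        elif "upgrade: websocket" in h and "connection: upgrade" in h and host not in allowlist:
            hits.append((ts, host, "websocket-to-unfamiliar-host"))
    return hits
```

Tune the allowlist to the collaboration services your environment legitimately uses before running this over real telemetry, otherwise every browser-based chat client will surface as a hit.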
Why PhantomCaptcha Signals a Shift in Targeting and Tradecraft
Rather than targeting traditional infrastructure, this campaign shows threat actors engaging in human-centric social engineering to breach high-value but less hardened targets: NGOs and regional agencies. The combination of trusted-service impersonation, a one-day activation window and advanced persistence illustrates a new tier of espionage equipped to capture strategic information without large-scale disruption.