A sophisticated one-day spearphishing operation has targeted humanitarian organizations and regional government bodies in Ukraine.
The campaign, tracked as PhantomCaptcha, was uncovered by SentinelLabs in collaboration with the Digital Security Lab of Ukraine.
Bad actors masquerading as the Ukrainian President’s Office sent weaponized PDF attachments to members of the International Red Cross, Norwegian Refugee Council, UNICEF, and Ukrainian regional administrations.
Opening the PDF led to a fake Cloudflare captcha page, part of a carefully staged infection chain that deliverd a WebSocket-based RAT hosted on Russian-owned infrastructure.
Despite what must have been months of preparation, the operation was active for only one day, a brief window that points to the attackers’ precision and operational discipline.
A Convincing Lure
The phishing emails carried an eight-page PDF that looked like an authentic government document. Once opened, a malicious link led victims to zoomconference[.]app, a domain mimicking Zoom but tied to a VPS in Finland operated by a Russian provider (KVMKA).
Visitors were met with what appeared to be a Cloudflare DDoS protection screen, complete with progress bars and system checks. But beneath the surface, the page executed a JavaScript function establishing a WebSocket connection to the attacker’s command server, laying the groundwork for payload delivery.
ClickFix Revisited
The malefactors used a variation of the ClickFix or “Paste and Run” technique. After a simulated captcha challenge, users were told (in Ukrainian) to copy a “token,” open the Windows Run dialog, and paste the command.
That action triggered a hidden PowerShell process that fetched the next-stage payload from the same domain. Because the code was executed by the user, most endpoint defenses would see it as legitimate activity.
It’s a tactic increasingly favored by state-linked groups: manipulating users into triggering the infection themselves.
A Three-Stage Payload
PhantomCaptcha’s payload unfolded in three scripted layers:
- Stage 1 – A 500KB obfuscated PowerShell script acting as a downloader for the next payload.
- Stage 2 – A reconnaissance script, collecting system identifiers, usernames, and domain data, sent via XOR-encrypted HTTP traffic to bsnowcommunications[.]com.
- Stage 3 – A WebSocket RAT that enabled full remote command execution, continuous reconnect logic, and live data exfiltration.
The RAT operated like a remote shell would, able to execute arbitrary commands and return results through encrypted channels.
Infrastructure and Attribution
The campaign’s infrastructure showed strong compartmentalization. The zoomconference[.]app lure domain shut down within hours of activation, while the bsnowcommunications[.]com backend remained online, likely to maintain access to compromised hosts.
Investigators linked related domains and IPs to past Russian or Belarusian activity, with moderate confidence that COLDRIVER, an FSB-linked threat cluster, may be connected.
Further analysis revealed overlaps with a mobile surveillance campaign, including fake Android apps such as princess.apk, themed around Ukrainian adult venues. These apps harvested contacts, media, call logs, location data, and more, suggesting a broader intelligence-gathering operation.
Implications
The operation demonstrates advanced tradecraft: rapid infrastructure turnover, tailored social engineering, and clean execution within a 24-hour window. The targeting of aid organizations and government offices suggests a focus on intelligence collection tied to humanitarian and reconstruction efforts in Ukraine.
User awareness remains a key defense. Legitimate services never require commands pasted into Run dialogs. PowerShell logging, execution monitoring, and WebSocket traffic inspection are critical to detect similar intrusions.
Weaponizing Trust
Michael Tigges, senior security operations analyst at Huntress, said: “This incident underscores a familiar truth in modern cyber conflict: adversaries continue to weaponise trust. By mimicking a Cloudflare CAPTCHA flow, the operators behind this campaign effectively sidestepped traditional user skepticism and exploited routine web interactions as a delivery mechanism.”
Tigges called this a reminder that social engineering has evolved beyond suspicious links; as adversaries now blend into trusted infrastructure and UI patterns to lower defences.
“This tactic is not only a technique of nation-state advanced persistent threats, but remains one of the most broadly observed malware distribution tactics in recent years. Detection remains difficult when attackers rely on living-off-the-land techniques like ClickFix commands that abuse native tooling. Security teams benefit from telemetry that can correlate behavioural anomalies, such as unusual web-to-command execution paths, rather than relying solely on static filtering or domain blocklists. EDR tools, when coupled with strong identity and session monitoring, can provide critical visibility into these asymmetric intrusions.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.