PhantomCaptcha Campaign Targets Ukraine Aid Groups
Summary
A coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign delivered a remote access trojan (RAT) using a WebSocket for command-and-control (C2). The attack took place on October 8, 2025, and impersonated the Ukrainian President's Office, using weaponized PDFs and fake Zoom meetings to trick victims into executing malicious PowerShell commands. The malware performed reconnaissance and enabled remote command execution and data exfiltration. The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations. The malware was hosted on Russian-owned infrastructure and connected to a remote WebSocket server for C2 operations.
Timeline
- 22.10.2025 19:55 (1 article): PhantomCaptcha Campaign Targets Ukraine Aid Groups on October 8, 2025
  On October 8, 2025, a coordinated spear-phishing campaign, dubbed PhantomCaptcha, targeted organizations involved in Ukraine's war relief efforts. The campaign used spear-phishing emails impersonating the Ukrainian President's Office, containing a booby-trapped PDF with an embedded link to a fake Zoom site. The fake Zoom site redirected victims to a malicious PowerShell command via a fake Cloudflare CAPTCHA page, leading to the execution of an obfuscated downloader that retrieved a second-stage payload. The final payload was a WebSocket RAT hosted on Russian-owned infrastructure, enabling arbitrary remote command execution and data exfiltration.
  Source: Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files — thehackernews.com — 22.10.2025 19:55
Information Snippets
All snippets below were first reported 22.10.2025 19:55 (1 source, 1 article): Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files — thehackernews.com — 22.10.2025 19:55
- The PhantomCaptcha campaign targeted aid organizations in Ukraine on October 8, 2025.
- The attack used spear-phishing emails impersonating the Ukrainian President's Office.
- The phishing emails contained a booby-trapped PDF with an embedded link to a fake Zoom site.
- The fake Zoom site redirected victims to a malicious PowerShell command via a fake Cloudflare CAPTCHA page.
- The PowerShell command executed an obfuscated downloader that retrieved a second-stage payload.
- The second-stage malware performed reconnaissance and sent data to a remote server.
- The final payload was a WebSocket RAT hosted on Russian-owned infrastructure.
- The WebSocket RAT enabled arbitrary remote command execution and data exfiltration.
- The malware connected to a remote WebSocket server at wss://bsnowcommunications[.]com:80.
- The campaign targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations.
- The weaponized PDF was uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia.
- The campaign's infrastructure was active only for a single day, October 8, 2025.
- The campaign has not been attributed to any known threat actor or group, but it overlaps with tactics used by the Russia-linked COLDRIVER hacking group.