PhantomCaptcha spear-phishing campaign targeting Ukraine war relief organizations
Campaign
Summary
PhantomCaptcha was a single-day spear-phishing campaign on October 8, 2025 that targeted Ukraine war relief groups and Ukrainian regional government administrations. The phishing emails impersonated the Ukrainian President's Office and used weaponized PDFs plus a ClickFix-style fake Cloudflare CAPTCHA to trick victims into running malicious PowerShell. The chain delivered a WebSocket RAT from Russian-owned infrastructure that enabled remote command execution, data exfiltration, and potential additional malware deployment.
Related Happenings
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
North American cryptocurrency company hit by network compromise
Incident
First: 28.04.2026 11:00
Last: 28.04.2026 11:00
Sources 1
About this happening:
A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
CANFAIL phishing campaign impersonating Ukrainian energy organizations
Campaign
First: 13.02.2026 19:27
Last: 13.02.2026 19:27
Sources 1
About this happening:
A **previously undocumented threat actor** is running a **CANFAIL phishing campaign** that impersonates **Ukrainian energy organizations** to gain unauthorized access to email acc...
Timeline
- 22.10.2025 19:55 · 1 article
PhantomCaptcha infrastructure registration begins
Campaign scope update: PhantomCaptcha operators register goodhillsenterprise[.]com on March 27, 2025 and use it as infrastructure for obfuscated PowerShell malware scripts supporting the campaign against Ukraine war relief organizations.
Sources:
- Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files — thehackernews.com — 22.10.2025 19:55
- 22.10.2025 19:55 · 2 articles
PhantomCaptcha phishing run targets Ukraine war relief organizations
Exploitation observed: On October 8, 2025, PhantomCaptcha phishing emails impersonate the Ukrainian President's Office and target members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine office, the Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations with a booby-trapped PDF, fake zoomconference[.]app pages, and a ClickFix-style fake Cloudflare CAPTCHA that tricks victims into running malicious PowerShell and reaching a WebSocket RAT.
Sources:
- Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files — thehackernews.com — 22.10.2025 19:55
- Blitz Spear Phishing Campaign Targets NGOs Supporting Ukraine — www.infosecurity-magazine.com — 24.10.2025 15:15
- 22.10.2025 19:55 · 2 articles
SentinelOne discloses PhantomCaptcha campaign
Initial disclosure: SentinelOne discloses PhantomCaptcha as a coordinated spear-phishing campaign against Ukraine war relief organizations, describes the WebSocket RAT and Russian-owned infrastructure behind the malware chain, and notes overlap in ClickFix tradecraft with COLDRIVER-linked activity, without attributing the campaign to a specific actor.
Sources:
- Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files — thehackernews.com — 22.10.2025 19:55