Find notable cyber news and cases, enriched with sources, timelines, and signals.

PhantomCaptcha spear-phishing campaign targeting Ukraine war relief organizations

Campaign
First reported
Last updated
Happening score
H score 36
2 unique sources, 2 articles

Summary

Hide ▲

PhantomCaptcha was a single-day spear-phishing campaign on October 8, 2025 that targeted Ukraine war relief groups and Ukrainian regional government administrations. The phishing emails impersonated the Ukrainian President's Office and used weaponized PDFs plus a ClickFix-style fake Cloudflare CAPTCHA to trick victims into running malicious PowerShell. The chain delivered a WebSocket RAT from Russian-owned infrastructure that enabled remote command execution, data exfiltration, and potential additional malware deployment.

Related Happenings

Vidar infostealer delivered through TikTok and Instagram Reels

Malware Activity
H score27 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign
H score39 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
H score33 First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

North American cryptocurrency company hit by network compromise

Incident
H score31 First: 28.04.2026 11:00 Last: 28.04.2026 11:00 Sources 1

About this happening: A **North American cryptocurrency company** suffered a **multi-stage intrusion** that began on **January 23, 2026**, and the attackers kept access for **66 days**. The foothold ca...

TA416 European government espionage campaign

Campaign
H score32 First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Timeline

  1. 22.10.2025 19:55 1 articles · 8mo ago

    PhantomCaptcha infrastructure registration begins

    Campaign Scope Update

    PhantomCaptcha operators register goodhillsenterprise[.]com on March 27, 2025 and use it as infrastructure for obfuscated PowerShell malware scripts supporting the campaign against Ukraine war relief organizations.

    Show sources
  2. 22.10.2025 19:55 2 articles · 8mo ago

    PhantomCaptcha phishing run targets Ukraine war relief organizations

    Exploitation Observed

    On October 8, 2025, PhantomCaptcha phishing emails impersonate the Ukrainian President's Office and target members of the International Red Cross, Norwegian Refugee Council, UNICEF Ukraine office, the Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations with a booby-trapped PDF, fake zoomconference[.]app pages, and a ClickFix-style fake Cloudflare CAPTCHA that tricks victims into running malicious PowerShell and reaching a WebSocket RAT.

    Show sources
  3. 22.10.2025 19:55 2 articles · 8mo ago

    SentinelOne discloses PhantomCaptcha campaign

    Initial Disclosure

    SentinelOne discloses PhantomCaptcha as a coordinated spear-phishing campaign against Ukraine war relief organizations, describes the WebSocket RAT and Russian-owned infrastructure behind the malware chain, and notes overlap in ClickFix tradecraft with COLDRIVER-linked activity while keeping attribution unattributed.

    Show sources