PhantomCaptcha Ukrainian war-relief spearphishing campaign
Campaign
Summary
PhantomCaptcha was a one-day spearphishing campaign on October 8, 2025 that targeted Ukraine war-relief organizations and Ukrainian regional government administrations. Attackers used emails impersonating the Ukrainian President’s Office, weaponized PDFs, and a ClickFix-style fake Cloudflare CAPTCHA to make victims run commands. The chain delivered a WebSocket RAT from Russian-owned infrastructure capable of remote command execution, data exfiltration, and additional malware deployment.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets
Campaign
First: 01.05.2026 17:02
Last: 01.05.2026 17:02
Sources 1
About this happening:
**SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Dust Specter Iraq Foreign Affairs AI impersonation campaign
Campaign
First: 03.03.2026 12:30
Last: 03.03.2026 12:30
Sources 1
About this happening:
**Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
CRESCENTHARVEST malicious .LNK espionage campaign targeting Iran protest supporters
Campaign
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** campaign is using **malicious .LNK files** and social engineering to target **supporters of Iran's ongoing protests** for **information theft** and **long-...
Timeline
- 22.10.2025 16:37 · 1 article
PhantomCaptcha spearphishing and ClickFix execution
Exploitation Observed
PhantomCaptcha targeted the Ukrainian regional government administration and war-relief organizations with spearphishing emails impersonating the Ukrainian President’s Office, malicious PDF attachments, and a link to zoomconference[.]app posing as a Zoom communication platform. Victims who followed the fake Cloudflare CAPTCHA and copied the prompted token into the Windows Command Prompt triggered a PowerShell command that downloaded the cptch script and delivered a second-stage reconnaissance utility and a WebSocket RAT for remote command execution and data exfiltration.
Sources:
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- 22.10.2025 16:37 · 3 articles
PhantomCaptcha campaign disclosure and analysis
Technical Analysis Update
SentinelLABS disclosed PhantomCaptcha as a one-day campaign that started and ended on October 8, 2025, targeting the Ukrainian regional government administration, the International Committee of the Red Cross, UNICEF, and other war-relief organizations. The analysis noted that some operation domains were registered at the end of March, that the WebSocket RAT was hosted on Russian infrastructure, and that the campaign may be related to a later operation in Lviv, Ukraine, using adult-themed Android APKs or cloud storage tools.
Sources:
- PhantomCaptcha ClickFix attack targets Ukraine war relief orgs — www.bleepingcomputer.com — 22.10.2025 16:37
- Blitz Spear Phishing Campaign Targets NGOs Supporting Ukraine — www.infosecurity-magazine.com — 24.10.2025 15:15