
WebSocket RAT: remote access trojan with WebSocket C2

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


On October 8, 2025, a WebSocket RAT was delivered through the PhantomCaptcha phishing chain, giving operators remote command execution and data exfiltration capability on compromised Windows hosts. The malware’s WebSocket C2 and staged PowerShell execution make the payload a flexible backdoor for interactive post-compromise control. The activity also raised the risk of additional malware deployment after initial access.
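The two things a defender can hunt for in this chain are the WebSocket handshake itself and the process that opens it. The following is an added example, not code from the original page or from the researchers who disclosed PhantomCaptcha: a small Python hunt that reads JSON-lines network events (a constructed format modelled on EDR/Sysmon-style telemetry, with made-up sample lines) and flags WebSocket upgrades whose scheme does not match the port (the wss:// on port 80 reported for the C2), upgrades initiated by or spawned from a scripting host such as powershell.exe, and upgrades to non-standard ports. The field names, the sample events and the C2 host string are assumptions for illustration.

```python
import json

# Scripting hosts that have no business opening interactive WebSocket channels
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# The port each WebSocket scheme normally rides on; a mismatch (wss on 80, ws on 443)
# is the kind of oddity reported for the PhantomCaptcha C2 endpoint.
EXPECTED_PORT = {"ws": 80, "wss": 443}

# Constructed sample telemetry (JSON lines, one outbound network event per line).
# These events are made up for this example; the host is written defanged on purpose.
SAMPLE_LOGS = r'''
{"ts":"2025-10-08T09:12:01Z","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"explorer.exe","scheme":"wss","host":"bsnowcommunications[.]com","port":80,"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}
{"ts":"2025-10-08T09:13:44Z","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","parent":"explorer.exe","scheme":"wss","host":"chat.example.com","port":443,"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}
{"ts":"2025-10-08T09:15:10Z","image":"C:\\Windows\\System32\\svchost.exe","parent":"services.exe","scheme":"https","host":"update.example.com","port":443,"headers":{}}
{"ts":"2025-10-08T09:16:02Z","image":"C:\\Users\\u\\AppData\\Local\\Temp\\agent.exe","parent":"powershell.exe","scheme":"ws","host":"198.51.100.7","port":8080,"headers":{"Upgrade":"websocket","Connection":"Upgrade"}}
'''


def is_websocket_upgrade(headers):
    """True when the request carries the HTTP/1.1 WebSocket handshake headers."""
    return (headers.get("Upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("Connection", "").lower())


def score_event(ev):
    """Return a list of human-readable reasons this event looks like WebSocket C2.

    An empty list means the event is not a WebSocket handshake or nothing about it
    stands out. Each rule is independent so a single event can trip several.
    """
    reasons = []
    if not is_websocket_upgrade(ev.get("headers", {})):
        return reasons
    scheme, port = ev.get("scheme"), ev.get("port")
    # Only the executable name matters for the script-host check, not its path
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
    if scheme in EXPECTED_PORT and EXPECTED_PORT[scheme] != port:
        reasons.append(f"{scheme}:// on port {port} (expected {EXPECTED_PORT[scheme]})")
    if image in SCRIPT_HOSTS:
        reasons.append(f"websocket handshake from script host {image}")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"websocket client spawned by {parent}")
    if port not in (80, 443):
        reasons.append(f"websocket on non-standard port {port}")
    return reasons


def hunt(jsonl):
    """Parse JSON-lines telemetry and return the events that tripped at least one rule."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append({"ts": ev["ts"], "host": ev["host"], "port": ev["port"],
                         "image": ev["image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["host"]}:{hit["port"]} <- {hit["image"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Against the constructed sample, the browser's wss:// to port 443 and the plain HTTPS fetch pass silently, while the powershell.exe handshake to port 80 over wss:// and the dropped binary's ws:// to port 8080 (spawned by powershell.exe) are both reported with the rules they tripped. On real telemetry the port-mismatch rule is the most specific of the four; the script-host rules are noisier in environments with heavy PowerShell automation and are better used as a second signal than on their own.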

Related Happenings

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

Storm-0249 SentinelOne EDR abuse for stealthy malware execution

Malware Activity
First: 09.12.2025 17:24 Last: 09.12.2025 17:24 Sources 1

About this happening: **Storm-0249** is abusing **SentinelOne EDR** components and trusted **Windows utilities** to load malware, establish **C2**, and maintain persistence, increasing the risk that th...

JackFix ClickFix fake-adult-site phishing campaign

Campaign
First: 25.11.2025 16:18 Last: 25.11.2025 16:18 Sources 1

About this happening: The **JackFix** campaign is using **fake adult websites** and **ClickFix** lures to trick users into running malicious commands, enabling an infection chain that can drop **steale...

ClickFix variants delivering LummaC2 and Rhadamanthys

Malware Activity
First: 24.11.2025 22:42 Last: 24.11.2025 22:42 Sources 1

About this happening: Since **October 1**, **ClickFix** variants have been using a **fake Windows Update** screen and **human verification** lures to trick Windows users into pasting commands that exec...

ShadowPad malware deployed via WSUS exploitation

Malware Activity
First: 24.11.2025 09:18 Last: 24.11.2025 09:18 Sources 1

About this happening: **ShadowPad** was **downloaded and installed** on **Windows Server WSUS** systems after attackers exploited **CVE-2025-59287**, extending the impact of the flaw beyond initial acc...

Timeline

  1. 22.10.2025 19:55 1 article · 7mo ago

    PhantomCaptcha infrastructure prepared with domain registration

    Campaign Scope Update

    On March 27, 2025, attackers registered goodhillsenterprise[.]com and used it to serve obfuscated PowerShell malware scripts, indicating campaign preparation before the later phishing activity against Ukraine war relief targets.

  2. 22.10.2025 19:55 2 articles · 7mo ago

    PhantomCaptcha phishing delivers WebSocket RAT through fake Zoom and Cloudflare pages

    Exploitation Observed

    On October 8, 2025, phishing emails impersonated the Ukrainian President's Office and delivered a booby-trapped PDF that redirected victims to zoomconference[.]app and a fake Cloudflare CAPTCHA page, where malicious PowerShell execution led to a staged downloader, second-stage reconnaissance, and a WebSocket RAT using wss://bsnowcommunications[.]com:80 for command-and-control.

  3. 22.10.2025 19:55 1 article · 7mo ago

    Researchers disclose PhantomCaptcha spear-phishing campaign and WebSocket RAT

    Initial Disclosure

    On October 22, 2025, security researchers disclosed PhantomCaptcha as a coordinated spear-phishing campaign against organizations linked to Ukraine's war relief efforts, describing a remote access trojan with WebSocket command-and-control, arbitrary command execution, data exfiltration, and potential additional malware deployment.
