
PhantomCaptcha WebSocket RAT PowerShell delivery chain

Malware Activity
Happening score 16 (1 unique source, 1 article)

Summary


PhantomCaptcha delivered a WebSocket RAT on October 8, 2025 through a multi-stage PowerShell chain that let operators run commands, exfiltrate data, and load further malware. Weaponized PDFs led victims to a ClickFix-style fake CAPTCHA page that had them launch the PowerShell command themselves; because the user triggers execution and no malicious executable is dropped at that step, file-based detection has little to scan. The second stage collected host details such as the computer name and domain information and sent them to attacker infrastructure. The final backdoor repeatedly reconnected to wss://bsnowcommunications[.]com:80, keeping remote access alive after delivery. Note that a wss:// URL on port 80 means a TLS-wrapped WebSocket on the port normally used for cleartext HTTP, a combination worth alerting on in proxy and network telemetry.
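The two behaviours in that summary that are visible on an endpoint are a user-launched, evasion-flagged PowerShell process and a final stage that keeps reconnecting to one host:port. The following is an added detection example, not code from the page or from the reporting vendor: it correlates Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records by process ID, walks the parent chain to see whether the root PowerShell was started from explorer.exe (the parent when a command is pasted into the Run dialog), and counts repeated connections per destination. All events, hosts, PIDs and the reconnect threshold are constructed assumptions for illustration.

```python
"""Added detection example (not the page's or SentinelOne's code): flag a
user-launched, evasive PowerShell chain and a stage that keeps reconnecting
to a fixed host:port. Events below are constructed, not real telemetry."""
from collections import defaultdict

PS_NAMES = ("powershell.exe", "pwsh.exe")
# explorer.exe is the parent when a user pastes into the Win+R Run dialog,
# the usual ClickFix execution path (assumption: other launchers not modelled).
USER_LAUNCHERS = ("explorer.exe",)
MIN_RECONNECTS = 3  # assumption: 3+ connections to one host:port = persistent channel


def base_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_hits(cmdline):
    """Return the evasion-style PowerShell switches present in a command line."""
    toks = cmdline.lower().split()
    hits = set()
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-enc", "-encodedcommand", "-ec"):
            hits.add("encoded")
        elif t in ("-w", "-windowstyle") and nxt == "hidden":
            hits.add("hidden")
        elif t in ("-ep", "-executionpolicy") and nxt == "bypass":
            hits.add("bypass")
        elif t in ("-nop", "-noprofile"):
            hits.add("noprofile")
    return hits


def analyse(events):
    """Return one alert dict per PowerShell process that is part of a
    user-launched evasive chain or that beacons to a fixed host:port."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 3:
            conns[e["pid"]].append((e["ts"], e["dst"], e["dport"]))

    def user_launched(pid):
        # Follow PowerShell parents upward; stop at the first non-PowerShell parent.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            parent = base_name(procs[pid]["parent"])
            if parent in USER_LAUNCHERS:
                return True
            if parent not in PS_NAMES:
                return False
            pid = procs[pid]["ppid"]
        return False

    alerts = []
    for pid, e in procs.items():
        if base_name(e["image"]) not in PS_NAMES:
            continue
        hits = flag_hits(e["cmdline"])
        by_dst = defaultdict(list)
        for ts, dst, dport in conns.get(pid, []):
            by_dst[(dst, dport)].append(ts)
        reasons = []
        if user_launched(pid) and hits:
            reasons.append("user-launched powershell with " + ",".join(sorted(hits)))
        for (dst, dport), stamps in by_dst.items():
            if len(stamps) >= MIN_RECONNECTS:
                gaps = [b - a for a, b in zip(stamps, stamps[1:])]
                reasons.append(f"{len(stamps)} connections to {dst}:{dport} (min gap {min(gaps)}s)")
        if reasons:
            alerts.append({"pid": pid, "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: ts is seconds, hosts are documentation ranges.
SAMPLE_EVENTS = [
    # Stage 1: command pasted from the fake CAPTCHA page into the Run dialog
    {"id": 1, "ts": 100, "pid": 4120, "ppid": 1204, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "ts": 102, "pid": 4120, "dst": "203.0.113.10", "dport": 443},
    # Stage 2: child PowerShell spawned by stage 1
    {"id": 1, "ts": 105, "pid": 4300, "ppid": 4120, "image": PS, "parent": PS,
     "cmdline": 'powershell -nop -w hidden -c "IEX(...)"'},
    # Final stage re-establishing its channel to one host:port
    {"id": 3, "ts": 110, "pid": 4300, "dst": "203.0.113.20", "dport": 80},
    {"id": 3, "ts": 170, "pid": 4300, "dst": "203.0.113.20", "dport": 80},
    {"id": 3, "ts": 230, "pid": 4300, "dst": "203.0.113.20", "dport": 80},
    {"id": 3, "ts": 290, "pid": 4300, "dst": "203.0.113.20", "dport": 80},
    # Benign admin script from cmd.exe with a single WinRM connection
    {"id": 1, "ts": 50, "pid": 900, "ppid": 880, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"id": 3, "ts": 55, "pid": 900, "dst": "10.0.0.5", "dport": 5985},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert["pid"], alert["reasons"])
```

On the sample, both chain members (PIDs 4120 and 4300) are flagged and the cmd.exe-launched backup script is not; the reconnect rule fires on the four connections to 203.0.113.20:80. The lineage walk matters because the stage that beacons is usually not the one the user launched, so a rule keyed only on the first process misses the channel.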

Related Happenings

Dohdoor backdoor activity on Windows endpoints

Malware Activity
First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources 1

About this happening: A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

QWCrypt and RedLoader multi-stage ransomware activity

Malware Activity
First: 09.12.2025 11:35 Last: 09.12.2025 11:35 Sources 1

About this happening: The **QWCrypt** ransomware chain now matters because it has reached **successful deployment** in at least **three attacks**, using **RedLoader** and a customized **Terminator** to...

Timeline

  1. 24.10.2025 15:15 · 2 articles

    PhantomCaptcha spear phishing delivers a WebSocket RAT through a fake Cloudflare CAPTCHA

    Exploitation Observed

    On October 8, 2025, a single-day spear phishing campaign targeted Ukraine aid groups and Ukrainian regional government administrations with weaponized PDFs that impersonated the Ukrainian President’s Office, redirected victims through a fake Cloudflare CAPTCHA page, and used user-triggered PowerShell execution to deliver a multi-stage payload culminating in a WebSocket remote access Trojan.

  2. 24.10.2025 15:15 · 1 article

    SentinelOne report identifies Ukraine aid groups and regional administrations as PhantomCaptcha targets

    Initial Disclosure

    On October 22, 2025, SentinelOne identified individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, the Council of Europe’s Register of Damage for Ukraine, and Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava and Mikolaevsk regions as targets of PhantomCaptcha.
