{"id":3336,"date":"2025-10-23T04:57:13","date_gmt":"2025-10-23T04:57:13","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/10\/23\/phantomcaptcha-campaign-targets-ukraine-relief-organizations\/"},"modified":"2025-10-23T04:57:13","modified_gmt":"2025-10-23T04:57:13","slug":"phantomcaptcha-campaign-targets-ukraine-relief-organizations","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/23\/phantomcaptcha-campaign-targets-ukraine-relief-organizations\/","title":{"rendered":"PhantomCaptcha Campaign Targets Ukraine Relief Organizations"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-4b89efc1-7c47-42dc-a965-88bca51fb445\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A coordinated phishing campaign aimed at humanitarian and government organizations supporting Ukraine\u2019s war relief efforts has been uncovered by cybersecurity researchers.\u00a0<\/p>\n<p>The operation, known as \u201cPhantomCaptcha,\u201d\u00a0impersonated the Ukrainian President\u2019s Office to trick victims into downloading malware through a malicious PDF document.<\/p>\n<p>According to a new advisory by SentinelLABS and the Digital Security Lab of Ukraine published today, the attack began on October 8\u00a02025, when targeted employees from the International Red Cross, UNICEF, the Norwegian Refugee Council and several Ukrainian regional administrations received phishing emails.\u00a0<\/p>\n<p>These messages contained an eight-page PDF masquerading as an official government memo. Once opened, the document directed users to a fake Zoom site, <em>zoomconference[.]app<\/em>, which hosted malicious scripts on infrastructure owned by a Russian provider.<\/p>\n<p>Victims were presented with what appeared to be a Cloudflare verification page. 
The page prompted them to perform several actions that ultimately executed a PowerShell command, allowing attackers to install malware onto their systems.<\/p>\n<p>This technique, known as \u201cClickFix\u201d\u00a0or \u201cPaste and Run,\u201d\u00a0relies on users unknowingly running commands themselves, bypassing standard security checks.<\/p>\n<p>The malware operated in three separate stages:<\/p>\n<ul>\n<li>\n<p><strong>Stage 1:<\/strong> A heavily obfuscated downloader script exceeding 500KB that retrieved additional payloads<\/p>\n<\/li>\n<li>\n<p><strong>Stage 2:<\/strong> A reconnaissance module gathering system identifiers, usernames and domain information<\/p>\n<\/li>\n<li>\n<p><strong>Stage 3:<\/strong> A WebSocket-based remote access Trojan (RAT) enabling command execution and data exfiltration<\/p>\n<\/li>\n<\/ul>\n<p>Researchers noted the infrastructure was active for just one day, reflecting a deliberate strategy to evade detection. However, backend servers remained online to manage infected devices.<\/p>\n<p>Further analysis linked PhantomCaptcha to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage\u00a0services.<\/p>\n<p>One such domain, <em>princess-mens[.]click<\/em>, distributed an app called <em>princess.apk<\/em>, which collected contacts, media, SIM data and location details from infected devices. 
Although connected, this mobile vector is being tracked as a separate activity cluster.<\/p>\n<p>\u201cThe PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,\u201d\u00a0SentinelLABS said.<\/p>\n<p>\u201cThe six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.\u201d<\/p>\n<p>To defend against this threat, the company advised users to remain cautious of instructions requiring them to paste commands into Windows Run dialogs.<\/p>\n<p>Organizations should also monitor PowerShell activity, enforce execution policy restrictions and track suspicious WebSocket connections, particularly those associated with newly registered or impersonated domains.<\/p>\n<\/div>\n<p>Image\u00a0credit: rospoint \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A coordinated phishing campaign aimed at humanitarian and government organizations supporting Ukraine\u2019s war relief efforts has been uncovered by cybersecurity researchers.\u00a0 The operation, known as \u201cPhantomCaptcha,\u201d\u00a0impersonated the Ukrainian President\u2019s Office to trick victims into downloading malware through a malicious PDF document. 
According to a new advisory by SentinelLABS and the Digital Security Lab of Ukraine<\/p>\n","protected":false},"author":2,"featured_media":3337,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3336-da5eca1c-96ee-4f27-844b-c61a2dcc00a6-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},
"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3336"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3336\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3337"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}