Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).

The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children's Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.

The phishing emails have been found to impersonate the Ukrainian President's Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site ("zoomconference[.]app") and tricks them into running a malicious PowerShell command via a ClickFix-style fake Cloudflare CAPTCHA page under the guise of a browser check.

The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier.

It's suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation.

The PowerShell command executed after it's pasted to the Windows Run dialog leads to an obfuscated downloader that's primarily responsible for retrieving and executing a second-stage payload from a remote server. This second-stage malware performs reconnaissance of the compromised host and sends it to the same server, which then responds with the PowerShell remote access trojan.

"The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware," security researcher Tom Hegel said. "The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host."

The malware connects to a remote WebSocket server at "wss://bsnowcommunications[.]com:80" and is configured to receive Base64-encoded JSON messages that include a command to be executed with Invoke-Expression or run a PowerShell payload. The results of the execution are subsequently packaged into a JSON string and sent to the server over the WebSocket.

Further analysis of VirusTotal submissions has determined that the 8-page weaponized PDF has been uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia, likely indicating broad targeting.

SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain "goodhillsenterprise[.]com," which has been used to serve the obfuscated PowerShell malware scripts. Interestingly, the infrastructure associated with "zoomconference[.]app" is said to have been active only for a single day on October 8.

This suggests "sophisticated planning and strong commitment to operational security," the company pointed out, adding it also uncovered fake applications hosted on the domain "princess-mens[.]click" that are aimed at collecting geolocation, contacts, call logs, media files, device information, installed apps list, and other data from compromised Android devices.

The campaign has not been attributed to any known threat actor or group, although the use of ClickFix overlaps with that of recently disclosed attacks mounted by the Russia-linked COLDRIVER hacking group.

"The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control," SentinelOne said.

"The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.