A Zoom call could pose a problem for Ukraine's cybersecurity


Cybersecurity researchers have revealed details about a sophisticated phishing campaign called PhantomCaptcha, which targeted organizations involved in humanitarian aid efforts in Ukraine. This attack, which took place on October 8, 2025, targeted members of the International Red Cross, the Norwegian Refugee Council, and UNICEF’s office in Ukraine, among others.

Beware of your Zoom!

The emails used in the campaign impersonated the Office of the President of Ukraine and carried malicious PDF documents that redirected users to a fake Zoom site. This site, ‘zoomconference.app’, was only operational for one day, indicating that the attackers paid careful attention to operational security.

Clicking the link took victims to a fake Cloudflare CAPTCHA page designed to run malicious PowerShell commands on their machines. This technique, known as ClickFix, served as the intermediary step that established a WebSocket connection with a server controlled by the attackers, allowing remote command execution and data exfiltration.

The malware includes an obfuscated downloader that fetches a second payload capable of performing reconnaissance on the compromised system. Through the WebSocket connection, attackers can send commands to and receive results from the affected device, effectively giving them the ability to run arbitrary commands on it.
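As an added illustration from the defender's side (not part of the original report), the following Python sketch correlates constructed process-creation and network telemetry to flag the chain described above: PowerShell launched from the Run dialog with window-hiding or encoding flags, followed by an outbound WebSocket from the same process. The event shape, field names and sample values are assumptions, not real logs from this campaign.

```python
"""Detection sketch for a ClickFix-style chain: a fake CAPTCHA coaxes the
user into pasting a PowerShell one-liner into the Run dialog, after which
PowerShell opens a WebSocket to attacker infrastructure."""

# Constructed sample telemetry (not real logs) in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_image": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand <base64-placeholder>"},
    {"type": "network", "pid": 4120, "dest": "wss://fake-zoom.example.invalid/ws"},
    {"type": "process", "pid": 5210, "parent_image": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"type": "network", "pid": 5210, "dest": "https://intranet.example.invalid/"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R / Run box launches are children of explorer
SUSPICIOUS_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "-nop")


def score_process(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if ev["image"].lower() not in POWERSHELL:
        return 0, reasons
    if ev["parent_image"].lower() in RUN_DIALOG_PARENTS:
        reasons.append("powershell launched from explorer (Run dialog pattern)")
    cmd = ev["cmdline"].lower()
    hits = [f.strip() for f in SUSPICIOUS_FLAGS if f in cmd]
    if hits:
        reasons.append("suspicious flags: " + ", ".join(hits))
    return len(reasons), reasons


def flag_clickfix(events, threshold=2):
    """Correlate process and network events by PID; return {pid: reasons} for hits."""
    ws_pids = {e["pid"] for e in events
               if e["type"] == "network" and e["dest"].lower().startswith(("ws://", "wss://"))}
    alerts = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        score, reasons = score_process(ev)
        if ev["pid"] in ws_pids:  # the WebSocket C2 step described in the report
            score += 1
            reasons.append("outbound WebSocket from the same process")
        if score >= threshold:
            alerts[ev["pid"]] = reasons
    return alerts


if __name__ == "__main__":
    for pid, why in flag_clickfix(SAMPLE_EVENTS).items():
        print(pid, why)
```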

The campaign had been in preparation since March 2025, demonstrating a high operational capacity and a strong commitment to operational security. Although it has not been attributed to any known group, similarities have been observed with techniques used by Russia-linked hacker groups such as COLDRIVER, leaving its origins open to speculation. Observers suggest that infrastructure of this kind reflects not only offensive skill but also a deep understanding of how to evade defensive detection.