Concise Cyber

PhantomCaptcha Spear-Phishing Targets Ukraine Aid Organizations with Fake Zoom

Cybersecurity researchers have disclosed details of a spear-phishing campaign, dubbed PhantomCaptcha, that targeted organizations engaged in Ukraine’s war relief efforts. The activity, recorded on October 8, 2025, aimed to deploy a remote access trojan (RAT) through a deceptive lure. The findings were made public on October 22, 2025, in a report from SentinelOne, which describes the campaign as a significant threat to humanitarian and governmental entities.

Targeted Entities and Elaborate Deception

The PhantomCaptcha campaign targeted individual members of several organizations: the International Red Cross, the Norwegian Refugee Council, the United Nations Children’s Fund (UNICEF) Ukraine office, and the Council of Europe’s Register of Damage for Ukraine. It also reached Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions. The initial vector was a phishing email impersonating the Ukrainian President’s Office, trading on the authority of that office to get recipients to act.

Attack Mechanics and Malware Delivery

Each spear-phishing email carried a booby-trapped PDF document containing a malicious link that triggered the next stage of the compromise. Clicking the link redirected the victim to a fake Zoom website at the domain “zoomconference[.]app” (written defanged), which served as the platform for tricking users into running the remote access trojan. According to SentinelOne’s analysis, the delivered RAT uses a WebSocket for its command-and-control (C2) communications.

Source: https://thehackernews.com/2025/10/ukraine-aid-groups-targeted-through.html