SentinelLABS uncovered a sophisticated spearphishing campaign, dubbed “PhantomCaptcha”, targeting humanitarian and government organizations in Ukraine with fake verification pages and weaponized PDFs. The attack used multi-stage PowerShell payloads and a WebSocket-based RAT to establish stealthy command-and-control infrastructure, with overlaps linking it to Russian threat clusters such as COLDRIVER.
Key points
- The campaign targeted Ukrainian humanitarian and government agencies using impersonation and weaponized PDFs.
- Attackers employed fake Cloudflare verification pages to trick victims into executing malware themselves.
- The infection chain involved highly obfuscated PowerShell scripts across three stages for stealth and persistence.
- The WebSocket-based RAT allowed remote command execution and data exfiltration from compromised hosts.
- Related mobile malware targeted Android devices, harvesting extensive personal data with socially engineered lures.