A recent, highly coordinated cyberattack, codenamed “PhantomCaptcha,” targeted several major humanitarian and government groups supporting war relief efforts in Ukraine, according to new research from SentinelLABS.
The organisations targeted in this cyber attack included the International Red Cross, UNICEF, the Norwegian Refugee Council, and Ukrainian government administrations in regions like Donetsk and Dnipropetrovsk, among others.
The research, conducted in collaboration with the Digital Security Lab of Ukraine, reveals a clever operation launched on October 8th, 2025. The attackers spent six months preparing infrastructure for an attack that was only active for a single day.
Such rapid setup and shutdown suggest very skilled operators trying hard to avoid detection. Researchers noted the attack chain has similarities with the activity of COLDRIVER, a threat group linked to Russia’s FSB intelligence agency.
Fake Emails and a Tricky Trap
The attack began with official-looking emails from the Ukrainian President’s Office, which included a malicious PDF. Clicking a link in the PDF directed victims to zoomconference.app, a domain appearing as a legitimate Zoom site. This domain, hosted on a Russian-provider-owned server in Finland, presented a fake Cloudflare captcha page. This was a trap to trick people into downloading a secret spying tool.
Further probing revealed that users were instructed in Ukrainian to copy a “token” and paste it into the Windows Run box to execute a hidden command. This technique, sometimes called Paste and Run or ClickFix, is dangerous because it makes the user unknowingly run the malicious code, often bypassing regular security software.
The spying tool is a multi-stage WebSocket-based remote Access Trojan (RAT) hosted on infrastructure linked to Russia, capable of giving attackers remote control over the victim’s computer to steal data.
Long Planning, Short Operation
The attackers’ planning was quite meticulous, showing a “high level of operational planning,” as SentinelLABS researchers explained in the blog post shared exclusively with Hackread.com. The main attack lasted only 24 hours, with user-facing websites quickly taken down. However, the command-and-control (C2) servers remained active to maintain control of any compromised systems.
Such “highly targeted, short-lived” campaigns, the researchers note, show that cyber operations against relief groups are persistent and constantly growing, aiming to collect sensitive information. The preparation and swift takedown point to an operator who understands both attack and evasion techniques.
It is worth noting that the researchers also found a potential link to a separate mobile campaign involving fake Android apps. Some were disguised as adult entertainment (like the “Princess Men’s Club” theme) or cloud storage, designed to steal a wide range of personal information, including users’ location, SIM card details, contacts, photos, and a list of installed apps.
Attacks like this show relief organisations are direct targets. Staff should treat unexpected messages as malicious. Never paste unknown tokens into the Run box. If a machine behaves oddly, take it offline and have it examined.
Report incidents to your national CERT and partners, rotate any exposed credentials, and run full scans and forensic checks. Tighten basic controls such as multi-factor authentication and limited admin rights. These steps stop many attacks before they can spread.
