Mallory
Malware. Used by 1 actor.

PhantomCaptcha

PhantomCaptcha is a coordinated spearphishing malware campaign and associated multi-stage PowerShell/WebSocket RAT chain reported by SentinelLABS and the Digital Security Lab of Ukraine. It targeted humanitarian organizations and Ukrainian government entities involved in war relief efforts, including the International Committee of the Red Cross, UNICEF Ukraine, the Norwegian Refugee Council, the Council of Europe’s Register of Damage for Ukraine, and regional administrations in Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk. The operation was observed on October 8, 2025, after roughly six months of infrastructure preparation, with the user-facing lure infrastructure active for only about 24 hours.

Initial access used spearphishing emails impersonating the Ukrainian President’s Office and delivering a weaponized 8-page PDF lure (SHA-256: e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3). The PDF redirected victims to zoomconference[.]app, a Zoom lookalike domain hosted at 193.233.23[.]81 on infrastructure described as a VPS in Finland owned by Russian provider KVMKA. The site displayed a fake Cloudflare CAPTCHA and used a ClickFix/Paste-and-Run technique: victims were instructed to copy a token and paste it into the Windows Run dialog, which invoked conhost.exe to launch hidden PowerShell with ExecutionPolicy Bypass.

The malware chain consisted of three PowerShell stages. Stage 1, an obfuscated downloader named cptch (SHA-256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44), downloaded Stage 2 from hxxps://bsnowcommunications[.]com/maintenance. Stage 2 (SHA-256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566) fingerprinted the host by collecting computer name, domain, username, PID, and system UUID; XOR-encrypted the data with key b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l; transmitted it via HTTP GET to bsnowcommunications[.]com/maintenance/<data>; and disabled PowerShell history logging with Set-PSReadlineOption -HistorySaveStyle SaveNothing. It then received and decrypted Stage 3 in memory. Stage 3 (SHA-256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23) was a lightweight WebSocket RAT/backdoor connecting to wss://bsnowcommunications[.]com:80, receiving Base64-encoded JSON tasks, executing commands via Invoke-Expression or asynchronous PowerShell runspaces, and exfiltrating command output plus host context including working directory, UUID/HWID, PID, and an IDC value. It included reconnect logic in an infinite loop.
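As an added defensive illustration (not code from the SentinelLABS/DSLU reporting or from Mallory), the following Python runs three host-side checks derived from the chain above over constructed Sysmon-style process-creation events: the Run-dialog launch chain (conhost.exe spawning hidden PowerShell with ExecutionPolicy Bypass), the Set-PSReadlineOption -HistorySaveStyle SaveNothing kill switch, and the presence of the reported C2 domains in a command line. Field names, the sample events and the command-line placeholders are assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style process-creation events; not real telemetry.
# Event 0 mirrors the ClickFix launch, event 1 the history-logging kill switch,
# event 2 is a benign scheduled script that must not alert.
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ExecutionPolicy Bypass -c "
                "\"<loader placeholder fetching bsnowcommunications[.]com/maintenance>\""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"Set-PSReadlineOption -HistorySaveStyle SaveNothing\""},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1"},
]

# C2 / lure domains from the write-up, kept defanged; both sides are normalised before matching.
C2_DOMAINS = {"bsnowcommunications[.]com", "goodhillsenterprise[.]com", "zoomconference[.]app"}

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_clickfix_launch(e: Event) -> bool:
    """Run dialog -> conhost.exe -> hidden PowerShell with ExecutionPolicy Bypass."""
    cmd = e["cmdline"]
    return (_base(e["parent"]) == "conhost.exe"
            and _base(e["image"]).startswith(("powershell", "pwsh"))
            and re.search(r"-(ep|ex|executionpolicy)\s+bypass", cmd, re.I) is not None
            and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I) is not None)

def disables_ps_history(e: Event) -> bool:
    cmd = e["cmdline"].lower()
    return "set-psreadlineoption" in cmd and "savenothing" in cmd

def mentions_c2(e: Event) -> bool:
    cmd = e["cmdline"].lower().replace("[.]", ".")
    return any(d.replace("[.]", ".") in cmd for d in C2_DOMAINS)

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("phantomcaptcha_clickfix_launch", is_clickfix_launch),
    ("phantomcaptcha_history_disabled", disables_ps_history),
    ("phantomcaptcha_c2_in_cmdline", mentions_c2),
]

def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, n) for i, e in enumerate(events) for n, rule in RULES if rule(e)]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The history-disable check is the most durable of the three, since domains rotate (the write-up already notes zoomconference[.]click registered a day later) while the PSReadline kill switch is a behaviour.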

Reported capabilities include arbitrary remote command execution, live remote access, host fingerprinting, data exfiltration, and potential deployment of additional malware. Related infrastructure included bsnowcommunications[.]com at 185.142.33[.]131 and goodhillsenterprise[.]com associated with 45.15.156[.]24, which researchers assessed with medium confidence as actor-controlled. A follow-on domain, zoomconference[.]click, was registered on October 9, 2025.

Researchers reported overlaps with activity attributed by peers to COLDRIVER / Star Blizzard, a Russian FSB-linked espionage cluster, and multiple summaries note possible links to Russian-owned or Russia-linked infrastructure. However, the reporting also states attribution for PhantomCaptcha remains under investigation and was not confirmed. Infrastructure pivots also identified a likely related Android malware cluster distributed via fake apps, including princess-mens[.]click, with APKs described as collecting contacts, call logs, installed apps, SIM and device/network data, Wi-Fi SSID, location, public IP, and gallery images, and communicating over HTTPS on port 5000 to paths such as /check_update, /data, and /upload.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Star Blizzard

SentinelOne researchers uncovered PhantomCaptcha, a coordinated spear-phishing campaign on October 8, 2025, targeting Ukraine war relief groups... Threat actors used fake emails to deploy a WebSocket-based remote access trojan for command-and-control.

via securityaffairs.com