216.73.217.47

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

· Published 22/10/2025 19:45 · Modified 23/10/2025 13:07

Export JSON

Essential information

Published
22/10/2025 19:45
Modified
23/10/2025 13:07
Tags
2025-10-22 android captcha coldriver ngos powershell spearphishing ukraine websocket rat
Related entities
1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 3 others

Description

A coordinated campaign targeted and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare page to execute malware. The final payload was a enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

External references