In early October, several humanitarian groups and Ukrainian regional governments were targeted in a coordinated spear-phishing attempt designed not just to steal data but to turn their machines into intelligence-gathering tools.

The operation, dubbed PhantomCaptcha by researchers at SentinelLABS, illustrates the evolution of modern cyber conflict — specifically the blending of social engineering, technical sophistication and geopolitical objectives.

“This particular story began through a collaboration with the Digital Security Lab of Ukraine,” Tom Hegel, a threat researcher at SentinelLABS, told TechInformed. “They support individuals and organizations working on issues like documenting war crimes and supporting Ukrainian citizens.”

“They alerted us after one of their users was targeted by suspicious phishing emails, and that’s where our deeper investigation started.”

Weaponized trust

Targets included members of the International Committee of the Red Cross, UNICEF’s Ukraine office, the Norwegian Refugee Council and several Ukrainian regional administrations in Donetsk, Dnipropetrovsk, Poltava and Mykolaiv.

Victims received emails impersonating the Ukrainian president’s office, each carrying an eight-page PDF attachment crafted to resemble an official government communiqué. Embedded inside was a link leading to a fake Zoom meeting page.

The site, hosted on a server owned by a Russian provider, displayed what looked like a standard Cloudflare DDoS protection page — a visual cue that most internet users now instinctively trust.

“What makes this work is simple,” Hegel explained. “People are so used to seeing CAPTCHA challenges that they rarely question them. When something looks familiar, it feels legitimate.”

Victims who clicked the simulated “I’m not a robot” box were shown instructions in Ukrainian telling them to copy a “verification token,” press Windows + R and paste the copied text into the Run dialog. The “token” was, in fact, a hidden PowerShell command that launched the infection chain.

“This is what makes it so effective,” Hegel said. “The malicious code is executed by the user themselves, which helps it evade traditional endpoint controls.”

A three-stage infection

The first stage was a heavily obfuscated PowerShell script, more than 500 KB in size, designed primarily to download the next stage from attacker infrastructure.

This second stage fingerprinted the infected machine, quietly collecting computer and domain names, username, process ID and a unique hardware identifier. It encrypted that data and sent it to a remote server, while also disabling PowerShell history logging to thwart post-incident forensics.

The final payload was a WebSocket-based Remote Access Trojan (RAT) — effectively a remote shell that gave the attackers the ability to execute arbitrary commands, run additional PowerShell code, exfiltrate files and maintain ongoing access.

Six months of silence, one day of action

According to Hegel, the attackers spent months laying the groundwork — registering domains, acquiring SSL certificates, testing malware — only to make the visible infrastructure active for roughly 24 hours on Oct. 8, 2025.

“Sophisticated actors often prepare infrastructure months in advance,” Hegel explained. “They’ll register domains and let them sit dormant. If a domain has existed quietly for six months, it appears more legitimate and is harder to detect.”

Researchers later identified additional “backend” infrastructure that remained active, suggesting a compartmentalized design that protected core command systems even as front-end phishing domains were shut down.

From laptops to phones

During infrastructure analysis, researchers uncovered a troubling second front: a mobile campaign running in parallel.

Domains linked to the phishing operation were serving malicious Android applications disguised as legitimate tools or entertainment apps.

One strain requested extensive permissions and quietly harvested real-time GPS location, contacts, photos, Wi-Fi network names and device and SIM card information.

“This was more dangerous,” Hegel said. “Mobile devices allow much more precise, real-time geolocation tracking.”

In war zones and humanitarian contexts, that kind of data can have physical, life-threatening consequences.

An early warning for business

Although NGOs and Ukrainian institutions were the initial focus, researchers said similar techniques often spread later to enterprise environments.

“These kinds of targets often attract more sophisticated attackers before those same techniques are used against large enterprises,” Hegel said. “In that sense, they act as an early warning signal for what businesses might soon face.”

“Rather than relying on simple indicators like ‘this domain is new,’ organizations should focus on behavioral detection,” he said. “A PDF opens a link to an unusual domain. That domain tries to download code. These chained actions tell a much stronger story.”
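A defender-side illustration of the chained, behavioural detection Hegel describes, written for this page rather than taken from SentinelLABS: it looks for powershell.exe spawned directly by explorer.exe (the parent seen when a user pastes a command into the Run dialog), scores the command line for hidden-window, encoded or download flags, and escalates when the same process then opens a network connection. The Sysmon-style event format, field names and flag patterns are assumptions, and the events are constructed samples.

```python
import re

# Constructed sample telemetry (Sysmon-style process and network events).
# Assumed format; not data from the SentinelLABS report.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1800, "image": "explorer.exe",
     "parent": "winlogon.exe", "cmd": "explorer.exe"},
    # Run-dialog paste: explorer.exe -> hidden, encoded PowerShell
    {"type": "process", "pid": 5210, "ppid": 4120, "image": "powershell.exe",
     "parent": "explorer.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc AAAAAAAAAAAAAAAA"},
    # Same PID reaches out to fetch the next stage
    {"type": "network", "pid": 5210, "image": "powershell.exe",
     "dest": "203.0.113.10", "port": 443},
    # Benign admin script launched the same way; no evasion flags
    {"type": "process", "pid": 6001, "ppid": 4120, "image": "powershell.exe",
     "parent": "explorer.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# Flags and cmdlets typical of pasted one-liners (assumed pattern list).
SUSPICIOUS_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop\b|-ep\s+bypass"
    r"|downloadstring|\biwr\b|invoke-webrequest)", re.I)


def find_run_dialog_chains(events):
    """Return alerts for explorer.exe -> powershell.exe launches whose command
    line carries evasion/download flags. score 1 = suspicious launch only,
    score 2 = launch followed by a network connection from the same PID."""
    shells = {}
    for ev in events:
        if (ev["type"] == "process"
                and ev["image"].lower() == "powershell.exe"
                and ev["parent"].lower() == "explorer.exe"
                and SUSPICIOUS_FLAGS.search(ev["cmd"])):
            shells[ev["pid"]] = {"pid": ev["pid"], "cmd": ev["cmd"],
                                 "network": None, "score": 1}
        elif ev["type"] == "network" and ev["pid"] in shells:
            shells[ev["pid"]]["network"] = f'{ev["dest"]}:{ev["port"]}'
            shells[ev["pid"]]["score"] = 2
    return sorted(shells.values(), key=lambda a: a["pid"])


if __name__ == "__main__":
    for alert in find_run_dialog_chains(SAMPLE_EVENTS):
        print(f'score={alert["score"]} pid={alert["pid"]} '
              f'net={alert["network"]} cmd={alert["cmd"]}')
```

The benign `-File` launch is not reported, which is the point of scoring the chain rather than the single fact that PowerShell ran.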

A new face of conflict

“This is what modern conflict looks like,” Hegel said. “Cyber, drones, surveillance — all interconnected.”

SentinelLABS has not publicly attributed PhantomCaptcha to a named group. However, its report on the operation notes that technical fingerprints, infrastructure choices and targeting patterns point strongly toward Russian-aligned interests.

The campaign was ultimately disrupted before researchers saw evidence of large-scale exploitation. But SentinelLABS said the incident shows how close seemingly routine digital interactions — opening a document, clicking a CAPTCHA, joining a meeting — can come to transforming everyday machines into silent intelligence-gathering assets.
