A sophisticated spearphishing campaign has emerged targeting humanitarian organizations and Ukrainian government agencies, leveraging weaponized PDF attachments and fake Cloudflare verification pages to distribute a dangerous WebSocket-based remote access trojan.

The operation, first uncovered in early October 2025, demonstrates a remarkable level of operational planning and infrastructure compartmentalization, with the threat actors maintaining their campaign for six months before executing their strike.

The campaign specifically targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF, and regional government administrations across Ukraine, using emails impersonating the Ukrainian President’s Office.

When recipients opened the malicious PDF and clicked the embedded link, they were directed to a convincing fake Cloudflare DDoS protection gateway that appeared to be a legitimate security verification page.

The attackers had registered the domain zoomconference.app to mimic a legitimate Zoom conference service, hosting the malicious infrastructure on Russian-owned VPS servers in Finland.

The sophistication of this operation extends beyond its initial deception tactics. SentinelLABS researchers identified that the attackers maintained their infrastructure for only 24 hours before shutting down the public-facing domains while preserving their backend command-and-control servers, demonstrating professional-grade operational security.

The campaign infrastructure timeline revealed the attackers began operations in March 2025, with SSL certificates issued in September, suggesting meticulous preparation before the October strike.

The ClickFix Infection Mechanism and Multi-Stage Payload Delivery

The core of PhantomCaptcha’s effectiveness lies in its implementation of the ClickFix social engineering technique, a method increasingly adopted by threat actors since mid-2024.

After the fake Cloudflare page loads, victims encounter a simulated reCAPTCHA interface with an “I’m not a robot” checkbox.

Clicking this checkbox triggers a popup containing instructions written in Ukrainian, directing users to copy a token and paste it into the Windows Run dialog using the keyboard shortcut Windows+R.

This seemingly innocuous action executes malicious PowerShell code that initiates the infection chain.

The underlying mechanism relies on a JavaScript function named copyToken() that downloads and executes a PowerShell script.

The attackers distributed three stages of payloads, beginning with a heavily obfuscated 500KB PowerShell downloader that obscured simple download functionality through massive code obfuscation techniques.

The second stage performed comprehensive system reconnaissance, collecting computer names, domain information, usernames, process IDs, and hardware identifiers through system UUID retrieval, encrypting this data using a hardcoded XOR key before transmission.

The final payload delivered a WebSocket-based remote access trojan capable of receiving arbitrary commands encoded in Base64-formatted JSON messages.

This lightweight backdoor connected to remote servers and executed commands using PowerShell’s Invoke-Expression cmdlet, granting attackers complete remote command execution capabilities and data exfiltration access.

The malware disabled PowerShell command history logging to prevent forensic analysis, representing a deliberate effort to cover operational tracks while maintaining persistent access to compromised systems.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PhantomCaptcha RAT Weaponized PDFs to Deliver Malware Using ‘ClickFix’-Style Cloudflare Captcha Pages appeared first on Cyber Security News.

Email phishing attacks have reached a critical inflection point in 2025, as threat actors deploy increasingly sophisticated evasion techniques to circumvent traditional security infrastructure and user defenses.

The threat landscape continues to evolve with the revival and refinement of established tactics that were once considered outdated, combined with novel delivery mechanisms that exploit gaps in both automated scanning and human vigilance.

Security researchers have documented a marked increase in phishing campaigns that leverage PDF attachments as a primary attack vector, representing a significant shift from conventional hyperlink-based phishing.

Instead of embedding direct phishing links within email bodies, attackers now employ QR codes embedded within PDF documents, a technique that serves dual purposes: evading email filter detection while simultaneously encouraging users to scan codes on mobile devices that typically lack the robust security safeguards present on workstations.

Securelist analysts and researchers noted that PDF-based attacks have evolved further to incorporate encryption and password protection mechanisms.

The passwords may be included within the email itself or transmitted through separate communications, deliberately complicating rapid file scanning by security systems.

From a psychological perspective, this approach lends an air of legitimacy to the malicious communications, mimicking enterprise security protocols and consequently inspiring greater user trust in the fraudulent messages.

Beyond PDF-based attacks, threat actors have reinvigorated calendar-based phishing campaigns that had largely disappeared after 2019.

These attacks function by inserting phishing links within calendar appointment descriptions rather than email bodies, exploiting the fact that calendar applications send reminder notifications that often bypass initial security review processes.

This technique has been particularly effective in targeting business-to-business environments and office workers in 2025.

Advanced Detection Evasion and Multi-Factor Authentication Bypass

The sophistication of phishing infrastructure has reached unprecedented levels, with attackers implementing multi-layered verification systems designed to evade security bots and automated threat detection.

One prominent technique involves deploying CAPTCHA verification chains that repeatedly challenge users to prove their humanity before accessing credential harvesting forms.

These mechanisms serve to frustrate automated analysis while maintaining accessibility for legitimate users.

Researchers identified particularly sophisticated attacks targeting cloud storage services, where malicious pages interact with legitimate APIs in real-time.

These advanced phishing sites relay user credentials to authentic services, creating dynamic verification processes that mirror legitimate authentication flows perfectly.

When users enter credentials on phishing pages, the site communicates directly with the real service, providing genuine error messages and multi-factor authentication prompts.

This approach allows attackers to harvest both passwords and one-time authentication codes, effectively bypassing modern security protections.

The credential harvesting mechanisms themselves have become remarkably convincing, with attackers creating pixel-perfect replicas of legitimate login interfaces, complete with identical branding, default folders, and system imagery.

Once victims have been compromised, attackers gain full account access with minimal detection risk. Organizations must implement comprehensive security training programs while deploying enterprise-grade email filtering solutions capable of detecting these evolving attack methodologies.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Advancing Email Phishing Attacks to Bypass Security Filters appeared first on Cyber Security News.