{"id":223805,"date":"2025-10-23T04:15:50","date_gmt":"2025-10-23T09:15:50","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/10\/ukraine-aid-groups-targeted-through-fake-zoom-meetings-and-weaponized-pdf-files"},"modified":"2025-10-23T04:15:50","modified_gmt":"2025-10-23T09:15:50","slug":"ukraine-aid-groups-targeted-through-fake-zoom-meetings-and-weaponized-pdf-files","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/10\/ukraine-aid-groups-targeted-through-fake-zoom-meetings-and-weaponized-pdf-files","title":{"rendered":"Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files"},"content":{"rendered":"

<\/a><\/p>\n

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha<\/strong> targeting organizations associated with Ukraine\u2019s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).<\/p>\n

The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children\u2019s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe\u2019s Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said<\/a> in a new report published today.<\/p>\n

The phishing emails have been found to impersonate the Ukrainian President\u2019s Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site (\u201czoomconference[.]app\u201d) and tricks them into running a malicious PowerShell command via a ClickFix<\/a>-style<\/a> fake Cloudflare CAPTCHA page under the guise of a browser check.<\/p>\n","protected":false},"excerpt":{"rendered":"

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine\u2019s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2). The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,1490],"tags":[],"class_list":["post-223805","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-government"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/223805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=223805"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/223805\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=223805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=223805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=223805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}