PhantomCaptcha RAT Uses Weaponized PDFs and “ClickFix” Cloudflare CAPTCHA Pages to Deliver Malware


By Mayura Kathir

A sophisticated spearphishing campaign has targeted humanitarian organizations working on Ukrainian war relief efforts, employing weaponized PDFs and fake Cloudflare CAPTCHA pages to deploy a custom remote access trojan.

The PhantomCaptcha campaign, launched on October 8th, 2025, specifically targeted individual members of the International Committee of the Red Cross, United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, and Council of Europe’s Register of Damage for Ukraine.

Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions also received malicious communications disguised as legitimate governmental documents.

SentinelLABS and the Digital Security Lab of Ukraine uncovered the coordinated attack, which impersonated the Ukrainian President’s Office to compromise critical aid organizations.

Threat actors distributed an eight-page weaponized PDF (SHA-256: e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3) through emails impersonating Ukraine’s Presidential Office.

VirusTotal submissions revealed that the malicious file was uploaded from multiple countries, including Ukraine, India, Italy, and Slovakia ...


Copyright of this story solely belongs to gbhackers.