EXECUTIVE SUMMARY:
A focused spearphishing campaign targeted organisations supporting wartime relief efforts by delivering a weaponized PDF that lured recipients to a convincing browser verification page. The decoy instructed users to copy and paste a clipboard token which, when executed, launched a multi-stage PowerShell chain leading to the deployment of the PhantomCaptcha RAT. The operation was notable for its precise timing and selectivity — with public lure infrastructure active only briefly while backend servers remained available to manage compromised hosts. The campaign combined language-specific social engineering, minimal exposure time, and compartmentalised tooling to reduce forensic visibility and maximise successful intrusions within a short operational window.
The attack workflow relied on user-initiated execution to bypass automated defences: victims were prompted to paste a clipboard command that ran an obfuscated PowerShell downloader. This downloader retrieved a second script used for reconnaissance and system profiling, disabled local PowerShell logging, and fetched an encrypted in-memory payload. The final stage deployed the PhantomCaptcha Remote Access Trojan (RAT) — a lightweight WebSocket-based backdoor that accepted Base64/JSON commands, executed shell and PowerShell instructions, and returned output along with host identifiers. The RAT provided the attackers with remote control, file management, and data-exfiltration capabilities. Additionally, a mobile variant was discovered, packaged as an Android application that gathered device information, location data, contacts, and media, broadening the threat’s operational scope beyond traditional Windows systems.
The PhantomCaptcha RAT campaign demonstrates the effectiveness of human-driven execution paired with stealthy, memory-resident tooling. By activating lure infrastructure for only a short duration while maintaining persistent backend access, the operators achieved both stealth and sustained control. Although definitive attribution remains unclear, operational patterns suggest a sophisticated and reconnaissance-oriented threat actor. Defenders should educate users to avoid executing clipboard instructions, enforce PowerShell restrictions and application allow-listing, maintain remote log aggregation, and monitor for anomalous WebSocket traffic or unusual mobile permissions. The campaign highlights that well-crafted social engineering combined with a modular RAT remains an efficient method for targeted espionage and data theft.
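The detection guidance above maps onto three observable stages of the chain: a PowerShell one-liner launched by the user's interactive shell, a script block that turns PowerShell logging off, and a WebSocket upgrade to a host nobody expected. The following Python is an added example written for this summary, not tooling from the report or from the campaign itself. It walks a handful of constructed event records (process creation, script block, and proxy HTTP) and raises a finding per stage, then correlates findings per host so that a machine showing several stages stands out. The parent-process heuristic (explorer.exe), the registry path used for the logging-tamper check, the field layout of the events, and the hostnames are all assumptions made for the demo; the report does not state how the paste was executed or exactly how logging was disabled.

```python
"""
Added example (not from the original report): heuristic detection of the
three stages the executive summary describes, run over constructed events.
Field names, hostnames, the allow-list and the sample records are made up;
real input would be a SIEM export of 4688 / 4104 / proxy records.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    stage: str
    detail: str


# Stage 1: PowerShell started from an interactive shell with flags typical of
# a pasted one-liner. Parent process and flag set are assumptions about how
# "paste a clipboard command" shows up in process-creation telemetry.
PASTED_PS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:"
    r"w(?:indowstyle)?\s+hidden"                        # -w hidden
    r"|nop(?:rofile)?\b"                                # -nop
    r"|e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"  # -enc <base64>
    r")"
)
INTERACTIVE_PARENTS = {"explorer.exe"}

# Stage 2: script text that sets the ScriptBlock/Module logging policy to 0.
# The registry location is the standard policy key; the report does not name
# the exact mechanism, so treat this pattern as one assumed variant.
LOG_TAMPER = re.compile(
    r"(?i)(?:Set-ItemProperty|New-ItemProperty|reg(?:\.exe)?\s+add)[^\n]*"
    r"(?:ScriptBlockLogging|ModuleLogging)[^\n]*"
    r"(?:EnableScriptBlockLogging|EnableModuleLogging)[^\n]*\b0\b"
)

# Stage 3: WebSocket upgrade to a destination outside a constructed allow-list.
KNOWN_WEBSOCKET_HOSTS = {"teams.microsoft.com", "slack.com"}


def check_process(ev):
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "")
    if (parent in INTERACTIVE_PARENTS
            and "powershell" in ev.get("image", "").lower()
            and PASTED_PS_FLAGS.search(cmd)):
        return Finding(ev["host"], "user-executed-downloader", cmd)
    return None


def check_scriptblock(ev):
    m = LOG_TAMPER.search(ev.get("script_block", ""))
    return Finding(ev["host"], "logging-tamper", m.group(0)) if m else None


def check_http(ev):
    headers = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
    dest = ev.get("dest_host", "").lower()
    if headers.get("upgrade") == "websocket" and dest not in KNOWN_WEBSOCKET_HOSTS:
        return Finding(ev["host"], "unexpected-websocket", dest)
    return None


CHECKS = {"process": check_process, "scriptblock": check_scriptblock, "http": check_http}


def analyse(events):
    """Return one Finding per event that trips a stage heuristic, in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def chain_hosts(findings, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages fired; a multi-stage
    hit on one host is far more significant than any single heuristic."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.stage)
    return sorted(h for h, stages in by_host.items() if len(stages) >= min_stages)


# Constructed sample events. The encoded command is a harmless placeholder
# built at runtime so the detector sees a realistic-looking -enc argument.
_PLACEHOLDER_ENC = base64.b64encode("Write-Host sample".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-RELIEF-07",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -w hidden -nop -ep bypass -enc {_PLACEHOLDER_ENC}"},
    {"type": "scriptblock", "host": "WS-RELIEF-07",
     "script_block": ('Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows'
                      '\\PowerShell\\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 0')},
    {"type": "http", "host": "WS-RELIEF-07",
     "dest_host": "cdn-verify.example.invalid",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"type": "process", "host": "ADMIN-01",          # benign: scheduled script from a console
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"type": "http", "host": "ADMIN-01",             # benign: allow-listed collaboration service
     "dest_host": "teams.microsoft.com", "headers": {"Upgrade": "websocket"}},
]

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.stage} -> {f.detail[:60]}")
    print("hosts with a multi-stage chain:", chain_hosts(found))
```

Each heuristic on its own will produce noise on a real estate (administrators do run hidden, encoded PowerShell), which is why the per-host correlation in `chain_hosts` is the part worth alerting on: the report's chain is sequential, so the same host tripping the user-execution, logging-tamper and WebSocket checks within a short window is the signal, and the individual findings are the supporting context. Note also that a host that succeeds in disabling local logging will stop emitting 4104 records afterwards, which is the reason the summary recommends remote log aggregation rather than relying on the endpoint's own event log.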
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Reconnaissance | T1589.002 | Gather Victim Identity Information | Email Addresses |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defence Evasion | T1027 | Obfuscated Files or Information | — |
| Defence Evasion | T1562.002 | Impair Defenses | Disable Windows Event Logging |
| Credential Access | T1056 | Input Capture | — |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Execution | E1204 | User Execution |
| Execution | B0011 | Remote Commands |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Communication Micro-objective | C0002 | HTTP Communication |
REFERENCES:
The following reports contain further technical details: