UNICEF, the International Committee of the Red Cross, and other organizations part of the Ukraine war relief effort, as well as Ukrainian regional government administration members, have been subjected to a one-day spear-phishing attack spreading the WebSocket RAT malware, according to BleepingComputer.
Threat actors behind the PhantomCaptcha ClickFix campaign distributed Ukrainian President's Office-spoofing emails with illicit PDF attachments that included a link redirecting to a fraudulent Zoom domain, a report from SentinelOne SentinelLabs researchers revealed.
Clicking on the link also facilitated the creation of a client identifier delivered to the attacker's server that could allow live social engineering calls with targets, who were also lured to complete bogus CAPTCHA verification and copy-paste a "token" in Windows Command Prompt.
Such action then triggered PowerShell command execution, running a script that eventually led to WebSocket RAT deployment. WebSocket RAT enabled the exfiltration of real-time location, contact lists, call logs, and images.
The findings come after Russian state-backed hacking group ColdRiver was reported by Google Threat Intelligence Group researchers to have used fake CAPTCHA challenges to deliver new malware strains.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds