PhantomCaptcha RAT targets humanitarian efforts with weaponized PDFs and fake CAPTCHA pages.
A sophisticated spearphishing campaign, dubbed PhantomCaptcha, has targeted humanitarian organizations aiding Ukrainian war relief, employing weaponized PDFs and counterfeit Cloudflare CAPTCHA pages to deploy a remote access trojan (RAT). Initiated on October 8, 2025, the campaign impersonated communications from Ukraine’s Presidential Office, successfully distributing malware through deceptive emails. The attackers utilized advanced social engineering techniques, prompting victims to execute malicious scripts themselves, thereby bypassing traditional security measures. The campaign's infrastructure revealed connections to potential Russian state-sponsored threat actors, highlighting the ongoing cyber warfare tactics aimed at destabilizing humanitarian efforts. This incident underscores the pressing need for enhanced cybersecurity measures within critical sectors, especially amid geopolitical tensions.
