Ukraine and CERT-UA Document Sandworm CAPTCHA-PowerShell Trick Targeting Ukrainian Users
Another Sandworm-attributed technique lands from CERT-UA — end-user awareness and defender posture review this week for Ukraine-adjacent organizations.
Another Sandworm-attributed technique lands from CERT-UA — end-user awareness and defender posture review this week for Ukraine-adjacent organizations.
KYIV — CERT-UA, the Computer Emergency Response Team of Ukraine, on or about July 16, 2026 documented a technique used by the Russia-linked Sandworm cluster in which Ukrainian users are presented with a fake CAPTCHA and, instead of completing a normal human-verification check, are reportedly instructed to paste a PowerShell command into their Windows systems. According to reporting by The Record, the fake verification page asks the person to run a command themselves rather than to prove they are human in the usual way. The core of the disclosure is behavioral: a deception that is recognizable at the moment of contact, and one that any everyday user can be taught to refuse.
The framing here is defender-facing rather than a breach narrative. CERT-UA's documentation describes a method, an attributed actor, and an audience, and it lands inside a dense, well-documented run of Russia-linked activity that The CyberSignal has tracked across espionage tooling, infrastructure advisories, and formal attributions. What is confirmed is the pattern and the attribution as stated; the specific command delivered, the number of people affected, and several other details are not established at the time of this report.
What CERT-UA Documented
According to reporting by The Record, CERT-UA documented a technique attributed to the Sandworm cluster in which a target encounters what looks like a routine CAPTCHA — the everyday human-verification prompt people expect to click through on the web — but the page reportedly instructs the user to paste a PowerShell command instead of verifying they are human. The essential move is that the person is walked through running a command on their own Windows machine, so the technique depends on the user's own trusted action rather than on an exotic vulnerability or a silent exploit.
Two things make this worth documenting for defenders. First, the deception is legible: it asks the user to do something a genuine CAPTCHA never asks for. A real human-verification step does not require anyone to open a terminal, copy text, and execute it. That single tell is the whole defense, and it is teachable in one sentence. Second, the attribution matters. CERT-UA associated the activity with Sandworm, a long-tracked Russia-linked cluster, which places a consumer-style trick inside a state-level threat picture rather than a run-of-the-mill scam.
The CyberSignal is reporting the technique as CERT-UA documented it and as The Record described it. In keeping with responsible coverage, this article does not reproduce or reconstruct the command or the payload — the point for end users and defenders is the shape of the lure and the action it solicits, not a recipe. Several specifics remain unconfirmed, including the exact command delivered, how many people encountered or acted on the lure, and whether CERT-UA has issued a formal public advisory as opposed to documenting the technique through other channels.
Continuation Context: STOCKSTAY, CERT-UA Phishing, and Recent Russia Attributions
This disclosure does not stand alone. It is the latest entry in a Russia-linked thread The CyberSignal has followed closely. In late June, Google Threat Intelligence Group and Mandiant detailed Turla's STOCKSTAY backdoor used against Ukrainian government and military targets, a modular .NET implant delivered through phishing and compromised infrastructure. Around the same window, CERT-UA and Ukraine's Security Service, working with the FBI, documented a Russian-intelligence campaign phishing messaging-app credentials through fake support texts. The CAPTCHA-PowerShell trick sits alongside those as another user-facing social-engineering method aimed at Ukrainian targets.
It also arrives amid a same-week cadence of allied signaling on Russia-linked activity. In mid-July, the United States, the United Kingdom, and allies issued a joint advisory warning that Russian state-linked actors are targeting critical-infrastructure routers, and the EU and UK formally attributed a cyberattack on Poland's power grid to Russia's Turla cluster. Earlier, Germany publicly blamed Russia for Signal phishing aimed at members of parliament. Read together, these are not isolated headlines but a sustained posture of naming and warning across espionage, infrastructure, and social-engineering fronts.
Sandworm and Turla are distinct clusters with different documented histories — Turla, whose Kazuar lineage reflects a patient espionage bent, is not the same operator as Sandworm — but both fall within the broader Russia-linked activity that Western governments and researchers keep placing near the top of their assessments. For defenders, the value of the continuity is prioritization: an organization with any nexus to Ukraine's government, military, or partners has a concrete reason to weight this thread in its threat model rather than to treat each disclosure as a one-off.
Defender-Team End-User Awareness for Ukraine-Adjacent Organizations
The defensive lesson here is unusually clean because the technique depends on a single human action. A legitimate CAPTCHA is a click, a checkbox, or an image selection; it never asks anyone to open a terminal, paste text, and run it. Teaching users that one rule — no real verification step ever asks you to run a command — closes the path this technique relies on. The awareness message should name the specific deception rather than offer generic anti-phishing advice, because the lure does not arrive as a suspicious link to hover over; it arrives as an instruction to perform an action the user believes is routine.
For teams supporting Ukrainian or Ukraine-adjacent organizations, the concrete steps map directly onto the method. Reinforce that copy-and-run instructions presented by any web page are hostile by default, regardless of how official or routine the page looks. Where operational needs allow, consider constraining or monitoring PowerShell use for standard users, since a paste-and-run technique is far less effective on systems where an ordinary user cannot readily invoke an interactive command interpreter, or where such invocations generate a reviewable signal. Endpoint telemetry that surfaces unexpected PowerShell launches originating from a browser-driven workflow is a durable detection that outlasts any single lure.
The broader point is that user-facing tricks of this shape are not unique to one actor. Paste-a-command and fake-verification social engineering has appeared across multiple campaigns, and CERT-UA's documentation of a Sandworm-attributed version is a reminder to treat the pattern, not just the sample, as the thing to defend against. Whether this specific technique overlaps with any particular named pattern is not confirmed here; what defenders can act on is the behavior — a verification page that asks a Windows user to run a command is a red flag on its own.
Open Questions
Several points remain genuinely open, and the reporting's own restraint is the reason. The specific PowerShell command or payload delivered through the lure is not something this article establishes or reproduces, and the total number of people who encountered or acted on the fake CAPTCHA is not quantified in the material available. Whether the technique overlaps with any specific, separately named social-engineering pattern is likewise unconfirmed, and should be treated as an open question rather than an assumed equivalence.
It is also not confirmed whether CERT-UA issued a formal public advisory on this technique or documented it through other channels, and the distinction matters for defenders deciding how authoritative and complete the guidance is. The CyberSignal is attributing the CAPTCHA-PowerShell technique and the Sandworm association to CERT-UA as reported by The Record, and is not asserting details beyond what has been documented.
What is confirmed is enough to act on now. CERT-UA has documented a Sandworm-attributed technique that shows Ukrainian users a fake CAPTCHA and reportedly steers them into pasting a PowerShell command on their Windows systems, and it lands inside a well-established run of Russia-linked activity aimed at Ukrainian targets. For any Ukraine-adjacent organization, the prudent reading is to assume the lure is in circulation, to teach users that no verification step ever asks them to run a command, and to review whether unexpected PowerShell activity would be visible before, not after, it matters.
The CyberSignal Analysis
The reported facts above are CERT-UA's and the outlet that covered the documentation; what follows is The CyberSignal's editorial reading of what Ukraine-adjacent organizations and the teams that support them should take from them. None of the judgments below are new reported facts.
Signal 01 — The User Is the Execution Engine, and That Is the Whole Point
The most important feature of this technique is that it does not need a vulnerability. By dressing the lure as a CAPTCHA and asking the target to paste and run a command, the method borrows the user's own trust and privileges instead of breaching anything. Our reading is that defenders should treat this class of trick as a human-layer problem first: the control surface is what a user believes is a normal action, not a patch level or a firewall rule.
That reframing changes where the defensive effort goes. Because the person is the one running the command, the highest-leverage controls are the ones that make the deception legible and the action harder to complete — clear, specific user guidance that no verification step ever asks for a command, paired with endpoint constraints and telemetry around interactive command execution. Chasing the exact lure page or command string is a losing race; teaching the tell and instrumenting the behavior is the durable move.
Signal 02 — A Consumer-Style Trick With a State-Level Return Address
It would be easy to file a fake CAPTCHA under low-grade scam territory, but CERT-UA's association of the technique with Sandworm places it in a different bracket. Our assessment is that the significance is precisely the mismatch: a mundane, consumer-familiar lure being used by a Russia-linked cluster against Ukrainian users means the same deception patterns most people associate with adware and fraud are now part of a state-aligned toolkit.
For defenders, the practical consequence is that user-awareness training and nation-state threat modeling are no longer separate conversations for Ukraine-adjacent organizations. The person most likely to encounter this lure is an ordinary user, not a specialist, which means the front line of a state-linked technique is the general workforce. Weighting basic, specific awareness for that audience is not a soft control here — it is the control that most directly addresses the documented method.
Signal 03 — Read It as One More Beat in a Sustained Russia-Linked Cadence
This documentation did not arrive in isolation. It sits beside Turla's STOCKSTAY disclosure, a CERT-UA credential-phishing finding, a joint allied router advisory, and a formal EU/UK attribution over Poland's power grid — all within a compressed window. Our reading is that the cadence itself is the signal: Russia-linked activity against Ukraine and its partners is being documented and named across multiple fronts, quickly and repeatedly.
The forward-looking interpretation is that Ukraine-adjacent defenders benefit most when they connect these dots rather than react to each in isolation. An organization that treats the espionage tooling, the credential phishing, the infrastructure advisories, and this social-engineering technique as one body of Russia-focused guidance can build a coherent threat model and posture, instead of a series of one-week spikes in attention that fade with each news cycle.