A previously undocumented cyber threat actor has been tied to malware attacks against Ukrainian organizations using a strain known as CANFAIL, according to Google Threat Intelligence Group (GTIG).
GTIG notes that this group is likely connected to Russian intelligence services and has primarily targeted defense, military, government, and energy entities within Ukraine at both regional and national levels.
The actor has also expanded focus to aerospace organizations, manufacturing firms involved with military and drone technology, nuclear and chemical research institutions, and international organizations monitoring conflicts or providing humanitarian aid in Ukraine.

“Although less sophisticated and resource-limited compared to other Russian threat groups, this actor has recently leveraged large language models (LLMs) to overcome some technical constraints,” GTIG explained. “They use prompting for reconnaissance, crafting social engineering lures, and solving basic technical challenges related to post-compromise operations and command-and-control infrastructure setup.”
Attack Tactics and Techniques
- Phishing Campaigns: The group impersonates legitimate Ukrainian national and local energy organizations to access both organizational and personal email accounts.
- Masquerading Operations: They have posed as a Romanian energy company servicing Ukraine, targeting Romanian firms, and conducting reconnaissance on Moldovan organizations.
- Email and Lure Creation: Customized email lists are generated per region and industry using LLM research, embedding Google Drive links that point to RAR archives containing CANFAIL malware.
- CANFAIL Malware Characteristics: Disguised with double extensions (*.pdf.js), CANFAIL is an obfuscated JavaScript malware that executes a PowerShell script to deploy a memory-only PowerShell dropper while displaying a fake error message to the victim.
- PhantomCaptcha Connection: GTIG linked the actor to the PhantomCaptcha campaign, previously reported by SentinelOne SentinelLABS in October 2025. This campaign targeted Ukrainian war relief organizations using phishing emails that direct recipients to fake pages with ClickFix-style instructions, delivering a WebSocket-based trojan.
Google emphasizes that this emerging actor represents a growing threat vector in the Ukrainian cyber landscape, combining social engineering, malware sophistication, and AI-assisted reconnaissance to expand operational reach.
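A defender-side triage check for the delivery chain described in the list above (Google Drive link, RAR archive, double-extension *.pdf.js script), written for this page as an added example rather than code from GTIG or the article; the record schema, field names and sample records are constructed assumptions, not real campaign data.

```python
import re

# Final extensions Windows runs through WScript or PowerShell on double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat"}
# Inner "document" extensions used to make such a script look harmless.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
DRIVE_URL = re.compile(r"https?://drive\.google\.com/", re.I)

def is_double_extension_script(name: str) -> bool:
    """True for names like zvit.pdf.js: a document extension hiding a script extension."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DOC_EXTS

def triage_record(record: dict) -> tuple[str, list[str]]:
    """Score one constructed gateway record against the CANFAIL delivery chain.
    Assumed schema: 'urls' = links in the body, 'attachments' = attached file names,
    'fetched_files' = names obtained by following links and unpacking archives in a sandbox."""
    hits = []
    if any(DRIVE_URL.search(u) for u in record.get("urls", [])):
        hits.append("google_drive_link")
    files = record.get("attachments", []) + record.get("fetched_files", [])
    if any(f.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTS for f in files):
        hits.append("archive_delivery")
    masked = [f for f in files if is_double_extension_script(f)]
    if masked:
        hits.append("double_extension_script:" + ",".join(masked))
    # All three together reproduce the chain the article describes; a masqueraded
    # script on its own still deserves analyst attention.
    verdict = "high" if len(hits) == 3 else "medium" if masked else "low"
    return verdict, hits

# Constructed sample records, not real campaign data.
SAMPLES = {
    "canfail_like": {
        "urls": ["https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID"],
        "attachments": [],
        "fetched_files": ["Zvit_2025.rar", "Zvit_2025/Zvit_2025.pdf.js"],
    },
    "benign": {
        "urls": ["https://example.org/report"],
        "attachments": ["report.pdf"],
        "fetched_files": [],
    },
}
```

Feeding real gateway or sandbox records through `triage_record` only needs them mapped onto the three assumed fields; the verdict thresholds are a starting point to tune against local false-positive rates.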