Google Links Suspected Russian Actor to CANFAIL Malware Targeting Ukrainian Entities

Google's Threat Intelligence Group has attributed a series of CANFAIL malware attacks against Ukrainian organizations to a previously undocumented hacking group that is potentially linked to Russian intelligence.

Google’s Threat Intelligence Group (GTIG) has identified a previously undocumented threat actor believed to be connected to Russian intelligence services, which has been targeting various Ukrainian organizations with malware known as CANFAIL. This group has focused its efforts on defense, military, government, and energy sectors within Ukraine, while also showing interest in aerospace, manufacturing, and international humanitarian organizations.

Targeted Sectors and Techniques

GTIG noted that, despite being less sophisticated than other Russian threat groups, this actor has begun to leverage large language models (LLMs) to support its operations. The actor uses these models for reconnaissance, for drafting social engineering lures, and for answering basic technical questions that arise during post-compromise activity and command-and-control (C2) infrastructure setup.

Phishing Campaigns and Malware Delivery

The threat actor has conducted phishing campaigns that involve impersonating legitimate Ukrainian energy organizations to gain unauthorized access to both organizational and personal email accounts. Additionally, they have posed as a Romanian energy company and targeted Romanian and Moldovan entities for reconnaissance purposes.

To facilitate these attacks, the group generates email address lists tailored to specific regions and industries. The attack chains typically feature LLM-generated lures and include Google Drive links that lead to a RAR archive containing the CANFAIL malware. This malware is often disguised with a double extension to appear as a PDF document (*.pdf.js) and is designed to execute a PowerShell script that downloads and runs a memory-only PowerShell dropper while displaying a fake error message to the victim.
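The delivery chain above hinges on a filename trick: a script carrying a `.pdf.js` double extension, packed inside a RAR archive, so that a recipient who does not see the final extension takes it for a PDF. A mail gateway or sandbox that lists archive members before the user opens them can flag exactly that pattern. The following is an added example written for this article, not code from Google, GTIG, or the reporting it summarizes; the extension lists and the sample archive listing are constructed assumptions, and the check generalizes beyond the single `.pdf.js` case the article mentions to any script extension hidden behind a document-style extension.

```python
"""Flag archive members whose name hides a script behind a document extension.

Added example for this article (not GTIG's or the article's own code).
The extension sets below are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Extensions Windows treats as executable script or program files when opened.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat", "scr", "exe"}
# Document-style extensions a lure borrows so the file looks harmless.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


@dataclass(frozen=True)
class Finding:
    member: str
    severity: str  # "high" for a masquerading double extension, "medium" for a bare script
    reason: str


def classify_member(member: str) -> Finding | None:
    """Return a Finding for a suspicious archive member name, or None if it looks benign."""
    # Drop any directory prefix, normalise case, and ignore trailing whitespace padding.
    base = member.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip()
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    final = parts[-1]
    if final not in SCRIPT_EXTENSIONS:
        return None  # the file is not something Windows would execute as a script
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        # The classic lure shape: document.pdf.js, invoice.docx.vbs, and so on.
        return Finding(member, "high", f"'.{parts[-2]}' document extension masks a '.{final}' script")
    # A bare script inside a mailed archive is unusual enough to deserve a look.
    return Finding(member, "medium", f"script file '.{final}' inside an archive attachment")


def triage_archive(members: list[str]) -> list[Finding]:
    """Run classify_member over an archive listing and keep only the hits."""
    return [finding for m in members if (finding := classify_member(m)) is not None]


# Constructed sample listing of a RAR archive; these names are invented for the example.
SAMPLE_MEMBERS = [
    "Energy_tender_2025.pdf.js",
    "contract.pdf",
    "photos/IMG_001.jpg",
    "update.js",
    "notes.docx",
]

if __name__ == "__main__":
    for f in triage_archive(SAMPLE_MEMBERS):
        print(f"[{f.severity}] {f.member}: {f.reason}")
```

Run against the sample listing, the check reports `Energy_tender_2025.pdf.js` as high severity and `update.js` as medium, and passes the three document and image files. In practice the member list comes from whatever archive library or sandbox the gateway already uses; the classification is deliberately independent of that so it can sit in front of any of them.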

Connection to Previous Campaigns

Google has also linked this threat actor to a campaign named PhantomCaptcha, which was previously disclosed by SentinelOne SentinelLABS in October 2025. This campaign targeted organizations involved in Ukraine’s war relief efforts through phishing emails that directed recipients to fraudulent pages containing ClickFix-style instructions to initiate the infection sequence and deliver a WebSocket-based trojan.

As of now, specific details regarding the full scope of the attacks, the number of affected organizations, and the overall impact remain unclear. Ongoing monitoring and analysis will be essential to understand the evolving tactics of this threat actor.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
