Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

Ravie Lakshmanan | Feb 13, 2026 | Threat Intelligence / Malware


A new threat actor has emerged, targeting Ukrainian organizations with a malware named CANFAIL.

Google Threat Intelligence Group (GTIG) assesses that the group is possibly connected to a Russian intelligence service. The actor has focused on defense, military, government, and energy organizations at the regional and national level of the Ukrainian government.

In addition to these targets, the group has shown interest in aerospace organizations, manufacturing companies with military and drone affiliations, nuclear and chemical research institutions, as well as international organizations involved in conflict monitoring and humanitarian aid efforts in Ukraine, according to GTIG.

GTIG stated, "Despite facing technical limitations, this actor has started using LLMs [large language models] to enhance their operations."

"They use these models for reconnaissance, social engineering lures, and setting up post-compromise activities and command-and-control infrastructure," GTIG explained.

Recent phishing attempts by the threat actor involve impersonating legitimate national and local Ukrainian energy organizations to gain unauthorized access to email accounts.


The group has also posed as a Romanian energy company working with Ukrainian customers, targeted a Romanian firm, and conducted reconnaissance on Moldovan organizations.

To facilitate their attacks, the threat actor builds customized email lists based on research into specific regions and industries. The attack chain combines LLM-generated lures with Google Drive links that lead to a RAR archive containing the CANFAIL malware.

CANFAIL is an obfuscated JavaScript file that uses a double extension to pose as a PDF document (*.pdf.js). When opened, it launches a PowerShell script that downloads and runs a memory-only PowerShell dropper, while displaying a fake error message to the victim.
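The delivery chain described above leaves two defender-visible traces: a document-named attachment that actually carries a script extension, and a Windows script host (wscript.exe or cscript.exe) spawning PowerShell with a hidden, in-memory download-and-run command line. The following Python script is an added example written for this article, not code from Google or from the report it summarizes. It runs simple detection rules over a handful of constructed mail-gateway and process-creation log lines; the log format, field names, sender addresses and command lines are all made up for illustration, and the PowerShell indicators are generic download-cradle patterns rather than anything specific to CANFAIL.

```python
"""Flag a CANFAIL-style delivery chain in sample logs (added example, constructed data)."""
import re
from dataclasses import dataclass

# A document-looking extension followed by a script extension, e.g. report.pdf.js.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1"}

# Script hosts that run a .js/.vbs payload when the user double-clicks it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Generic PowerShell indicators of a hidden, in-memory download-and-execute stage.
CRADLE_RE = re.compile(
    r"(downloadstring|invoke-expression|\biex\b|-enc\b|-encodedcommand"
    r"|-w(indowstyle)?\s+hidden|frombase64string)",
    re.I,
)


@dataclass
class Finding:
    rule: str
    detail: str


def is_double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.js: a document extension hidden in front of a script extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in SCRIPT_EXTS


def parse_log(line: str) -> dict:
    """Parse constructed key=value log lines; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def scan(lines) -> list:
    """Apply the two rules to every log line and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_log(line)
        if ev.get("type") == "mail" and is_double_extension(ev.get("attachment", "")):
            findings.append(Finding("double_extension_attachment", ev["attachment"]))
        if ev.get("type") == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "")
            if parent in SCRIPT_HOSTS and image.endswith("powershell.exe"):
                # A script host launching PowerShell is suspicious on its own;
                # a download cradle in the command line makes it high confidence.
                rule = "script_host_spawns_powershell"
                if CRADLE_RE.search(cmd):
                    rule = "script_host_powershell_download_cradle"
                findings.append(Finding(rule, cmd))
    return findings


# Constructed sample telemetry: one malicious mail, one benign mail,
# one malicious process chain and two benign ones.
SAMPLE_LOGS = [
    'type=mail from=billing@energy-supplier.invalid attachment="invoice_2026.pdf.js"',
    'type=mail from=hr@example.invalid attachment="agenda.pdf"',
    'type=process parent=wscript.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"',
    'type=process parent=explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell Get-ChildItem"',
    'type=process parent=wscript.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c echo done"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.detail}")
```

Running the script reports the double-extension attachment and the wscript.exe-to-PowerShell chain with the hidden encoded command, and stays silent on the benign PDF, the user-launched PowerShell and the script host that only ran cmd.exe. In a real environment the same two rules map onto mail-gateway attachment policy (block or quarantine document-named script files) and EDR parent-child process telemetry.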

Google also mentioned the threat actor’s involvement in a campaign named PhantomCaptcha, revealed by SentinelOne SentinelLABS in October 2025. This campaign targeted organizations supporting Ukraine’s war relief efforts through phishing emails directing recipients to fake pages with instructions to activate a WebSocket-based trojan.