Google Links Russian Actor to CANFAIL Malware Attacks on Ukrainian Organizations
Previously Unknown Threat Actor Linked to Malware Attacks in Ukraine
A previously unknown threat actor, suspected of ties to Russian intelligence services, has been linked to a series of malware attacks targeting Ukrainian organizations. The attacks, which involve the use of CANFAIL malware, have been attributed to a group that has been active in targeting defense, military, government, and energy organizations within Ukraine.
Targeted Sectors and Tactics
According to researchers at Google Threat Intelligence Group (GTIG), the threat actor has also shown interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine.
Phishing Campaigns and Malware
The threat actor’s tactics, techniques, and procedures (TTPs) involve phishing campaigns that impersonate legitimate Ukrainian energy organizations to obtain unauthorized access to organizational and personal accounts. The group has also masqueraded as a Romanian energy company that works with customers in Ukraine, and has targeted a Romanian firm and conducted reconnaissance on Moldovan organizations.
To facilitate their operations, the threat actor builds address lists tailored to specific regions and industries based on its research. The attack chains typically contain LLM-generated lures and embed Google Drive links pointing to a RAR archive that contains the CANFAIL malware. CANFAIL is obfuscated JavaScript, disguised with a double extension so that it appears to be a PDF document, that executes a PowerShell script.
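The double-extension disguise described above can be screened for before a user ever opens the archive. The following is an added example (not GTIG's or the article's code) that flags archive member names where a document-looking extension sits in front of an executable script extension, and also catches two common variants of the same disguise, right-to-left override characters and whitespace padding; the filenames are constructed samples, not real indicators.

```python
from typing import List, NamedTuple, Optional

# Extensions a lure is likely to imitate (what the recipient expects to open).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions Windows hands to a script host or loader on double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat", "lnk", "exe", "scr"}
# Unicode characters used to hide or visually reorder the real extension.
SUSPICIOUS_CHARS = {"\u202e": "RLO", "\u200b": "ZWSP", "\u200e": "LRM"}

class Finding(NamedTuple):
    name: str
    reason: str

def classify(member_name: str) -> Optional[Finding]:
    """Return a Finding if an archive member name looks like a disguised script."""
    base = member_name.rsplit("/", 1)[-1]            # ignore the directory part
    for ch, label in SUSPICIOUS_CHARS.items():
        if ch in base:
            return Finding(base, f"contains {label} character")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    real_ext = parts[-1].strip()                     # the last extension decides what runs
    inner = [p.strip() for p in parts[1:-1]]         # extensions between the stem and the real one
    decoys = [p for p in inner if p in DECOY_EXTS]
    if real_ext in SCRIPT_EXTS and decoys:
        return Finding(base, f"decoy .{decoys[-1]} before executable .{real_ext}")
    if real_ext in SCRIPT_EXTS and "  " in base:     # padding pushes the extension out of view
        return Finding(base, f"whitespace padding before .{real_ext}")
    return None

def scan_listing(names: List[str]) -> List[Finding]:
    """Apply classify() to every member name of an archive listing."""
    return [f for n in names if (f := classify(n)) is not None]

# Constructed sample listing; none of these are real indicators.
SAMPLE_LISTING = [
    "Invoice_2025/Invoice_2025.pdf.js",   # the double-extension pattern from the article
    "report.pdf",
    "notes.docx",
    "Agenda\u202efdp.js",                 # RLO makes the name render as ending in .pdf
    "statement          .js",             # spaces hide the .js in a narrow file dialog
    "scripts/build.js",                   # plain .js with no decoy: not flagged by itself
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_LISTING):
        print(f"{finding.name!r}: {finding.reason}")
```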
Link to PhantomCaptcha Campaign
GTIG has also linked the threat actor to a campaign called PhantomCaptcha, which was disclosed by SentinelOne SentinelLABS in October 2025. This campaign targeted organizations associated with Ukraine’s war relief efforts through phishing emails that directed recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver a WebSocket-based trojan.
Conclusion
The use of LLMs by the threat actor highlights the evolving nature of cyber threats and the need for organizations to stay vigilant in the face of increasingly sophisticated attacks. As the threat landscape continues to shift, it is essential for organizations to prioritize cybersecurity and implement robust measures to protect against such threats.
