A previously undocumented threat actor has been linked to a series of cyberattacks targeting Ukrainian organizations using malware known as CANFAIL.
Google’s Threat Intelligence Group (GTIG) believes that the group is likely affiliated with Russian intelligence services, with a primary focus on defense, military, government, and energy entities at both regional and national levels in Ukraine. In recent months, however, the actor has expanded its targeting to include aerospace organizations, manufacturing firms with military and drone connections, nuclear and chemical research institutions, and international organizations involved in conflict monitoring and humanitarian aid efforts in Ukraine.
GTIG says that the group is less sophisticated and less resourced than other Russian threat actors and is using large language models (LLMs) to make up for the lack of technical skills. The hackers use AI to create phishing lures and refine attack chains.
In the most recent campaigns, the attackers impersonated legitimate Ukrainian national and local energy providers to gain unauthorized access to organizational and personal email accounts. The threat actor has also posed as a Romanian energy company serving Ukrainian customers, targeted a Romanian firm directly, and conducted reconnaissance activities against organizations in Moldova.
Victims receive phishing emails containing Google Drive links that lead to a RAR archive embedding the CANFAIL JavaScript malware. The malicious payload is typically disguised with a double file extension, such as “.pdf.js,” to appear as a harmless PDF document.
Once executed, CANFAIL launches a PowerShell script that downloads and runs a memory-only PowerShell dropper. The malware displays a fake error message to the victim to mask the infection process.
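The delivery chain above offers two cheap detection points for defenders: the double-extension lure in the archive listing, and a script host (the process that runs a double-clicked `.js` file) spawning PowerShell. The following is an added example written for this article, not code from GTIG or from the campaign; the filenames, process events and indicator strings in it are constructed for illustration, and the command-line hints are generic download-and-run-in-memory patterns rather than CANFAIL-specific indicators.

```python
"""Detection helpers for a double-extension script lure ("*.pdf.js") that,
once run, starts PowerShell to fetch a memory-only stage.
All sample filenames and process events here are constructed."""

from dataclasses import dataclass
from typing import List, Optional

# Extensions a recipient expects to open as harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
# Extensions the Windows shell hands to a script host or interpreter.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat"}
# Script hosts that execute a double-clicked .js/.vbs/.hta file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Generic command-line fragments of in-memory stagers (assumed, not campaign-specific).
STAGER_HINTS = ("downloadstring", "iex", "invoke-expression", "-enc",
                "frombase64string", "-w hidden", "-windowstyle hidden")


def is_disguised_script(filename: str) -> bool:
    """True when the real (last) extension is a script type and the extension
    before it mimics a document, e.g. 'invoice.pdf.js'. Whitespace padding
    between decoy and real extension ('notes.txt .js') is tolerated."""
    parts = [p.strip() for p in filename.lower().rsplit(".", 2)]
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return real in SCRIPT_EXTS and decoy in DOCUMENT_EXTS


def flag_archive_listing(names: List[str]) -> List[str]:
    """Return the entries of an archive listing that look like disguised scripts."""
    return [n for n in names if is_disguised_script(n)]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify_process_event(ev: ProcessEvent) -> Optional[str]:
    """Label a script host spawning PowerShell; None for anything else."""
    if _basename(ev.parent_image) not in SCRIPT_HOSTS:
        return None
    if _basename(ev.image) not in POWERSHELL:
        return None
    cmd = ev.command_line.lower()
    if any(h in cmd for h in STAGER_HINTS):
        return "script-host->powershell with in-memory stager hints"
    return "script-host->powershell"


# Constructed sample data: one archive listing and two process-creation events.
SAMPLE_ARCHIVE = ["Rakhunok_2025.pdf.js", "Dodatok.pdf", "readme.txt", "notes.txt .js"]
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgA..."),   # constructed
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),  # benign admin use
]


def triage(names=SAMPLE_ARCHIVE, events=SAMPLE_EVENTS) -> dict:
    """Run both checks and collect findings."""
    findings = {"archive": flag_archive_listing(names), "process": []}
    for ev in events:
        label = classify_process_event(ev)
        if label:
            findings["process"].append((_basename(ev.parent_image), label))
    return findings


if __name__ == "__main__":
    print(triage())
```

The archive check belongs at the mail gateway or in the sandbox that unpacks attachments; the process check maps directly onto a Sysmon or EDR process-creation rule (parent is a script host, child is PowerShell), with the command-line hints used only to raise severity, since the parent/child pairing alone is already rare in legitimate use.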
GTIG also linked the threat actor to a campaign dubbed PhantomCaptcha, previously disclosed by SentinelOne SentinelLABS in October 2025. The campaign targeted organizations supporting Ukraine’s war relief efforts through phishing emails directing recipients to fake pages with ClickFix-style instructions, resulting in a WebSocket-based trojan infection.