A previously undocumented attacker is believed to have targeted organizations in Ukraine using malware known as CANFAIL.
The Google Threat Intelligence Group (GTIG) said the hacking group may have ties to Russian intelligence services. The attacker is assessed to be targeting defense, military, government, and energy organizations within local and central governments in Ukraine.
However, GTIG added that the group is also increasingly interested in aerospace agencies, military and drone manufacturing companies, nuclear and chemical research institutes, and international organizations involved in conflict monitoring and humanitarian assistance in Ukraine.
“Despite being less sophisticated and resourceful than other Russian threat groups, this actor has recently begun to use LLM to overcome some technical limitations.” [large language models]” said GTIG.
“Through prompts, they conduct reconnaissance, create social engineering lures, and look for answers to basic technical questions about post-compromise activities and C2 infrastructure setup.”
Recent phishing campaigns have seen attackers impersonate legitimate Ukrainian national and local energy organizations to gain unauthorized access to organizational and personal email accounts.
The group is said to have targeted Romanian companies and spied on organizations in Moldova, as well as posing as a Romanian energy company doing business with customers in Ukraine.
To enable their operations, attackers use research to generate email address lists tailored to specific regions or industries. The attack chain appears to include an LLM-generated decoy with an embedded Google Drive link pointing to a RAR archive containing the CANFAIL malware.
CANFAIL is typically obfuscated JavaScript malware disguised with a double extension to disguise itself as a PDF document (*.pdf.js) and designed to run a PowerShell script that downloads and executes a memory-only PowerShell dropper. At the same time, it displays a fake “error” message to the victim.
According to Google, this attacker is also associated with a campaign known as PhantomCaptcha revealed by SentinelOne SentinelLABS in October 2025 that targeted organizations associated with war relief efforts in Ukraine through phishing emails that directed recipients to a fake page hosting ClickFix-style instructions to activate an infection sequence and deliver a WebSocket-based Trojan.
Source link
