A new, previously unknown threat actor is reportedly behind attacks using CANFAIL malware against Ukrainian organizations.
Google Threat Intelligence Group (GTIG) suggests this hacking group may be connected to Russian intelligence services. The actor has reportedly targeted Ukrainian regional and national defense, military, government, and energy sectors.
The group has also shown increasing interest in aerospace organizations, manufacturing firms with military and drone connections, nuclear and chemical research entities, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, according to GTIG.
GTIG noted that while this actor is less sophisticated than other Russian threat groups, it has recently started overcoming technical limitations by utilizing LLMs [large language models].
Through LLM prompting, the group performs reconnaissance, crafts social engineering lures, and seeks answers to basic technical questions for post-compromise activities and C2 infrastructure setup.
Recent phishing campaigns have involved the threat actor impersonating legitimate Ukrainian energy organizations to gain unauthorized access to email accounts.
The group has also posed as a Romanian energy company working with Ukrainian clients, and has targeted a Romanian firm while conducting reconnaissance on Moldovan organizations.
To support these operations, the threat actor generates email lists specific to targeted regions and industries. Attack chains often feature LLM-generated lures and Google Drive links leading to RAR archives containing CANFAIL malware.
CANFAIL malware, often disguised with a double extension like *.pdf.js, is an obfuscated JavaScript program. It executes a PowerShell script that downloads and runs a memory-only PowerShell dropper, while simultaneously displaying a fake error message to the victim.
Google also links this threat actor to the PhantomCaptcha campaign, which SentinelOne SentinelLABS revealed in October 2025. This campaign targeted organizations involved in Ukraine’s war relief efforts through phishing emails, directing recipients to fake pages with ClickFix-style instructions to initiate infection and deliver a WebSocket-based trojan.
