Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

Ravie LakshmananFeb 13, 2026Threat Intelligence / Malware

A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL.

Google Threat Intelligence Group (GTIG) described the hacking group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments.

However, the group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, GTIG added.

“Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs [large language models],” GTIG said.

“Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup.”

Recent phishing campaigns have involved the threat actor impersonating legitimate national and local Ukrainian energy organizations to obtain unauthorized access to organizational and personal email accounts.

The group is also said to have masqueraded as a Romanian energy company that works with customers in Ukraine, in addition to targeting a Romanian firm and conducting reconnaissance on Moldovan organizations.

To enable its operations, the threat actor generates email address lists tailored to specific regions and industries based on their research. The attack chains seemingly contain LLM-generated lures and embed Google Drive links pointing to a RAR archive containing CANFAIL malware.

Typically disguised with a double extension to pass off as a PDF document (*.pdf.js), CANFAIL is an obfuscated JavaScript malware that’s designed to execute a PowerShell script that, in turn, downloads and executes a memory-only PowerShell dropper. In parallel, it displays a fake “error” message to the victim.

Google said the threat actor is also linked to a campaign called PhantomCaptcha that was disclosed by SentinelOne SentinelLABS in October 2025 as targeting organizations associated with Ukraine’s war relief efforts through phishing emails that direct recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver a WebSocket-based trojan.

Similar Posts

  • 2 New Tutorials Added to Single Directory Components Course

    As promised, we’ve added 2 new tutorials to our course, Single Directory Components in Drupal: Props and slots are both mechanisms for passing data and content to UI components. In Understanding Props and Slots in Drupal Single Directory Components, you’ll learn the difference between props and slots in Drupal SDCs, and how to choose the…

  • 10 Best Hostinger Alternative 2025, Sep | Top Competitors

    When it comes to affordable web hosting services, Hostinger is often one of the first names that pops up. It’s budget-friendly, beginner-friendly, and offers a simple platform for individuals starting their online journey.  However, when it comes to handling enterprise-level workloads that need powerful hosting solutions, the question comes, Can Hostinger provide big dedicated solutions?…

  • How to Monitor Brand Mentions in ChatGPT

    Ask ChatGPT “What’s the best (your product category)?” right now. Does your brand come up?  If you don’t know, that’s a problem. ChatGPT influences millions of product decisions every day—and unlike Google, it gives you zero impressions data, no Search Console, and no built-in analytics. In this guide, I’ll show you how to monitor your brand…

  • Taiwan NSB Alerts Public on Data Risks from TikTok, Weibo, and RedNote Over China Ties

    Jul 05, 2025Ravie LakshmananNational Security / Privacy Taiwan’s National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China. The alert comes following an inspection of these apps carried out in coordination with the…