A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with the CANFAIL malware.
The Google Threat Intelligence Group (GTIG) described the group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations at the Ukrainian regional and national government levels.
The group has also demonstrated increasing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian assistance in Ukraine, GTIG said.
“Despite being less sophisticated and resourceful than other Russian threat groups, this actor has recently begun to overcome some technical limitations by using LLM [large language models],” GTIG said.
“Through signaling, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions leading to post-compromise activity and the establishment of C2 infrastructure.”
Recent phishing campaigns have involved threat actors impersonating legitimate national and local Ukrainian energy organizations to gain unauthorized access to organizational and personal email accounts.
The group is also said to have impersonated a Romanian energy company that works with clients in Ukraine in addition to targeting a Romanian firm and conducting reconnaissance on Moldovan organizations.
To enable their operations, the threat actor creates email address lists tailored to specific sectors and industries based on their research. The attack chains include LLM-generated lures and embedded Google Drive links that point to a RAR archive containing the CANFAIL malware.
Typically disguised with a double extension to pass as a PDF document (*.pdf.js), CANFAIL is obfuscated JavaScript malware designed to execute a PowerShell script, which in turn downloads and executes a memory-only PowerShell dropper. In parallel, it displays a fake “error” message to the victim.
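The *.pdf.js disguise described above is one instance of a general lure pattern: a document-looking extension followed by an extension Windows will actually execute. The following is an added example, not code from GTIG's report or from any vendor tool, showing a defender-side triage check over an archive's member list. It generalizes beyond the .pdf.js case to other document/script combinations and to the whitespace-padded variant of the trick. The extension sets and the sample member names are constructed for illustration.

```python
"""Flag deceptive double extensions in an archive member listing.

Added example (not from the GTIG report): given the file names inside a
downloaded archive, return the members whose final extension is a script
or executable while the extension before it looks like a document. The
extension lists and SAMPLE_MEMBERS below are constructed assumptions.
"""

# Extensions a recipient expects to open as a harmless document (the disguise).
DOCUMENT_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png",
}

# Extensions that Windows hands to WScript, cmd.exe or PowerShell for execution.
EXECUTABLE_EXTS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat", "exe", "scr", "lnk",
}


def deceptive_double_extension(name: str) -> bool:
    """True if the name ends in an executable extension preceded by a document extension.

    Handles case differences (scan.PDF.JS) and padding with spaces between the
    fake and the real extension (Letter.pdf            .js), which is used to
    push the real extension out of view in narrow file-list columns.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # ignore directories inside the archive
    parts = [p.strip() for p in base.lower().split(".")]
    if len(parts) < 3:                                   # need at least name.docext.execext
        return False
    penultimate, last = parts[-2], parts[-1]
    return last in EXECUTABLE_EXTS and penultimate in DOCUMENT_EXTS


def triage_archive_listing(members: list[str]) -> list[str]:
    """Return the archive members that should be quarantined for analyst review."""
    return [m for m in members if deceptive_double_extension(m)]


# Constructed listing resembling what a lure archive might contain.
SAMPLE_MEMBERS = [
    "Invoice_2025.pdf.js",              # classic double extension
    "Contract.docx",                    # genuine document, single extension
    "scan.PDF.JS",                      # same trick, different case
    "notes.txt",
    "attachments/agenda.xlsx.vbs",      # nested path, spreadsheet disguise
    "Letter.pdf            .js",        # whitespace padding variant
    "readme.js",                        # a script, but not pretending to be a document
]

if __name__ == "__main__":
    for member in triage_archive_listing(SAMPLE_MEMBERS):
        print("quarantine for review:", member)
```

The check deliberately requires both halves of the pattern: a lone `.js` file is not flagged, because the signal here is the mismatch between what the name promises and what the extension runs. Pair a hit with the delivery context (an archive fetched from a file-sharing link in an unsolicited email) to prioritize the alert.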
Google said the threat actor is also linked to a campaign called PhantomCAPTCHA, which was disclosed by SentinelOne SentinelLabs in October 2025 as targeting organizations associated with Ukraine’s war relief efforts via phishing emails that direct recipients to fake pages hosting ClickFix-style instructions to activate the infection sequence and deliver the WebSocket-based Trojan.