A Google Threat Intelligence Group (GTIG) report identifies a previously undocumented Russia-linked APT group that is running phishing campaigns to deliver CANFAIL malware to Ukrainian defence, government and energy entities at regional and national levels. According to GTIG, the actor, possibly linked to Russian intelligence services, has targeted defence, military, government and energy entities in Ukraine and has also probed Romanian and Moldovan organisations.
The operation relies on phishing emails carrying Google Drive links that host a RAR archive containing CANFAIL, often disguised with a .pdf[.]js double extension. The CANFAIL payload is obfuscated JavaScript that launches a PowerShell script to download and execute a second stage, typically a memory-only dropper, while displaying a fake error popup to the victim. GTIG notes that the group uses LLMs to craft lures, perform reconnaissance, and assist with post-compromise activity and C2 infrastructure setup.
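The delivery chain described above (a Google Drive link, a RAR archive, and a script member hiding behind a document-style double extension) is something a mail gateway or detonation sandbox can check for mechanically. The Python below is an added example written for this page, not code from GTIG or from the report: the message records, the Drive URL with its `EXAMPLE-ID` placeholder, the file names, and the extension lists are all constructed for illustration. It goes slightly beyond the text by treating any document-then-script pairing (not only `.pdf.js`) and any common archive type as suspicious, and by handling mixed case and directory prefixes inside the archive listing.

```python
"""Flag mail records whose delivery chain matches the pattern in the report:
a Google Drive link, an archive, and an archive member such as report.pdf.js.
Added defensive example; inputs below are constructed, not real samples."""
import re

# Extensions Windows hands to a script host or shell on double-click (example's own list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat", "scr", "lnk"}
# Extensions a user reads as a harmless document or image (example's own list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "jpeg", "png"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso"}
DRIVE_RE = re.compile(r"https?://(drive|docs)\.google\.com/", re.IGNORECASE)


def classify_member(name):
    """Classify one archive member name.

    Returns a human-readable reason if the member is a script, and a stronger
    reason if a document-style extension precedes the script extension
    (e.g. 'Report.PDF.JS'); returns None for anything else.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]      # drop any directory prefix
    parts = [p.strip().lower() for p in base.split(".")]   # normalise case and padding
    if len(parts) < 2:
        return None                                        # no extension at all
    exts = parts[1:]
    last = exts[-1]
    if last not in SCRIPT_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return f"document-style decoy extension .{exts[-2]} before script extension .{last}"
    return f"script file .{last} inside archive"


def assess_message(msg):
    """Score one mail record (a dict with 'subject', 'urls', 'archive', 'members').

    Verdicts: 'block' when a decoy double extension is present, 'review' when
    only weaker indicators (Drive link, archive, plain script) are found,
    'allow' otherwise. Returns (verdict, list_of_findings).
    """
    findings = []
    if any(DRIVE_RE.search(u) for u in msg.get("urls", [])):
        findings.append("link to Google Drive (file-hosting link in a mail body)")
    archive = msg.get("archive")
    if archive and archive.rsplit(".", 1)[-1].lower() in ARCHIVE_EXTS:
        findings.append(f"archive attachment or download: {archive}")
    for member in msg.get("members", []):
        reason = classify_member(member)
        if reason:
            findings.append(f"{member}: {reason}")
    if any("decoy extension" in f for f in findings):
        return "block", findings
    if findings:
        return "review", findings
    return "allow", findings


# Constructed sample records: one mimicking the reported chain, one benign, one borderline.
SAMPLE_MESSAGES = [
    {
        "subject": "Drone procurement list",          # constructed lure subject
        "urls": ["https://drive.google.com/file/d/EXAMPLE-ID/view"],
        "archive": "procurement.rar",
        "members": ["procurement.pdf.js"],
    },
    {
        "subject": "Meeting notes",
        "urls": ["https://intranet.example.org/notes"],
        "archive": None,
        "members": [],
    },
    {
        "subject": "Build artefacts",
        "urls": [],
        "archive": "build.zip",
        "members": ["build.js", "README.txt"],
    },
]


def run_samples():
    """Assess every constructed record and return the verdicts in order."""
    results = []
    for msg in SAMPLE_MESSAGES:
        verdict, findings = assess_message(msg)
        results.append(verdict)
        print(f"[{verdict}] {msg['subject']}")
        for f in findings:
            print(f"    - {f}")
    return results


if __name__ == "__main__":
    run_samples()
```

The verdict logic is deliberately tiered: a Drive link or an archive on its own is common in legitimate mail, so those only raise a review flag, whereas a document-style extension immediately followed by a script extension has no ordinary business use and is blocked outright. In a real gateway the member names would come from the archive's central directory rather than a hand-written list, and the extension sets would be tuned to the environment.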
Russian espionage groups, including those named in the report, have continued to target Ukrainian and Western defence-related organisations using military- and drone-themed decoys.