Google Threat Intelligence Group (GTIG) has uncovered a new threat actor possibly affiliated with Russian intelligence services that has been systematically targeting Ukrainian organizations with a sophisticated malware strain known as CANFAIL.
Target Profile
The threat group has focused its operations on high-value targets within Ukraine, including:
- Defense and military organizations
- Government entities (regional and national)
- Energy sector organizations
- Aerospace companies
- Manufacturing firms with military and drone ties
- Nuclear and chemical research facilities
- International humanitarian and conflict monitoring organizations
LLM-Enhanced Capabilities
What makes this actor notable is their recent adoption of large language models (LLMs) to overcome technical limitations. According to GTIG, the group leverages AI prompting to:
- Conduct reconnaissance
- Generate convincing social engineering lures
- Answer technical questions for post-compromise activity
- Set up command-and-control infrastructure
Attack Chain Analysis
Recent phishing campaigns involve the threat actor impersonating legitimate Ukrainian energy companies. The infection chain follows this pattern:
- LLM-generated phishing lures with energy sector themes
- Embedded Google Drive links leading to RAR archives
- CANFAIL malware disguised as PDF documents (*.pdf.js double extension)
- Obfuscated JavaScript execution triggering PowerShell scripts
- Memory-only PowerShell dropper deployment
- Fake “error” message displayed to maintain stealth
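Detection logic for two links of the chain above, the double-extension script file and the script host handing off to an in-memory PowerShell stage, run over constructed Windows process-creation events. This is an added example, not code from the GTIG report; the event field names, paths and command lines are assumptions and every sample value is made up.

```python
import re

# Constructed process-creation events (simplified Sysmon Event ID 1 style
# fields). Paths, file names and the encoded blob are made up, not real IoCs.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\Invoice_Energy.pdf.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe "C:\Users\u\Documents\report.pdf"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Document-looking suffix immediately followed by a Windows script extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(js|jse|vbs|vbe|wsf|hta)\b",
                        re.IGNORECASE)
# Switches that usually accompany a memory-only PowerShell stage (no script on disk).
MEMORY_FLAGS = re.compile(
    r"(-e(nc(odedcommand)?)?\b|\biex\b|invoke-expression|downloadstring|"
    r"-w(indowstyle)?\s+hidden)", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_event(ev):
    """Return the detection names that fire on one event (empty list if none)."""
    hits = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Link 1: a script host launched a file pretending to be a document.
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("double_extension_script")
    # Link 2: the script host spawned PowerShell, optionally with in-memory switches.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawns_powershell")
        if MEMORY_FLAGS.search(cmd):
            hits.append("memory_only_powershell_flags")
    return hits

def scan(events):
    """Map event index -> detections, keeping only events that fired."""
    return {i: h for i, h in ((i, classify_event(e)) for i, e in enumerate(events)) if h}
```

Alerting on the parent/child pair is the more durable of the two rules, since the double extension is trivial to change while the script-host-to-PowerShell hop is structural to this chain.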
Connection to PhantomCaptcha Campaign
Google links this threat actor to the PhantomCaptcha campaign previously disclosed by SentinelOne SentinelLABS in October 2025. That campaign targeted Ukraine war relief organizations using ClickFix-style fake instructions to deliver a WebSocket-based trojan.
Why This Matters
The integration of AI tools into APT operations represents an evolution in threat actor capabilities. Even less sophisticated groups can now rapidly generate convincing lures and overcome technical barriers using LLMs. Organizations with any connection to Ukraine—defense contractors, humanitarian groups, or energy sector companies—should heighten their phishing defenses and monitor for these TTPs.
