Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs

Google’s Threat Intelligence Group has attributed attacks against Ukrainian defense, military, government, and energy organizations to a previously undocumented threat actor that deploys the obfuscated JavaScript malware CANFAIL. The group, possibly linked to Russian intelligence, uses LLMs to craft reconnaissance and social‑engineering lures that deliver CANFAIL via spoofed phishing emails and Google Drive links, and is also tied to PhantomCaptcha campaigns.

Keypoints

  • The newly attributed threat actor has targeted Ukrainian defense, military, government, and energy organizations with CANFAIL.
  • Google Threat Intelligence Group assesses the actor may be affiliated with Russian intelligence services.
  • The group has expanded interest to aerospace, defense manufacturers, nuclear and chemical research, and humanitarian organizations.
  • Operators have begun using LLMs to perform reconnaissance, generate social‑engineering lures, and assist with post‑compromise and C2 setup.
  • Phishing campaigns spoof energy organizations and use Google Drive links to RAR archives with double‑extension files that deploy PowerShell-based, memory-only droppers; the actor is also linked to PhantomCaptcha activity.
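As an added defender-side example (not from the article or from Google's report), the following Python check flags double-extension filenames in an archive listing, where a document-like extension masks a trailing script or executable extension of the kind the lure described above relies on. The sample listing and the extension sets are constructed assumptions, not indicators from the article.

```python
# Constructed sample archive listing (illustrative only, not from the article).
SAMPLE_ARCHIVE_LISTING = [
    "Energy_Report_2026.pdf",
    "Invoice_Q1.pdf.lnk",
    "schedule.docx.js",
    "readme.txt",
    "image.jpg   .exe",   # whitespace padding used to push the real extension out of view
    "notes.tar.gz",       # legitimate multi-extension name, must not be flagged
]

# Extensions that make a file look like a harmless document or image (assumed set).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows will execute or hand to a script host (assumed set).
EXEC_EXTS = {"exe", "scr", "lnk", "js", "jse", "vbs", "vbe", "ps1", "bat", "cmd", "hta", "wsf"}


def split_extensions(name: str) -> list[str]:
    """Return the lower-cased extension chain of a filename, e.g. 'a.pdf.lnk' -> ['pdf', 'lnk'].

    Each component is stripped so that whitespace padding before the final
    extension does not hide it from the check.
    """
    parts = [p.strip().lower() for p in name.split(".")]
    return parts[1:] if len(parts) > 1 else []


def is_double_extension_lure(name: str) -> bool:
    """True when a decoy document/image extension is immediately followed by an executable one."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS


def flag_suspicious(names: list[str]) -> list[str]:
    """Return the entries of an archive listing that match the double-extension pattern."""
    return [n for n in names if is_double_extension_lure(n)]


if __name__ == "__main__":
    for entry in flag_suspicious(SAMPLE_ARCHIVE_LISTING):
        print("suspicious double-extension entry:", entry)
```

The same check can be run over the member names of an archive before it is extracted, which is the point at which a mail gateway or sandbox would want to quarantine it.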

Read More: https://thehackernews.com/2026/02/google-ties-suspected-russian-actor-to.html