New Russian Malware Campaign Targeting Ukraine
Google Threat Intelligence Group (GTIG) has attributed a previously undocumented malware campaign to a Russian-linked threat actor targeting Ukrainian defense, military, government, energy, and aerospace organizations. The malware, dubbed CANFAIL, uses obfuscated JavaScript payloads disguised as PDF documents to establish persistent access and exfiltrate sensitive data.
Campaign Overview
| Attribute | Details |
|---|---|
| Threat Actor | Previously undocumented Russian-linked group |
| Malware | CANFAIL (obfuscated JavaScript) |
| Attribution | Google Threat Intelligence Group (GTIG) |
| Targets | Ukrainian defense, military, government, energy, aerospace |
| Delivery | Phishing emails with Google Drive links to RAR archives |
| Lure Generation | LLM-generated content in Ukrainian |
| Objective | Espionage, persistent access, data exfiltration |
Attack Chain
[Phishing Email with LLM-Generated Ukrainian Lure]
|
v
[Google Drive Link]
|
v
[RAR Archive Download]
|
v
[*.pdf.js — CANFAIL JavaScript (double extension)]
|
v
[Windows Script Host Execution]
|
v
[PowerShell Cradle — Memory-Only Payload]
|
v
[C2 Beacon + Data Exfiltration]
Technical Details
Double-Extension File Trick
CANFAIL files use double extensions to disguise JavaScript as PDFs:
military_procurement_notice_2026.pdf.js
defense_budget_allocation_feb2026.pdf.js
personnel_transfer_orders_UA.pdf.js
With default Windows settings hiding known file extensions, victims see only the .pdf portion.
LLM-Enhanced Lures
The use of LLM-generated content marks a notable shift: lures in previous campaigns often contained grammatical errors. These lures are:
- Grammatically correct in Ukrainian
- Contextually accurate to the target organization
- Formatted to match legitimate government document styles
- Personalized with target-specific references
Memory-Only Payload Delivery
CANFAIL triggers PowerShell scripts that download and execute payloads entirely in memory using Invoke-Expression with base64-encoded commands, leaving no artifacts on disk.
Capabilities
- System reconnaissance — Enumerate software, processes, network config, AD membership
- Credential harvesting — Extract stored credentials from browsers and Windows credential manager
- File exfiltration — Search for documents matching military and defense keywords
- Keylogging — Capture keystrokes targeting email, messaging, and VPN applications
- Persistence — Scheduled tasks and registry run keys
Detection Recommendations
- Block double-extension files — Quarantine files with extensions like .pdf.js, .doc.js
- Monitor Windows Script Host — Alert on wscript.exe executing files from download directories
- Restrict PowerShell — Enable Constrained Language Mode and Script Block Logging
- Inspect Google Drive links — Deploy CASBs to inspect files downloaded from Google Drive
- Hunt for scheduled task persistence — Review recently created scheduled tasks
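The first three recommendations above can be expressed as a small process-creation rule set. The following is an added example, not code from the report or from GTIG; it assumes Sysmon-style Event ID 1 fields (Image, CommandLine, ParentImage) and runs over constructed sample events that mirror the wscript.exe to PowerShell chain described in the Attack Chain section.

```python
import base64
import re
from dataclasses import dataclass

# Double-extension pattern: .pdf.js and .doc.js come from the report; the other
# document/script pairs are an assumed extension of the same idea.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(js|jse|vbs|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")  # assumed typical drop paths
# PowerShell's -e / -ec / -enc / -EncodedCommand switch followed by a base64 blob
ENCODED_CMD = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)

@dataclass
class ProcEvent:  # subset of Sysmon Event ID 1 fields (assumed telemetry source)
    image: str
    command_line: str
    parent_image: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the detections that fire for one process-creation event."""
    img, cmd, parent = basename(ev.image), ev.command_line, basename(ev.parent_image)
    hits = []
    if img in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("wsh_double_extension")
    if img in SCRIPT_HOSTS and any(d in cmd.lower() for d in DOWNLOAD_DIRS):
        hits.append("wsh_from_download_dir")
    if img == "powershell.exe" and parent in SCRIPT_HOSTS and ENCODED_CMD.search(cmd):
        hits.append("powershell_encoded_from_wsh")
    return hits

# Constructed sample events modelled on the chain described above; the encoded
# command is a harmless Write-Host, not the campaign's payload.
BENIGN_ENC = base64.b64encode("Write-Host sample".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\olena\Downloads\military_procurement_notice_2026.pdf.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {BENIGN_ENC}",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon_banner.js"',
              r"C:\Windows\System32\services.exe"),
]

def run(events=SAMPLE_EVENTS) -> list[list[str]]:
    return [classify(e) for e in events]
```

The third sample event (a script run from an administrative path by services.exe) fires nothing, which is the point: the rules key on the download-directory and double-extension context, not on wscript.exe alone.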
Sources
- The Hacker News — Google Ties Russian Actor to CANFAIL Malware
- Security Affairs — Russian Hackers Deploy CANFAIL Against Ukraine