CANFAIL phishing campaign impersonating Ukrainian energy organizations
Campaign
Summary
Hide ▲
Show ▼
A previously undocumented threat actor is running a CANFAIL phishing campaign that impersonates Ukrainian energy organizations to gain unauthorized access to email accounts. The operation expands risk to defense, military, government, energy, and related organizations in Ukraine and nearby regions. It uses LLM-generated lures, Google Drive links, and a RAR archive to deliver malware.
Related Happenings
Russian intelligence Signal recovery-key phishing campaign
Campaign
H score29
First: 29.06.2026 11:15
Last: 29.06.2026 11:15
Sources 1
About this happening:
An active **Russian intelligence** phishing campaign is impersonating **Signal** support to steal **Backup Recovery Keys**, **verification codes**, and **account PINs**, putting *...
Russian intelligence Signal recovery-key phishing campaign
CampaignAbout this happening: An active **Russian intelligence** phishing campaign is impersonating **Signal** support to steal **Backup Recovery Keys**, **verification codes**, and **account PINs**, putting *...
Russian intelligence services fake support SMS messaging-account phishing campaign
Campaign
H score29
First: 27.06.2026 20:27
Last: 27.06.2026 20:27
Sources 1
About this happening:
A **long-running phishing campaign** by **Russian intelligence services** is stealing **messaging-account credentials** from officials, military personnel, politicians, and activi...
Russian intelligence services fake support SMS messaging-account phishing campaign
CampaignAbout this happening: A **long-running phishing campaign** by **Russian intelligence services** is stealing **messaging-account credentials** from officials, military personnel, politicians, and activi...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
Campaign
H score37
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
CampaignAbout this happening: Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
H score15
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor MetaAbout this happening: A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Timeline
-
13.02.2026 19:27 2 articles · 4mo ago
GTIG discloses CANFAIL phishing campaign against Ukrainian energy organizations
Initial DisclosureGoogle Threat Intelligence Group attributed a previously undocumented threat actor to CANFAIL phishing against Ukrainian organizations, including impersonation of legitimate national and local Ukrainian energy organizations to gain unauthorized access to organizational and personal email accounts. GTIG assessed possible links to Russian intelligence services and said the same group also targeted defense, military, government, and energy entities in Ukraine while using LLM-generated lures, Google Drive links to a RAR archive, and malware disguised as *.pdf.js.
Show sources
- Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs — thehackernews.com — 13.02.2026 19:27
- Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs — thehackernews.com — 13.02.2026 19:27