CANFAIL phishing campaign impersonating Ukrainian energy organizations
Campaign
Summary
A previously undocumented threat actor is running a CANFAIL phishing campaign that impersonates Ukrainian energy organizations to gain unauthorized access to email accounts. The operation expands risk to defense, military, government, energy, and related organizations in Ukraine and nearby regions. It uses LLM-generated lures, Google Drive links, and a RAR archive to deliver malware.
Related Happenings
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...
Silver Dragon assessed within the APT41 umbrella
Threat Actor Meta
First: 04.03.2026 10:14
Last: 04.03.2026 10:14
Sources 1
About this happening:
**Silver Dragon** is now assessed to operate within the **APT41 umbrella**, sharpening attribution for a cluster active against **Europe**, **Southeast Asia**, and **government en...
CANFAIL phishing-delivered PowerShell dropper chain
Malware Activity
First: 13.02.2026 19:27
Last: 13.02.2026 19:27
Sources 1
How related:
CANFAIL is an obfuscated JavaScript malware that's designed to execute a PowerShell script that, in turn, downloads and executes a memory-only PowerShell dropper.
About this happening:
The **CANFAIL** malware chain is being delivered through **phishing** lures and disguised attachments, creating a path to **PowerShell-based** execution and a fake error screen th...
GTIG maps constant multi-vector targeting of the defense industrial base
Target Trend
First: 13.02.2026 18:23
Last: 13.02.2026 18:23
Sources 1
About this happening:
**GTIG** identified a **state-sponsored, hacktivist, and criminal** targeting pattern against the **defense industrial base (DIB)**, raising **persistent espionage and intrusion r...
UNC1069 GhostCall cryptocurrency social-engineering campaign
Campaign
First: 11.02.2026 08:50
Last: 11.02.2026 08:50
Sources 1
About this happening:
**UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...
Timeline
- 13.02.2026 19:27 2 articles · 3mo ago
GTIG discloses CANFAIL phishing campaign against Ukrainian energy organizations
Initial Disclosure
Google Threat Intelligence Group (GTIG) attributed CANFAIL phishing against Ukrainian organizations to a previously undocumented threat actor. The activity included impersonation of legitimate national and local Ukrainian energy organizations to gain unauthorized access to organizational and personal email accounts. GTIG assessed possible links to Russian intelligence services and said the same group also targeted defense, military, government, and energy entities in Ukraine, using LLM-generated lures, Google Drive links to a RAR archive, and malware disguised as *.pdf.js.
- Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs — thehackernews.com — 13.02.2026 19:27