Google Ties Suspected Russian Actor to CANFAIL Malware Attacks on Ukrainian Orgs
Briefly

"Google Threat Intelligence Group (GTIG) described the hack group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments. However, the group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, GTIG added."
"To enable its operations, the threat actor generates email address lists tailored to specific regions and industries based on their research. The attack chains seemingly contain LLM-generated lures and embed Google Drive links pointing to a RAR archive containing CANFAIL malware. Typically disguised with a double extension to pass off as a PDF document (*.pdf.js), CANFAIL is an obfuscated JavaScript malware that's designed to execute a PowerShell script that, in"
A previously undocumented threat actor uses CANFAIL malware to target defense, military, government, and energy organizations in Ukraine. The actor is possibly affiliated with Russian intelligence services and has expanded interest to aerospace, manufacturing with military and drone ties, nuclear and chemical research, and international organizations involved in conflict monitoring and humanitarian aid. The actor employs phishing campaigns that impersonate Ukrainian and regional energy companies, using tailored email lists and LLM-generated lures. Attack chains embed Google Drive links to RAR archives hosting CANFAIL, typically disguised with double extensions (*.pdf.js). CANFAIL is obfuscated JavaScript designed to execute a PowerShell script for post-compromise activity.
Read at The Hacker News
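A defender-side check for the double-extension disguise described above (`*.pdf.js`), written as an added example that is not code from the article or from GTIG. It flags archive member names whose final extension is script-capable while the preceding one imitates a document. The extension lists and the sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed lists, extend for your environment.
# Final extensions that Windows hands to a script host or executes directly.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd", "scr", "exe"}
# Document-like extensions used as the visible decoy.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}


def normalize(name):
    """Return the final path component roughly as Windows would resolve it."""
    base = PureWindowsPath(name).name      # accepts both / and \ separators
    return base.rstrip(". ").lower()       # Windows drops trailing dots and spaces


def double_extension(name):
    """Return (decoy_ext, real_ext) if the name masquerades as a document, else None."""
    # strip() also catches space padding placed between the decoy and real extension
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3:
        return None
    decoy, real = parts[-2], parts[-1]
    if real in SCRIPT_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def scan(members):
    """Map each suspicious member name to its (decoy, real) extension pair."""
    hits = {}
    for member in members:
        result = double_extension(member)
        if result:
            hits[member] = result
    return hits


# Constructed archive listing, not taken from any real sample.
SAMPLE_LISTING = [
    "Рахунок_2025.pdf.js",      # plain double extension
    "docs/Report.PDF.JS",       # mixed case inside a folder
    "notice.pdf        .js",    # padding pushes the real extension out of view
    "tariff.pdf.js. ",          # trailing dot and space
    "jquery.min.js",            # legitimate multi-dot script name
    "manual.pdf",               # ordinary document
]

if __name__ == "__main__":
    for name, (decoy, real) in scan(SAMPLE_LISTING).items():
        print(f"{name!r}: shown as .{decoy}, runs as .{real}")
```

The same function can be fed the member list of an archive pulled from a mail gateway or download proxy before the file reaches a user.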