CANFAIL Malware: How a Suspected Russian Threat Actor Is Using AI to Target Ukraine's Critical Infrastructure
ID: 9642d5ef-33fc-5eaf-a6df-42252703fc91
STIX ID: report--9642d5ef-33fc-5eaf-a6df-42252703fc91
Feed Name: NoHackie
GTIG, SentinelOne, and Ukrainian analysts describe a previously undocumented, Russian-linked threat actor conducting AI-augmented phishing campaigns to deliver CANFAIL (an obfuscated JavaScript that launches memory-only PowerShell droppers), a WebSocket RAT, and Android spyware against Ukrainian defense, energy, and humanitarian organizations; the campaign leverages LLM-generated lures, Google Drive-hosted RARs, double-extension files, ClickFix clipboard/Run social engineering, and compartmentalized Russian-hosted C2 infrastructure.
