A previously unknown threat actor dubbed GreyVibe is using generative AI tools to accelerate cyber operations against Ukraine and organizations linked to its war effort, according to new research from WithSecure. The group is assessed as Russia-linked and appears to be conducting long-running, intelligence-driven campaigns that fold into Moscow’s wider hybrid warfare strategy against Kyiv.
Investigators at WithSecure describe GreyVibe as a Russian-speaking actor operating largely in the Russian time zone, with tasking and targeting that align with Kremlin state interests. Their operations reportedly focus on Ukraine and entities that support it politically, militarily or economically, including government bodies, defense-related firms and policy organizations in Europe. The tradecraft is consistent with other Russian cyber units active since the full-scale invasion, but GreyVibe’s use of AI stands out as a force multiplier.
According to analysis shared with SecurityWeek, GreyVibe operators rely on generative AI to speed core stages of the intrusion lifecycle, from drafting convincing spear-phishing lures to assisting with malware development and scripting for operations. By offloading tasks such as composing native-sounding messages in multiple languages or iterating on code snippets, the group can increase the volume and agility of its campaigns without a corresponding increase in human operators. Researchers warn that this makes social-engineering emails harder to spot and shortens the time from tasking to executable attack code.
So far, public reporting does not tie GreyVibe to specific software flaws tracked as CVEs, and there are no associated entries in major public resources such as the National Vulnerability Database or CISA’s Known Exploited Vulnerabilities catalog. Instead, the campaigns appear to lean on phishing for initial access and commodity malware delivery, combined with careful victim profiling and operational security. This underscores that AI is being used primarily to optimize existing tradecraft and tooling, rather than to exploit novel vulnerabilities, making traditional email and endpoint defenses a critical line of protection.
The emergence of GreyVibe comes as Ukrainian officials and researchers warn that Russia is increasingly experimenting with AI across both cyber and kinetic battlefields. Ukraine’s military intelligence has previously accused Russian forces of deploying AI-assisted malware and automation in operations targeting its infrastructure and frontline systems. Those developments fit into a broader pattern in which Russia blends cyber sabotage, espionage and information operations as part of its war against Ukraine, with AI now added to the toolkit.
Defenders in Ukraine and allied countries are being urged to assume that Russia-linked actors can now rapidly customize phishing content and malware at scale, and to tune controls accordingly. Security teams are advised to reinforce phishing-resistant authentication, strengthen email filtering and sandboxing, and deploy endpoint detection tuned to behavioral anomalies rather than static signatures, given the speed at which AI-assisted attackers can mutate content. Organizations supporting Ukraine’s government or defense sector are also being encouraged to share indicators with national CERTs and trusted partners, on the assumption that GreyVibe and similar actors will continue to iterate on AI-enabled tactics in the months ahead.
