New research exposes GREYVIBE – a persistent, AI-powered Russia-nexus group targeting military, government, and business entities across Ukraine and Europe since mid-2025.
Helsinki, Finland – May 28, 2026: WithSecure, Europe’s trusted cybersecurity partner, today published new threat intelligence revealing a previously undocumented Russia-nexus threat group, tracked as GREYVIBE. Active since at least August 2025, the group has conducted persistent operations targeting military personnel, government bodies, and businesses across Ukraine, with additional targeting of European organisations. GREYVIBE’s activities align with Russian state intelligence-gathering objectives in the context of the ongoing Russia–Ukraine war.
The research documents GREYVIBE’s systematic use of generative AI (GenAI) and large language models (LLMs) across every phase of their operations – from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling. WithSecure also identified indicators placing the group at the intersection of state-aligned activity and the broader cybercrime ecosystem.
The findings carry direct relevance for organisations across Europe. AI is lowering the barrier to entry for espionage-grade operations – groups that would previously have lacked the capability to develop custom malware and mount sustained campaigns can now do so with AI assistance. The threshold for targeting has dropped, and mid-market organisations that may have considered themselves below the radar of nation-state activity should take note.
AI as an attack accelerator
Evidence points to the use of multiple AI platforms – including ChatGPT, Google Gemini, and image generation tools – to produce lure sites, develop custom remote access trojans, build obfuscation frameworks, and generate post-compromise scripts. The breadth and consistency of this usage suggest deliberate integration into the group’s operational workflow rather than ad-hoc experimentation. Crucially, design flaws in the LLM-assisted malware allowed WithSecure to monitor GREYVIBE’s activity across victim machines for several months – providing rare, sustained visibility into the group’s targeting and behaviour.
“What sets GREYVIBE apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to punch above its weight – accelerating development, filling capability gaps, and generating a largely fresh operational profile that complicates tracking and attribution. It’s a preview of how lower-sophistication actors will increasingly operate,” says Mohammad Kazem Hassan Nejad, Senior Threat Intelligence Researcher, WithSecure.
Key findings
- Persistent targeting of Ukrainian military, government, civilian, and business entities since August 2025.
- Systematic AI use across lure creation, malware development, infrastructure setup, and post-compromise tooling – integrated throughout operations, not used in isolation.
- Multiple attack vectors, including spear-phishing emails, fake CAPTCHA pages, and social engineering via Telegram using fake female personas.
- Custom malware suite including two generations of a PowerShell-based RAT (PhantomRelay), Android spyware (FallSpy), and a secondary RAT (LegionRelay) – all assessed to have been developed with LLM assistance.
- High-confidence attribution to Russian-speaking operators in the Moscow time zone, with targeting and objectives aligned with Russian state interests.
- Indicators of ties to the cybercrime ecosystem, with possible proximity to tooling linked to the former TrickBot syndicate.
- Repeated operational security failures suggest a low-to-moderately sophisticated group – a reminder that less capable actors can still pose meaningful threats.
The full GREYVIBE research report is available at https://labs.withsecure.com/publications/greyvibe.
For a deeper technical dive, join researcher Mohammad Kazem Hassan Nejad as he presents the findings in an upcoming webinar on June 17, 2026. Register at https://withsecure.videosync.fi/2026-06-17-74zx3ymlnn/register.