Meet GREYVIBE, the Russia-Linked Hacking Group Using AI to Target Ukraine and Still Making Rookie Mistakes
GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it’s part spy op, part crime gang.

Security firm WithSecure has been tracking a previously unknown Russia-linked APT group called GREYVIBE since at least August 2025. The group targets Ukraine and Ukrainian-related organizations across military, government, civilian, and business sectors. According to the experts, the APT group is not particularly sophisticated, but it is persistent, and it is using AI to compensate for skill gaps. However, the researchers state that the group keeps making mistakes that give researchers a clear look inside.
“The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims. The observed victimology includes military, government, civilian, and business-related entities,” reads the report published by WithSecure. “Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware. WithSecure additionally identified several associated activity and related campaigns that shared varying degrees of overlap with the group’s tooling, infrastructure, and tradecraft.”
