GREYVIBE Threat Intelligence Briefing

When Attackers Wield AI: Inside a Russian-Nexus Group Reshaping the Threat Landscape Across Europe

Presenters

Mohammad Kazem Hassan Nejad

Senior Threat Intelligence Researcher, WithSecure

A set of AI-powered cyberattack campaigns is already underway across Europe. We’re calling the group behind them GREYVIBE – a Russian-nexus threat group that’s been active since August 2025, hitting targets in Ukraine and further into Europe.

What makes GREYVIBE different from the threat groups you’ve read about before? Systematic use of generative AI (GenAI) and large language models (LLMs) across every phase of their operations. Evidence points to the use of multiple AI platforms – including ChatGPT, Google Gemini, and image generation tools – to produce lure sites, develop custom remote access trojans, build obfuscation frameworks, and generate post-compromise scripts.

Generative AI has lowered the bar for espionage-grade attacks. Groups that couldn’t write their own malware a year ago can now ship a working RAT in days – and they’re no longer only chasing Fortune 500s or government ministries. Mid-market companies across Europe are squarely in scope.

WithSecure’s threat intelligence team has spent months tracking GREYVIBE, reverse-engineering their malware, and mapping how they actually use AI in the wild. What we found applies to every European organisation trying to figure out what AI-enabled adversaries look like in practice.

 
