{"id":11634,"date":"2026-05-28T10:04:44","date_gmt":"2026-05-28T09:04:44","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/press-releases\/withsecure-uncovers-russia-nexus-threat-group-using-ai-to-target-ukraine-and-european-organisations\/"},"modified":"2026-06-02T11:32:46","modified_gmt":"2026-06-02T10:32:46","slug":"withsecure-uncovers-russia-nexus-threat-group-using-ai-to-target-ukraine-and-european-organisations","status":"publish","type":"pressroom","link":"https:\/\/www.withsecure.com\/jp-ja\/resources-hub\/press-releases\/withsecure-uncovers-russia-nexus-threat-group-using-ai-to-target-ukraine-and-european-organisations\/","title":{"rendered":"WithSecure uncovers Russia-nexus threat group using AI to target Ukraine and European organisations"},"content":{"rendered":"\n
\n
\n

\n WithSecure uncovers Russia-nexus threat group using AI to target Ukraine and European organisations<\/span><\/h1>
\n
\n \n \n AI <\/span>\n \n Research <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 28 5\u6708, 2026 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n \u30b7\u30a7\u30a2\u3059\u308b <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n WithSecure media relations <\/p>\n \n

\n
\n

\n WithSecure PR <\/p>\n \n

\n

\n
\n

\n Share this <\/p>\n

\n \n \n
\n
\n

New research exposes GREYVIBE \u2013 a persistent, AI-powered Russia-nexus group targeting military, government, and business entities across Ukraine and Europe since mid-2025.<\/em><\/p>\n

Helsinki, Finland \u2013 May 28, 2026:<\/b>\u00a0WithSecure, Europe\u2019s trusted cybersecurity partner, today published new threat intelligence revealing a previously undocumented Russia-nexus threat group, tracked as GREYVIBE. Active since at least August 2025, the group has conducted persistent operations targeting military personnel, government bodies, and businesses across Ukraine, with additional targeting of European organisations. GREYVIBE\u2019s activities align with Russian state intelligence-gathering objectives in the context of the ongoing Russia\u2013Ukraine war.<\/p>\n

The research documents GREYVIBE\u2019s systematic use of generative AI (GenAI) and large language models (LLMs) across every phase of their operations \u2013 from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling. WithSecure also identified indicators placing the group at the intersection of state-aligned activity and the broader cybercrime ecosystem.<\/p>\n

The findings carry direct relevance for organisations across Europe. AI is lowering the barrier to entry for espionage-grade operations \u2013 groups that would previously have lacked the capability to develop custom malware and mount sustained campaigns can now do so with AI assistance. The threshold for targeting has dropped, and mid-market organisations that may have considered themselves below the radar of nation-state activity should take note.<\/p>\n

AI as an attack accelerator<\/h3>\n

Evidence points to the use of multiple AI platforms \u2013 including ChatGPT, Google Gemini, and image generation tools \u2013 to produce lure sites, develop custom remote access trojans, build obfuscation frameworks, and generate post-compromise scripts. The breadth and consistency of usage suggests deliberate integration into the group\u2019s operational workflow, not ad-hoc experimentation. Crucially, design flaws in LLM-assisted malware allowed WithSecure to monitor GREYVIBE\u2019s activity across victim machines for several months \u2013 providing rare, sustained visibility into the group\u2019s targeting and behaviour.<\/p>\n

\u201cWhat sets GREYVIBE apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to punch above its weight \u2013 accelerating development, filling capability gaps, and generating a largely fresh operational profile that complicates tracking and attribution. It\u2019s a preview of how lower-sophistication actors will increasingly operate\u201d, says Mohammad Kazem Hassan Nejad<\/b>, Senior Threat Intelligence Researcher, WithSecure<\/p>\n

Key findings<\/h3>\n