WithSecure researchers have identified a previously unknown Russian-linked threat actor tracked as GREYVIBE conducting sustained cyberattacks against Ukraine and Ukrainian entities since August 2025.

The threat group operates during Russian business hours and uses tactics consistent with state-sponsored objectives aligned to Kremlin interests. WithSecure assesses GREYVIBE as Russian-speaking based on operational patterns and infrastructure analysis.
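The working-hours observation above can be tested against intrusion timestamps. This added example (not WithSecure's code or method) scores constructed UTC event times against every UTC offset, assuming a Monday to Friday 09:00-18:00 working day; Moscow time is UTC+3.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: UTC times of hands-on-keyboard events (not from the report).
SAMPLE_EVENTS_UTC = [
    "2025-09-01T06:05:00+00:00", "2025-09-01T09:40:00+00:00",
    "2025-09-02T07:15:00+00:00", "2025-09-02T13:30:00+00:00",
    "2025-09-03T08:20:00+00:00", "2025-09-03T14:50:00+00:00",
    "2025-09-04T10:10:00+00:00", "2025-09-05T11:45:00+00:00",
    "2025-09-05T12:25:00+00:00",
    "2025-09-06T21:30:00+00:00",  # weekend outlier, e.g. an automated task
]

WORK_START, WORK_END = 9, 18  # assumed local working day: 09:00 to 17:59, Mon-Fri


def workday_fit(events, offset_hours):
    """Fraction of events inside the assumed working day at a given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for stamp in events:
        local = datetime.fromisoformat(stamp).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def rank_offsets(events, offsets=range(-12, 15)):
    """Return (offset, fit) pairs, best fit first; ties ordered by offset."""
    scores = [(o, workday_fit(events, o)) for o in offsets]
    return sorted(scores, key=lambda pair: (-pair[1], pair[0]))


def best_offsets(events):
    """All offsets sharing the top score: a band, not necessarily one zone."""
    ranked = rank_offsets(events)
    top = ranked[0][1]
    return [o for o, fit in ranked if fit == top]


if __name__ == "__main__":
    for offset, fit in rank_offsets(SAMPLE_EVENTS_UTC)[:3]:
        print(f"UTC{offset:+d}: {fit:.0%} of events in working hours")
    print("best-fitting offsets:", best_offsets(SAMPLE_EVENTS_UTC))
```

When the sample contains only midday events, the top score is shared by a band of offsets, so the result narrows a region rather than naming one zone and serves as supporting evidence only.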

The attacks leverage artificial intelligence capabilities to enhance targeting precision and attack effectiveness. This marks a notable shift in the targeting of Ukraine, where adversaries increasingly integrate machine learning and automation into reconnaissance and exploitation workflows.

GREYVIBE's campaign demonstrates a persistent focus on Ukraine-related infrastructure and government entities. The group deploys AI-powered capabilities to identify and exploit vulnerabilities at scale, reducing the manual effort required for large-scale reconnaissance operations.

Attribution to Russian state interests stems from operational timing aligned with Moscow's geopolitical objectives, infrastructure hosting patterns, and tactical consistency with known Russian cyber operations. The sustained nature of the campaign indicates long-term strategic interest rather than opportunistic intrusions.

Organizations in Ukraine and those supporting Ukrainian operations face elevated risk. GREYVIBE's use of AI-enhanced targeting means defenders cannot rely solely on legacy detection methods. The group likely conducts continuous vulnerability scanning and automated payload delivery against identified weaknesses.

Entities operating in critical infrastructure, energy, government communications, and military support sectors should prioritize network segmentation and behavioral analytics. Traditional signature-based detection will miss AI-optimized attack chains that adapt based on environmental reconnaissance.

WithSecure has not disclosed specific CVEs exploited by GREYVIBE in public advisories, though the group's capability maturity suggests targeting of both known and zero-day vulnerabilities. Organizations should implement continuous threat hunting and assume compromise of unpatched systems.

The emergence of AI-enhanced state-sponsored attacks targeting Ukraine reflects broader trends in modern cyber warfare. Defenders must shift from reactive pat