New Russia-Linked Cyber Group GREYVIBE Targets Ukraine with AI-Powered Attacks
A newly identified Russia-linked cyber group, known as GREYVIBE, has been active since at least August 2025. The group focuses on targets in Ukraine, deploying a mix of custom malware and AI tools to carry out attacks. Despite its ties to Russian state interests, its operations often reveal signs of inexperience.
GREYVIBE’s activities align with broader Russian strategic goals, though its exact connection to the state remains unconfirmed. Researchers note that while the group’s objectives mirror official interests, its execution lacks the polish of more established threat actors.
The group operates with five distinct attack chains, each featuring unique lures and payloads. Methods include spear-phishing emails, fake CAPTCHA pages, and spoofed websites designed to trick victims into downloading malware. To compensate for technical shortcomings, GREYVIBE relies on AI-generated content—yet this approach has sometimes backfired, exposing flaws in its malware and operational artifacts. Links between GREYVIBE and the wider cybercrime scene have also emerged. The group shares connections with TrickBot, a notorious malware operation, as well as UAC-0098, another Russia-aligned hacking collective. These ties suggest collaboration or shared resources within the underground ecosystem.
GREYVIBE continues to refine its tactics, blending AI assistance with traditional cyberattack methods. Its focus on Ukrainian targets remains consistent, though operational mistakes highlight gaps in expertise. The group’s evolution will likely depend on how effectively it addresses these weaknesses while maintaining its current alliances.
