HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Russian‑Linked GREYVIBE APT Uses AI‑Assisted Malware to Target Ukrainian Military, Government and Business Sectors

GREYVIBE, a Russia‑linked APT active since 2025, employs AI‑enhanced malware across five attack chains to infiltrate Ukrainian military, government and private‑sector networks. The campaign leverages spear‑phishing, fake CAPTCHA pages, counterfeit adult‑club sites, charitable‑foundation fronts and spoofed military login screens, raising supply‑chain risk for any third‑party with Ukrainian ties.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Russian‑Linked GREYVIBE APT Uses AI‑Assisted Malware to Target Ukrainian Military, Government and Business Sectors

What Happened — The GREYVIBE group, linked to Russian actors and active since 2025, has deployed AI‑enhanced malware through five distinct attack chains that rely on spear‑phishing, fake CAPTCHA pages, counterfeit adult‑club sites, charitable‑foundation fronts, and spoofed military login screens. Victims span Ukrainian military, government, civilian agencies and private enterprises.

Why It Matters for TPRM

  • AI‑driven toolsets lower the skill barrier, increasing the likelihood of successful compromises against third‑party vendors that support Ukrainian clients.
  • The group’s multi‑vector approach (email, web lures, VPN installers) can bypass traditional perimeter controls, exposing supply‑chain partners to data theft or espionage.
  • Persistent activity since 2025 indicates a long‑term campaign; any organization with Ukrainian ties should reassess its threat model.

Who Is Affected — Government, Military, Civilian agencies, and private businesses operating in or with Ukraine.

Recommended Actions

  • Review and harden email security (DMARC, anti‑phishing training, sandboxing of attachments).
  • Block known malicious domains and IPs associated with GREYVIBE’s infrastructure.
  • Conduct threat‑intel‑driven monitoring of third‑party vendors that handle Ukrainian data or provide services to Ukrainian entities.
  • Validate that endpoint detection and response (EDR) solutions can detect AI‑obfuscated loaders and PowerShell‑based RATs.

Technical Notes

  • Attack vectors: spear‑phishing (malicious Google Drive/4sync links), fake CAPTCHA pages, counterfeit adult‑club sites, charitable‑foundation download pages, spoofed military login screens.
  • Malware families: PhantomRelay (PowerShell RAT), FallSpy (Android spyware), LegionRelay (lightweight RAT), custom obfuscators and loaders.
  • AI is used to generate polymorphic code and to automate credential‑harvesting scripts, complicating static detection.

Source: SecurityAffairs – Meet GREYVIBE, the Russia‑Linked Hacking Group Using AI to Target Ukraine

📰 Original Source
https://securityaffairs.com/192877/apt/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-rookie-mistakes.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →