GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
Summary
Hide ▲
Show ▼
GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian, and business targets. The operation has been active since at least August 2025 and uses multiple lure-and-delivery chains to push phishing, malware, and credential-theft workflows. Researchers linked the activity to a likely Russian-aligned operator set, though the group’s exact state affiliation remains unconfirmed.
Related Happenings
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor Meta
H score26
First: 07.07.2026 17:00
Last: 07.07.2026 17:00
Sources 1
About this happening:
**Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Scattered Spider reclassified as a decentralized collective of independent clusters
Threat Actor MetaAbout this happening: **Scattered Spider** has been reclassified as a **decentralized cybercrime collective**, changing how its persistence and resilience are understood. The shift suggests **independe...
Phantom squatting AI-hallucinated domain phishing campaign
Campaign
H score35
First: 01.07.2026 10:20
Last: 01.07.2026 10:20
Sources 1
About this happening:
A **phantom squatting** campaign is turning **AI-hallucinated domains** into live phishing and malware lures, putting **AI-referred traffic** at immediate risk. Attackers are regi...
Phantom squatting AI-hallucinated domain phishing campaign
CampaignAbout this happening: A **phantom squatting** campaign is turning **AI-hallucinated domains** into live phishing and malware lures, putting **AI-referred traffic** at immediate risk. Attackers are regi...
Russian intelligence Signal recovery-key phishing campaign
Campaign
H score29
First: 29.06.2026 11:15
Last: 29.06.2026 11:15
Sources 1
About this happening:
An active **Russian intelligence** phishing campaign is impersonating **Signal** support to steal **Backup Recovery Keys**, **verification codes**, and **account PINs**, putting *...
Russian intelligence Signal recovery-key phishing campaign
CampaignAbout this happening: An active **Russian intelligence** phishing campaign is impersonating **Signal** support to steal **Backup Recovery Keys**, **verification codes**, and **account PINs**, putting *...
Russian intelligence services fake support SMS messaging-account phishing campaign
Campaign
H score29
First: 27.06.2026 20:27
Last: 27.06.2026 20:27
Sources 1
About this happening:
A **long-running phishing campaign** by **Russian intelligence services** is stealing **messaging-account credentials** from officials, military personnel, politicians, and activi...
Russian intelligence services fake support SMS messaging-account phishing campaign
CampaignAbout this happening: A **long-running phishing campaign** by **Russian intelligence services** is stealing **messaging-account credentials** from officials, military personnel, politicians, and activi...
OYSTERBLUES information-stealer delivery via spear-phishing
Malware Activity
H score27
First: 27.06.2026 20:27
Last: 27.06.2026 20:27
Sources 1
About this happening:
The **OYSTERBLUES** malware activity used **compromised accounts** and **spear-phishing** to reach **government organizations**, increasing the risk of credential theft and follow...
OYSTERBLUES information-stealer delivery via spear-phishing
Malware ActivityAbout this happening: The **OYSTERBLUES** malware activity used **compromised accounts** and **spear-phishing** to reach **government organizations**, increasing the risk of credential theft and follow...
Timeline
-
28.05.2026 03:00 3 articles · 1mo ago
WithSecure links GreyVibe to an AI-assisted cyberespionage campaign against Ukraine-linked organizations
Initial DisclosureWithSecure identified GreyVibe as a likely Russian threat group conducting cyberespionage against Ukrainian or Ukraine-related organizations, with activity active since at least August 2025 and discovered in January 2026. The operation used AI-generated lures and multiple custom tools to support spear-phishing, fake CAPTCHA/ClickFix pages, fake websites, and malware delivery across military, government, civilian, and business targets.
Show sources
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31