A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors. The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests, although researchers cannot confidently classify it as a nation-state operation. Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations. The link to a Russian-speaking threat actor is supported by the language for the malware panels, comments in code artifacts, and command-and-control (C2) server time configured to UTC+3 (Moscow time). According to the researchers, GreyVibe has used several attack chains against its targets, including: The diversity and quality of these lures are notable, and WithSecure says this is the result of using multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic content to support them. The use of AI extends to the creation of tools as well, with the researchers mentioning LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all custom obfuscators that were likely developed with LLM assistance. A PowerShell-based remote access trojan named LegionRelay was also likely developed with assistance from AI tools, the researchers say.