A new threat cluster has surfaced in the Russia-Ukraine conflict. It blends custom malware with heavy reliance on public AI tools. Researchers at WithSecure tracked the activity under the name GREYVIBE. Operations began at least in August 2025 and continue today. The group focuses on Ukrainian military, government, civilian, and business targets. Lures and post-compromise actions point to intelligence collection tied to the ongoing war. Russian-speaking operators appear active in the Moscow time zone. Ties to the broader cybercrime scene complicate clean attribution. WithSecure published its findings on May 28, 2026. The report details multiple campaigns and a small family of custom tools. AI assistance shows up across lure creation, code development, and command generation. WithSecure Labs report . GREYVIBE runs several distinct infection chains. PhantomMail relies on spear-phishing emails. Victims receive links to ZIP or RAR archives hosted on Google Drive or 4sync.…