WithSecure has attributed a persistent campaign, active since at least August 2025, to a previously undocumented Russian-speaking threat actor dubbed GREYVIBE. Operating within the Russian time zone and aligning with Kremlin interests, GREYVIBE distinguishes itself through the integration of AI-powered cyberattacks. This represents a significant escalation in the threat landscape targeting Ukraine and Ukraine-aligned entities globally. The use of Artificial Intelligence allows the actor to automate reconnaissance, generate highly convincing context-aware phishing lures, and potentially create polymorphic malware that evades traditional signature-based defenses. For defenders, this means static Indicators of Compromise (IoCs) have a shorter shelf life, and behavioral detection is now paramount.
Technical Analysis
While the full report details ongoing investigation, the core of GREYVIBE's capability lies in leveraging AI to enhance the "Initial Access" and "Execution" phases of the kill chain.
- Attack Vector: The primary vector is suspected to be sophisticated spear-phishing. Unlike standard campaigns, GREYVIBE utilizes Large Language Models (LLMs) to draft emails that are grammatically perfect, contextually relevant to the recipient's role, and culturally localized, significantly increasing the click-through rate.
- Payloads: The actor likely delivers payloads via common document formats (e.g., malicious Microsoft Office documents or PDFs) that exploit vulnerabilities or employ macro-based techniques. The "AI" component suggests the use of obfuscated script generation (PowerShell or Python) that alters its code structure with every iteration to bypass static antivirus detections.
- Exploitation Status: As of May 2026, these attacks are confirmed active in-the-wild. There are no specific CVEs associated with the "AI" aspect itself, as it exploits human trust and standard scripting environments (PowerShell/WScript) rather than a software flaw.
Detection & Response
Detecting AI-enhanced threats requires shifting focus from file hashes to behavioral anomalies. GREYVIBE's reliance on social engineering and script execution provides distinct opportunities for detection via process lineage and command-line analysis.
SIGMA Rules
---
title: GREYVIBE Suspicious Office Child Process
id: 8f4a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c
status: experimental
description: Detects Microsoft Office applications spawning suspicious child processes commonly used in GREYVIBE AI-generated phishing payloads.
references:
- https://attack.mitre.org/techniques/T1566/
- https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1566
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\OUTLOOK.EXE'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
condition: selection_parent and selection_child
falsepositives:
- Legitimate macro usage for document automation
- Local administrative scripts
level: high
---
title: GREYVIBE AI-Generated Script Obfuscation
id: 9g5b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects PowerShell command lines characteristic of AI-generated obfuscation, specifically high entropy compression and encoding often used to bypass filters.
references:
- https://attack.mitre.org/techniques/T1027/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
Image|endswith: '\powershell.exe'
selection_obfuscation:
CommandLine|contains:
- 'FromBase64String'
- 'DeflateStream'
- 'IO.Compression'
condition: selection_pwsh and selection_obfuscation
falsepositives:
- Admin script deployment tools
- Legitimate software installers
level: medium
KQL (Microsoft Sentinel)
// Hunt for GREYVIBE activity: Office spawning shell or encoded commands
let OfficeProcs = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let SuspiciousProcs = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ OfficeProcs and FileName in~ SuspiciousProcs
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| where ProcessCommandLine contains "EncodedCommand" or ProcessCommandLine contains "-enc" or ProcessCommandLine contains "FromBase64String"
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious Office process launches and recent macro downloads
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'powershell.exe'
AND CommandLine =~ 'FromBase64String|DeflateStream'
-- Supplement: Hunt for recent Office documents from internet
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs="*/Users/*/Downloads/*.doc*", root="/")
WHERE Mtime > now() - 7d
Remediation Script (PowerShell)
<#
.SYNOPSIS
Hardens endpoints against GREYVIBE AI-phishing vectors.
.DESCRIPTION
Disables macros from the internet and enables Attack Surface Reduction (ASR) rules.
#>
# Enable ASR Rule: Block Office applications from creating child processes
$asrRuleGUID = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
try {
Set-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleGUID -AttackSurfaceReductionRules_Actions Enabled
Write-Host "[SUCCESS] ASR Rule enabled: Block Office child processes."
} catch {
Write-Host "[ERROR] Failed to set ASR Rule. Ensure Microsoft Defender is running."
}
# Disable Office Macro Run (Block macros from running in Office files from the internet)
$regPath = "HKCU:\Software\Microsoft\Office\16.0\Word\Security"
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name "BlockContentExecutionFromInternet" -Value 1 -Type DWord
Write-Host "[SUCCESS] Blocked internet macros for Word."
Write-Host "Remediation complete. A reboot may be required for all policies to take effect."
Remediation
To effectively defend against GREYVIBE and similar AI-augmented threats, organizations should implement the following controls immediately:
- Attack Surface Reduction (ASR) Rules: Enable the Microsoft Defender ASR rule "Block Office applications from creating child processes." This directly mitigates the most common execution method used in document-based phishing.
- Macro Hardening: Configure Group Policy to disable macros from the Internet. Ensure VBA macro notifications are set to "Disable all with notification" or "Disable all except digitally signed."
- Email Filtering: Configure Secure Email Gateways (SEG) to sandbox Office documents. AI-generated lures are highly text-sophisticated; relying on link reputation is less effective than detonating attachments in a secure environment.
- User Verification Training: Conduct immediate security awareness training focusing on "out-of-band" verification. GREYVIBE uses AI to create contextually relevant urgency; users must be trained to verify requests for data transfer or payment via a secondary channel (e.g., phone call).
- PowerShell Constrained Language Mode: Where possible, enforce PowerShell Constrained Language Mode for general users to limit the execution of obfuscated scripts.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.