Briefing

GREYVIBE Threat Actor Targets Ukraine and Related Entities Since August 2025

security
by The Hacker News

Monitor for GREYVIBE activity targeting Ukrainian organizations and verify suspicious emails.

What to do now

Enhance monitoring for suspicious activity targeting Ukrainian organizations and enforce MFA on critical accounts.

Summary

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine‑related entities since at least August 2025. The actor is assessed to be Russian‑speaking and to operate broadly within Russian time zones, and its activities align with Kremlin state interests, specifically political, economic, and cyber‑security objectives. GREYVIBE has conducted phishing campaigns, distributed malware, and performed credential‑stealing operations against Ukrainian government agencies, NGOs, and private sector firms. The attackers use custom domains that mimic legitimate Ukrainian websites, making malicious traffic hard for users to distinguish from legitimate traffic. The group also leverages compromised email accounts to send spear‑phishing messages carrying malicious attachments or links. Its tactics, techniques, and procedures (TTPs) are consistent with those of other Russian‑aligned threat actors. Researchers identified a new backdoor, deployed in late 2025, that is used to maintain persistence on compromised systems. The activity demonstrates the continued threat posed by Russian‑aligned actors to Ukrainian entities.

GREYVIBE’s operations have been observed across multiple sectors, including defense, finance, and healthcare. The group’s phishing emails often reference local news or political events to increase their credibility. The attackers also perform credential harvesting by redirecting users to a fake login page that captures the credentials they enter. The researchers recommend monitoring for suspicious activity and implementing multi‑factor authentication on all critical accounts. The actor’s targeting of Ukraine‑related entities is ongoing, and the researchers note that little about the group is publicly known. The activity highlights the need for heightened security awareness and security monitoring.
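The two detection points the summary raises, lookalike domains that mimic legitimate Ukrainian sites and phishing mail that redirects to fake login pages, both start with the sender domain. The following is an added example, not code from the article or from the researchers it cites, showing how a defender might triage sender domains in mail logs against a list of domains worth protecting. The protected domains, the confusable-character table, the log format and every log line are constructed placeholders; the article names no domains.

```python
"""Lookalike sender-domain triage over mail-log lines.

Added example (not from the article or the researchers it cites). The
protected domains, substitution table and log lines are constructed
placeholders chosen to exercise each check.
"""
import re
from typing import List, Optional, Tuple

# Assumed domains to protect; constructed placeholders, not real targets.
PROTECTED = ["example-ministry.gov.ua", "example-ngo.org.ua"]

# Digit-for-letter substitutions often seen in typosquats (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed mail-log format: ISO time, from=<addr>, to=<addr>, subject.
SAMPLE_LOG = """\
2025-11-03T09:12:44Z from=<press@example-ministry.gov.ua> to=<a@corp.example> subject="Weekly bulletin"
2025-11-03T09:15:02Z from=<press@examp1e-ministry.gov.ua> to=<a@corp.example> subject="Urgent: sign document"
2025-11-03T09:20:11Z from=<it@example-ministry-gov.ua> to=<b@corp.example> subject="Password expiry"
2025-11-03T09:25:37Z from=<login@example-ministry.gov.ua.login-portal.example> to=<c@corp.example> subject="Verify account"
2025-11-03T09:31:08Z from=<news@exampl-ministry.gov.ua> to=<d@corp.example> subject="Election update"
2025-11-03T09:40:55Z from=<partner@unrelated.example> to=<e@corp.example> subject="Invoice"
2025-11-03T09:45:19Z from=<press@news.example-ngo.org.ua> to=<f@corp.example> subject="Report"
"""

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(s: str) -> str:
    """Drop dots and hyphens so punctuation shuffles compare equal."""
    return s.replace(".", "").replace("-", "")


def classify(domain: str, protected: List[str] = PROTECTED) -> Optional[str]:
    """Return a reason string if `domain` appears to mimic a protected domain;
    None if it is a protected domain, a genuine subdomain of one, or unrelated."""
    raw = domain.lower().rstrip(".")
    folded = raw.translate(CONFUSABLES)
    for p in protected:
        p = p.lower()
        if raw == p or raw.endswith("." + p):
            return None  # the genuine domain or a subdomain it controls
        if folded == p:
            return f"confusable characters substituted for {p}"
        if folded.startswith(p + "."):
            return f"{p} embedded as a subdomain of {folded[len(p) + 1:]}"
        if _squash(folded) == _squash(p):
            return f"punctuation rearranged relative to {p}"
        dist = levenshtein(folded, p)
        if dist <= 2:
            return f"within edit distance {dist} of {p}"
    return None


def triage(log_text: str, protected: List[str] = PROTECTED) -> List[Tuple[str, str]]:
    """Scan log lines and return (sender_domain, reason) for suspicious senders."""
    hits = []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        reason = classify(m.group(1), protected)
        if reason:
            hits.append((m.group(1), reason))
    return hits


if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_LOG):
        print(f"{domain}: {reason}")
```

The checks are ordered from most to least specific: an exact or genuine-subdomain match returns early so legitimate mail is never flagged by the fuzzier tests, while the edit-distance threshold of 2 is a tuning choice that should be lowered for very short protected names to avoid false positives. On the constructed log the four impostor senders are reported and the three genuine or unrelated ones are not.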

Key changes

  • GREYVIBE is a Russian‑speaking threat actor targeting Ukraine and related entities since August 2025.
  • The group aligns with Kremlin state interests and uses phishing, malware, and credential‑stealing tactics.
  • Custom domains mimic legitimate Ukrainian websites, making detection difficult.
  • A new backdoor was deployed in late 2025 to maintain persistence on compromised systems.
  • Phishing emails reference local news or political events to increase credibility.
  • The group’s TTPs are consistent with other Russian‑aligned actors.
  • Researchers recommend monitoring for suspicious activity and enabling MFA for critical accounts.
  • The activity demonstrates an ongoing threat to Ukrainian entities.

Affects

none

Source angles · 2 perspectives

The Hacker News
Independent angle

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

Bleeping Computer
Independent angle

GreyVibe hackers use ChatGPT, Gemini to power cyberattacks

