Why AI-Powered Attacks Are Outpacing Traditional Cybersecurity Training
Artificial intelligence is fundamentally changing how cybercriminals operate, and most organizations' security training hasn't caught up. A newly documented Russian-linked threat group called GREYVIBE is leveraging generative AI platforms to accelerate malware development, craft convincing phishing campaigns, and reduce reliance on known attack tools that could aid in attribution. Meanwhile, traditional cybersecurity awareness programs remain largely static, annual checkbox exercises that fail to address the speed and sophistication of AI-assisted threats.
How Are Attackers Using AI to Supercharge Their Operations?
GREYVIBE, assessed by WithSecure to be a Russian-speaking group operating in the Russian time zone with activities aligned with Kremlin interests, has been targeting Ukraine and Ukraine-related entities since at least August 2025. What makes this group notable is not just its geopolitical focus, but its deliberate use of AI to bridge technical gaps and accelerate its attack lifecycle.
The group has leveraged multiple AI platforms, including OpenAI's ChatGPT, Google Gemini, and Ideogram AI, to assist with generating images, developing malware variants, creating obfuscation scripts, and even designing backend infrastructure. This approach offers attackers several concrete advantages:
- Faster Development Cycles: AI can generate, refactor, and replace malware components in hours rather than weeks, allowing attackers to stay ahead of detection and patching.
- Reduced Attribution Risk: By frequently regenerating code and tools with AI assistance, attackers make traditional clustering methods based on stable technical artifacts less reliable, complicating forensic analysis.
- Lower Skill Barriers: AI platforms democratize attack development, allowing less sophisticated actors to produce professional-grade malware and social engineering campaigns without deep technical expertise.
GREYVIBE's attack chains demonstrate this capability in practice. The group has deployed PhantomMail (spear-phishing with malicious archives), PhantomClick (fake CAPTCHA pages mimicking Zoom and other services), and PrincessClub (fraudulent Ukrainian websites delivering spyware). Each campaign shows signs of AI-assisted development, yet the group has also made operational security mistakes, suggesting it is a "low-to-moderately sophisticated group" that relies on AI to compensate for gaps in expertise.
Why Is Traditional Security Awareness Training Falling Behind?
The cybersecurity industry has long recognized that human behavior is the weakest link in security defenses. According to the 2026 Verizon Data Breach Investigations Report, 62% of all breaches involve the human element, meaning an employee was manipulated, deceived, or made an error that provided initial access. Yet most organizations address this vulnerability through annual compliance training, a format that was never designed to counter the speed and personalization of AI-powered attacks.
The distinction between compliance training and genuine behavioral change is critical. Compliance training satisfies regulatory mandates like SOC 2, HIPAA, PCI DSS, GDPR, or ISO 27001 through annual, mandatory modules and documentation. Security awareness training, by contrast, is meant to be a continuous behavioral program designed to reduce employee susceptibility to phishing, vishing (voice phishing), and deepfake impersonation attacks. Many organizations treat these as equivalent, fulfilling the letter of regulatory requirements while leaving underlying human vulnerability unaddressed.
The problem has intensified with AI. Modern attack campaigns now include deepfake video attacks, AI-generated spear phishing emails, and cloned executive voices for vishing calls. Legacy training programs that focus only on standard email phishing leave employees exposed to these faster-growing breach categories. As one cybersecurity awareness training guide noted, "No technical control intercepts a threat that an employee willingly acts upon."
What Do Organizations Need to Do Differently?
Security leaders are increasingly moving beyond static training completion metrics toward continuous human risk management, which measures individual risk scores in real time based on behavioral signals. This represents a fundamental shift in how organizations approach the human layer of cybersecurity.
The evidence supporting this shift is compelling. According to Fortinet's 2025 Security Awareness and Training Global Research Report, 67% of organizations report moderate or meaningful reductions in intrusions, incidents, and breaches after rolling out security awareness training. Given that the average data breach now costs $4.44 million according to IBM's 2025 Cost of a Data Breach Report, even preventing a fraction of human-layer incidents produces returns that substantially exceed program costs.
Organizations should consider these practical steps to strengthen their defenses against AI-powered threats:
- Move Beyond Annual Training: Replace one-time compliance modules with continuous behavioral programs that include simulated phishing, vishing, and deepfake scenarios updated regularly to reflect current attack tactics.
- Implement Human Risk Scoring: Deploy systems that measure individual risk in real time based on behavioral signals, simulation performance, and exposure data, rather than relying on completion percentages.
- Train on AI-Specific Threats: Ensure employees understand deepfake video and audio attacks, AI-generated spear phishing, and voice cloning techniques, not just traditional email phishing.
- Measure Risk Reduction Over Time: Track metrics like simulation performance improvement across departments, phishing-related incident rates before and after deployment, and risk score trends to demonstrate ROI to boards.
The gap between attacker capability and organizational readiness is widening. GREYVIBE's use of AI to accelerate malware development and reduce attribution risk demonstrates that threat actors are moving faster than most security awareness programs can adapt. Organizations that continue to rely on annual compliance training and static content will find themselves increasingly vulnerable to AI-assisted social engineering campaigns designed to exploit the human layer at scale.
"If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time," noted Mohammad Kazem Hassan Nejad, WithSecure researcher.
The path forward requires organizations to treat human risk management as a continuous, data-driven discipline rather than a checkbox compliance exercise. As AI-powered attacks become faster and more convincing, the organizations that invest in ongoing behavioral training and real-time risk measurement will be the ones that actually reduce breach probability rather than merely pass compliance audits.