AI-Generated Decoys Used in Cyberattacks
Russian technology companies involved in air defense, sensitive electronics, and other defense applications have faced cyberattacks in recent weeks. According to cybersecurity firm Intezer, the attacks involved AI-generated decoy documents. Senior security researcher Nicole Fishbein said this shows how AI tools can be quickly repurposed for high-stakes operations. The campaign also provides a rare view of hacking targeting Russian entities.
Pro-Ukrainian Group Likely Behind Attacks
The attacks, not previously reported, likely come from a group known as “Paper Werewolf” or GOFFEE. Fishbein said this group has been active since 2022, focusing almost exclusively on Russian targets. Analysts believe the group is pro-Ukrainian. The hack highlights the intensity of efforts by Ukraine and its allies to gain a military advantage. Recent months have also seen drone attacks on Russian defense supply chain entities.
Examples of AI-Decoy Documents
The campaign targeted multiple Russian companies. Fishbein found documents that appeared to be AI-generated decoys. For example, one document, written in Russian, looked like a concert invitation for high-ranking officers. Another claimed to come from the Ministry of Industry and Trade, requesting price justification under government regulations.
Implications for the Russian Defense Industry
Fishbein said the campaign is unusual because it offers insight into attacks on Russian entities. She added that AI-generated decoy documents show how easily accessible AI can be misused for malicious purposes. “Emerging technologies can lower the barrier for sophisticated attacks,” she said. “Misuse, not the technology itself, remains the core problem.”
The targets, all major defense contractors, suggest the attackers wanted access to Russia’s military industry. Oleg Shakirov, a Russian cyber policy researcher, said the attackers could gain insight into the production of scopes, air defense systems, supply chains, and R&D processes. Shakirov added that it is not surprising for pro-Ukrainian hackers to spy on Russian defense companies during the war. He suggested Paper Werewolf may have broadened its focus beyond government agencies, energy, finance, and telecoms.
Attribution and Links to Other Groups
Intezer linked the operation to Paper Werewolf based on the infrastructure, software vulnerabilities exploited, and the style of the decoy documents. Fishbein noted that it remains unclear whether the group worked with a specific nation-state or another hacking group. Other analysts have suggested connections between Paper Werewolf and other pro-Ukrainian efforts.
A September 2025 report by Russian cybersecurity firm Kaspersky noted potential overlaps between Paper Werewolf and Cloud Atlas, a pro-Ukrainian hacking group active for over a decade. Check Point, another cybersecurity firm, reported that the group targets pro-Russian entities in Eastern Europe and Central Asia.
