Cyber Analysts Trace AI-Decoy Campaign to Pro-Ukrainian Hacking Group

AI-Generated Decoys Used in Cyber Espionage Targeting Russian Defense Firms

The420 Web Desk

In recent weeks, a discreet cyber-espionage campaign has pierced the defenses of Russia’s military-industrial ecosystem, using artificial intelligence not as a weapon itself, but as a convincingly human voice drafting invitations, official letters and bureaucratic requests designed to deceive.

A Quiet Campaign Comes Into View

In late autumn, cybersecurity researchers began to notice something unusual: a cluster of Russian technology and defense-linked companies receiving documents that looked routine, even banal. Some appeared to be invitations to cultural events for senior officials. Others resembled formal correspondence from government ministries seeking regulatory clarifications on pricing. Written in fluent Russian and formatted to mimic official styles, the documents carried an air of authenticity. They were not authentic.

According to an analysis by the cybersecurity firm Intezer, the documents were decoys, part of a cyber-espionage campaign that relied on AI-generated text to gain initial access to sensitive networks. The findings, shared by Intezer’s senior security researcher Nicole Fishbein, offer a rare glimpse into how widely available artificial intelligence tools are being integrated into real-world intelligence operations, particularly those targeting Russian entities during the war in Ukraine.

The campaign has not previously been reported, and its discovery underscores how difficult such operations are to detect, especially when the techniques rely less on exotic malware and more on social engineering refined by automation.

Paper Werewolf and the Problem of Attribution

Intezer attributed the activity to a group it tracks as “Paper Werewolf,” also known as GOFFEE, a hacking collective active since 2022 that has focused almost exclusively on Russian targets. The attribution is based on technical infrastructure, the vulnerabilities exploited and the construction of the decoy documents themselves.

Yet Fishbein cautioned that attribution in cyberspace remains an inexact science. While the tradecraft points toward Paper Werewolf, it is still unclear whether the hackers were operating independently or in coordination with a nation-state or another aligned group.

Other researchers have suggested deeper connections. A September 2025 report by Kaspersky, the Russian cybersecurity firm, noted potential overlaps between Paper Werewolf and Cloud Atlas, a pro-Ukrainian hacking group with a history stretching back more than a decade. Cloud Atlas has previously targeted pro-Russian organizations across Eastern Europe and Central Asia, according to Check Point Research.

Why Defense Contractors Matter

The targets identified in the campaign were not random. According to Fishbein and other analysts, they included major Russian defense contractors working on air defense systems, sensitive electronics and military supply chains.

For attackers, access to such firms can yield intelligence far beyond individual blueprints or weapons systems. As Oleg Shakirov, a Russian cyber policy researcher, explained, contractors can provide visibility into production timelines, research and development processes, and vulnerabilities within defense supply chains.

“There is nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war,” Shakirov said. What stood out, he added, was the apparent expansion of targeting beyond traditional government agencies into a wider array of industrial and commercial actors.

Such access could complement other forms of pressure, including kinetic attacks. In recent months, Ukraine and its allies have intensified strikes on defense-related infrastructure, including drone attacks on supply chain entities inside Russia, according to public reporting.

Artificial Intelligence as an Enabler, Not the Story

The use of AI-generated documents sits at the center of the campaign, but experts caution against viewing the technology itself as the primary culprit. The documents did not rely on deepfake imagery or advanced automation; rather, they demonstrated how accessible tools can lower the barrier to entry for sophisticated social engineering.

“These cases show how emerging technologies can reduce the cost and complexity of high-impact attacks,” Fishbein said. “The core problem remains misuse, not the technology itself.”

One decoy document purported to come from Russia’s Ministry of Industry and Trade, requesting pricing justifications under government regulations. Another posed as an invitation to a concert for high-ranking officers. Each was plausible enough to prompt engagement, the critical first step in many cyber intrusions.

Fishbein noted that the campaign offers a rare opportunity to study attacks on Russian entities, not because such attacks are uncommon, but because visibility into them is limited. Both Russian and Ukrainian embassies in Washington declined to comment on the findings.
