Russian technology companies working in air defense, sensitive electronics and other defense applications have been targeted in recent weeks by a cyberespionage group using AI-generated decoy documents, according to a cybersecurity analyst quoted by "Reuters".
The discovery by cybersecurity firm Intezer shows how AI tools can easily be used for high-stakes operations, said senior security researcher Nicole Fishbein, and offers a rare glimpse into hacking campaigns targeting Russian organizations.
The previously unreported campaign is likely the work of a group known as "Paper Werewolf" or GOFFEE, a hacking group active since 2022 that is widely considered pro-Ukrainian and has focused almost all of its efforts on Russian targets, Fishbein noted.
The hacking attack also shows how aggressively Ukraine and its allies are seeking to gain a military advantage in the war, which has included drone attacks on defense supply companies in recent months. The revelations come as delicate negotiations unfold over a potential end to Russia’s war in Ukraine, with Moscow threatening to seize more territory by force if Kiev and its European allies do not engage with U.S. peace overtures.
The hacking campaign targeted several Russian companies, according to allegedly AI-generated decoy documents discovered by Fishbein, who is the lead author of an analysis prepared by Intezer.
In one case, an apparently AI-generated document pretends to be an invitation written in Russian to a concert for high-ranking military officers. In another case, a document purports to be from the Russian Federation’s Ministry of Industry and Trade, requesting a price justification under government regulations on pricing, according to the analysis.
Fishbein said the campaign stands out as a rare opportunity to explore attacks on Russian organizations. "This is not necessarily because these attacks are rare, but because visibility into them is limited," she said.
The group's use of AI-generated decoy documents also demonstrates how "the available tools of AI can be used for malicious purposes," Fishbein said. "(This) shows how emerging technologies can lower the barrier to sophisticated attacks and why misuse, not the technology itself, remains the main problem."
That the targets are major defense contractors demonstrates the attackers' broad interest in the Russian military industry, said Oleg Shakirov, a cyber policy researcher in Russia, with potential access to contractors offering visibility into "the production of everything from sights to air defense systems, but also defense supply chains and R&D processes."
"There is nothing unusual about pro-Ukrainian hackers trying to spy on Russian defense companies during the war," Shakirov added, while suggesting that Paper Werewolf may have expanded its targets beyond government agencies, energy, finance and telecommunications to other sectors.
While Intezer attributes the operation to Paper Werewolf, based on the infrastructure supporting the effort, the specific software vulnerabilities used, and the way the decoy documents were constructed, Fishbein says it is an open question whether the hackers were working with a specific nation-state or another hacking group.
However, others have suggested a connection between the group and other known pro-Ukrainian hacking initiatives. A September 2025 report published by Russian cybersecurity firm Kaspersky indicated that Paper Werewolf has potential overlaps with Cloud Atlas, a pro-Ukrainian hacking group dating back more than a decade. The group is known for targeting pro-Russian organizations in Eastern Europe and Central Asia, according to cybersecurity firm Check Point.