3 Sources
[1]
Russia-linked threat group put ChatGPT to work from lure to payload
Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government

Russia-linked cyber espionage crews appear to be using AI tools to help build malware, spin up infrastructure, and craft lures for attacks on Ukrainian targets.

Researchers at WithSecure say a previously undocumented threat group, tracked as "GREYVIBE," has been using OpenAI's ChatGPT, Google's Gemini, and Ideogram AI across almost every stage of its operations targeting Ukraine. The campaign has hit military, government, civilian, and business organizations since at least August 2025.

According to the report, GREYVIBE has used spear-phishing emails, fake CAPTCHA pages, and bogus Ukrainian adult club websites to lure victims into installing malware. The researchers linked the activity to Russian-speaking operators in the Moscow time zone who pursued targets aligned with Russian intelligence interests.

What caught the researchers' attention, however, was the extent to which AI appears to be embedded throughout the operation. WithSecure said it found "strong evidence" that GREYVIBE systematically relied on AI tools for lure development, malware creation, infrastructure setup, obfuscation tooling, and post-compromise activity. The company said the group's use of AI appeared "operationally integrated rather than isolated or experimental."

"The group's extensive use of GenAI and LLMs is a notable aspect of its tradecraft," wrote Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure. "GREYVIBE appears to use AI not only for isolated development tasks, but across multiple operational phases. This likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity."

Despite all the AI tooling, GREYVIBE hardly comes across as a cyber espionage dream team. WithSecure says the operators repeatedly made operational security mistakes, uploaded malware to public services, and left behind development artefacts with names including "letsrollboyos," "totallyunsus," and "cuteuwu."

In one particularly unfortunate own goal, researchers say design flaws in GREYVIBE's LegionRelay malware, which they suspect was developed with LLM assistance, exposed parts of its backend infrastructure and allowed them to monitor activity over an extended period.

The report lands as security vendors continue arguing over whether AI will produce a new generation of elite cyber operators or simply make existing criminals faster and more productive. GREYVIBE looks a lot closer to the second category. ®
[2]
GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors.

The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests, although researchers cannot confidently classify it as a nation-state operation.

Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations. The link to a Russian-speaking threat actor is supported by the language of the malware panels, comments in code artifacts, and command-and-control (C2) server time configured to UTC+3 (Moscow time).

According to the researchers, GreyVibe has used several attack chains against its targets, including:

* PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives via Google Drive and 4sync links, using decoy PDFs or fake errors while deploying malware. The observed lures impersonated Ukrainian government, emergency, telecom, and energy entities.
* PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites trick victims into running self-infecting commands through fake Cloudflare verification prompts.
* PrincessClub: Fake Ukrainian adult/dating websites delivering FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. The operators used fake female Telegram personas and later added WebRTC-based live calls that could capture the victim's audio/video.
* DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs shared infrastructure and tooling with PrincessClub campaigns.
* Nebo: Fake "СПО НЕБО" Russian military communications login pages were likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military terminal.

The diversity and quality of these lures are notable, and WithSecure says this is the result of using multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic content to support them.

The use of AI extends to the creation of tools as well, with the researchers mentioning LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all custom obfuscators that were likely developed with LLM assistance.

A PowerShell-based remote access trojan named LegionRelay was also likely developed with assistance from AI tools, the researchers say. LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup.

Another malware used by GreyVibe is PhantomRelay, also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.

Finally, the hackers employed the FallSpy Android spyware in the PrincessClub and Nebo campaigns, which is designed purely for collecting intelligence. The malware collects contact lists, call logs, device and network information, location data, media files, and SIM information.

WithSecure notes that while GreyVibe activity is consistent with a nation-state operation, the threat actor "lacked the level of sophistication and operational discipline typically associated with mature nation-state actors."

Furthermore, the PhantomRelay malware has been seen in cybercrime activity, although researchers could distinguish its usage from state-aligned operations. This led the researchers to believe that GreyVibe may include "current or former cybercriminal actors."

Some evidence pointing to this theory includes the use in early and test samples of a unique ISO builder associated with a group of former TrickBot members (UAC-0098) that targeted Ukraine at the start of the Russian invasion.

Furthermore, the threat actor uploaded development and test samples to a public scanning platform, which is not typical of nation-state actors. Additionally, a cryptocurrency miner was deployed on some victim machines.

The researchers are unsure "whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently but with state-directed tasking, or have formed a hybrid team involving state-affiliated and cybercriminal members."

Organizations can set up defenses against GreyVibe's malicious activity by using the indicators of compromise (IoCs) provided by WithSecure.
[3]
New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025.

GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war.

"The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. "Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware."

The victimology footprint spans military, government, civilian, and business-related organizations. GREYVIBE, its nation-state-affiliated activity notwithstanding, also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminal actors.

In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a "low-to-moderately sophisticated group" that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts.

GREYVIBE has been observed using multiple attack chains against its targets:

* PhantomMail, which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.
* PhantomClick, which uses ClickFix-style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that initiate a PhantomRelay infection chain.
* PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video. While FallSpy is an Android spyware capable of harvesting sensitive data from the compromised device, LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.
* DroneLink, which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.
* Nebo, which uses a FallSpy sample that mimics a Russian-language login screen, likely in an attempt to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal.

The variety of delivery vectors and tools used in the attacks likely stems from the use of AI platforms, including Ideogram AI, OpenAI ChatGPT, and Google Gemini, to assist with generating images and developing LegionRelay, as well as obfuscation and loader scripts, backend infrastructure, and post-compromise commands.

The cybersecurity company said GREYVIBE's usage of AI serves multiple advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools that could aid in attribution efforts.

"If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time," Nejad said.

That said, the use of AI has also had the side effect of introducing design flaws into LegionRelay, exposing the malware's backend functionality. This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes.

The hacking group's links to the cybercriminal ecosystem are based on multiple factors:

* Possible access to and use of an ISO builder with suspected ties to the TrickBot gang and UAC-0098
* Presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters, such as a Microsoft Teams voice phishing campaign between July 2025 and February 2026, and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware
* The upload of early development and test samples to VirusTotal
* Use of internet slang terms like "letsrollboyos," "totallyunsus," and "cuteuwu" as naming conventions for development artifacts
* The deployment of the XMRig miner on a small number of LegionRelay-infected machines

"Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members," WithSecure said. "The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team."

"The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories."
A Russia-linked threat group called GREYVIBE has been using ChatGPT, Google Gemini, and Ideogram AI throughout cyberattacks targeting Ukrainian military and government entities since August 2025. WithSecure researchers found the group integrated AI tools across malware development, infrastructure setup, and lure creation—but operational security mistakes exposed their backend systems.
A previously undocumented Russia-linked threat group tracked as GREYVIBE has been conducting AI-powered cyberattacks against Ukraine since at least August 2025, according to researchers at WithSecure [1]. The campaign targets military, government, civilian, and business organizations, with the threat actor using OpenAI's ChatGPT, Google Gemini, and Ideogram AI across nearly every stage of operations [2]. WithSecure found "strong evidence" that GREYVIBE systematically relied on AI tools for lure development, malware creation, infrastructure setup, obfuscation tooling, and post-compromise activity, marking what researchers describe as "operationally integrated rather than isolated or experimental" use of generative AI and large language models [1].
Source: The Register
The cyber espionage operation aligns with Russian intelligence interests, with researchers linking the activity to Russian-speaking operators in the Moscow time zone [3]. Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, noted that "GREYVIBE appears to use AI not only for isolated development tasks, but across multiple operational phases. This likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity" [1].

GREYVIBE has deployed several distinct attack chains against Ukrainian targets. The PhantomMail campaign uses spear-phishing emails delivering malicious ZIP or RAR archives via Google Drive and 4sync links, with decoy PDFs or fake errors shown while the malware is deployed [2]. Observed lures impersonated Ukrainian government, emergency, telecom, and energy entities. The PhantomClick vector employs fake CAPTCHA pages disguised as Zoom and LAPAS sites to trick victims into running self-infecting commands through fake Cloudflare verification prompts [2].
Source: Hacker News
The PrincessClub campaign uses fake Ukrainian adult and dating websites to deliver FallSpy Android spyware and PhantomRelay or LegionRelay Windows malware [3]. Operators used fake female Telegram personas and later added WebRTC-based live calls capable of capturing victim audio and video. The DroneLink campaign deployed fake Ukrainian military charity websites themed around FPV drones and UAVs, while the Nebo campaign used fake Russian military communications login pages likely designed to deceive Ukrainian military personnel [2].

The diversity and quality of these lures stem from using multiple AI tools to generate detailed and realistic content [2]. Malware development with AI extends to custom obfuscators including LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all likely developed with LLM assistance. LegionRelay, a PowerShell-based remote access trojan, supports file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup [2]. PhantomRelay, another PowerShell RAT, enables system fingerprinting, dynamic script loading, and command execution [2].

Despite the AI tooling, GREYVIBE repeatedly made operational security mistakes. The group uploaded malware to public services and left behind development artifacts with names including "letsrollboyos," "totallyunsus," and "cuteuwu" [1]. Design flaws in LegionRelay, suspected to have been developed with LLM assistance, exposed parts of its backend infrastructure and allowed researchers to monitor activity over an extended period [1]. WithSecure characterized GREYVIBE as a "low-to-moderately sophisticated group" lacking the operational discipline typically associated with mature nation-state actors [2].
Evidence suggests GREYVIBE may include current or former cybercriminal actors. PhantomRelay variants appeared across seemingly unrelated cybercrime activity clusters, including a Microsoft Teams voice phishing campaign between July 2025 and February 2026 [3]. Early test samples used a unique ISO builder associated with former TrickBot members and UAC-0098 that targeted Ukraine at the start of the Russian invasion [2]. Additionally, a cryptocurrency miner was deployed on some victim machines [2].
Source: BleepingComputer
Researchers remain uncertain "whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently but with state-directed tasking, or have formed a hybrid team involving state-affiliated and cybercriminal members" [2]. This case illustrates how AI tools enable less sophisticated actors to accelerate operations and bridge capability gaps, though they do not eliminate fundamental security mistakes. As the use of ChatGPT and similar tools in cyberattacks becomes more prevalent, defenders should monitor for AI-generated patterns, while traditional clustering methods based on stable technical artifacts may become less reliable over time [3].

Summarized by Navi