Skip to main content
Emerging ThreatsMalware & Ransomware

GreyVibe hackers wield AI tools to fuel multi-sector cyberattacks

Empty office interior with a single open laptop on a desk.

"lacked the level of sophistication and operational discipline typically associated with mature nation-state actors," WithSecure concluded after analysing a campaign that mixes AI-generated social engineering with a broad custom malware toolset.

GreyVibe’s targets, timeline, and discovery

WithSecure discovered activity by a likely Russian threat group tracked as GreyVibe in January 2026 and traces the campaign back to at least August 2025. The group has focused its operations on Ukrainian or Ukraine-related organisations, using multiple attack chains to target military, government, civilian, and business sectors.

AI-generated lures: ChatGPT, Ideogram AI, and Google Gemini

Researchers say GreyVibe employed several AI tools — including ChatGPT, Ideogram AI, and Google Gemini — to generate detailed, realistic content supporting their lures. Those lures appeared across a variety of delivery techniques and decoy sites:

  • PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives through Google Drive and 4sync links, using decoy PDFs or fake errors. Observed lures impersonated Ukrainian government, emergency, telecom, and energy entities.
  • PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites that trick victims into running self-infecting commands via fake Cloudflare verification prompts.
  • PrincessClub: Fake Ukrainian adult and dating websites that delivered FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. Operators used fake female Telegram personas and later added WebRTC-based live calls capable of capturing a victim’s audio and video.
  • DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs that shared infrastructure and tooling with PrincessClub campaigns.
  • Nebo: Fake “СПО НЕБО” Russian military communications login pages likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military terminal.

LegionRelay, PhantomRelay, FallSpy, and custom obfuscators

GreyVibe’s toolkit included multiple PowerShell-based remote access trojans and Android spyware. WithSecure attributes several capabilities to AI-assisted development:

  • LegionRelay: A PowerShell-based RAT likely developed with AI assistance. It supports file theft, screenshot capture, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup.
  • PhantomRelay: Another PowerShell RAT used for system fingerprinting, dynamic script loading, and executing PowerShell and Windows commands.
  • FallSpy: Android spyware used in the PrincessClub and Nebo campaigns, designed to collect contact lists, call logs, device and network information, location data, media files, and SIM information.
  • Custom obfuscators: Named components LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP were observed; WithSecure notes these obfuscators were likely developed with large language model assistance.

Evidence of Russian-language ties and criminal overlaps

While the campaign “appears to align with Russian state interests,” researchers stopped short of confidently classifying GreyVibe as a nation-state operation. The link to a Russian-speaking actor rests on multiple data points: malware panel language, comments in code artifacts, and command-and-control servers configured to UTC+3 (Moscow time).

At the same time, WithSecure highlighted signs of cybercriminal involvement or heritage: early and test samples used a unique ISO builder associated with a group of former TrickBot members (UAC-0098) that targeted Ukraine at the start of the Russian invasion; PhantomRelay has been seen in cybercrime activity though its use in state-aligned operations could be distinguished; the actor even uploaded development and test samples to a public scanning platform — behaviour atypical for nation-state operators. Some victim machines also received a cryptocurrency miner.

What this means for security teams, Ukrainian organisations, and general users

Security teams: WithSecure provides indicators of compromise (IoCs) that organisations can use to detect and defend against GreyVibe activity. Automated pentesting tools “deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold,” a point the researchers highlight when considering defensive validation.

Ukrainian or Ukraine-related organisations: The campaign’s lures specifically impersonated Ukrainian government, emergency, telecom, energy, and military-themed services, including fake charity and communications portals. Those entities — and partners supporting them — are explicit targets in the observed activity.

End users: The threat actor’s use of deceptive webpages, fake Cloudflare verification prompts, and social-engineered Telegram personas demonstrates a focus on convincing victims to run commands or install packages. Android users exposed to PrincessClub or Nebo decoys risk comprehensive data collection via FallSpy.

GreyVibe’s campaign illustrates a converging trend: AI tools used to produce highly credible lures and to assist malware development, combined with artefacts that point both to a Russian-speaking origin and to operators with cybercriminal lineage. Whether the result is a hybrid organisation, absorbed criminal actors working under state direction, or an independent group following state-aligned tasking remains unresolved — and that ambiguity is the campaign’s clearest operational risk.

Source: BleepingComputer — GreyVibe hackers use ChatGPT, Gemini to power cyberattacks