Skip to main content
Emerging ThreatsMalware & Ransomware

Russia-Linked GREYVIBE Exploits AI in Ukraine Cyberattacks

Laptop on a cluttered wooden desk in a small Ukrainian office with blurred screen.

"The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis.

GREYVIBE's timeline, profile, and targets

WithSecure attributes a previously undocumented actor it calls GREYVIBE to persistent campaigns against Ukraine and Ukraine-related entities dating back to at least August 2025. The company assesses GREYVIBE is a Russian‑speaking group operating broadly in the Russian time zone and that its activity aligns with Kremlin state interests in intelligence gathering related to the Russo‑Ukrainian war. Victims span military, government, civilian, and business-related organizations.

Five named attack chains and what they deliver

  • PhantomMail: Spear‑phishing emails deliver links to ZIP or RAR archives hosted on Google Drive and 4sync. These archives contain JavaScript-based loaders that launch a decoy document and a PowerShell-based RAT family known as PhantomRelay that profiles hosts and runs scripts and Windows commands.
  • PhantomClick: Fake CAPTCHA pages (ClickFix-style) hosted on bogus domains impersonating Zoom and LAPAS trick users into running commands that initiate a PhantomRelay infection chain.
  • PrincessClub: Fraudulent Ukrainian adult‑club websites delivered Android spyware FallSpy and Windows RATs such as PhantomRelayV1 or LegionRelay. Later lure pages added a WebRTC-based live call feature to capture victim audio and video. LegionRelay supports file enumeration and exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup; PhantomRelayV1 includes a custom watchdog persistence mechanism.
  • DroneLink: Malicious websites masquerading as charitable foundations supporting the Armed Forces of Ukraine were used to deliver WireGuard and LegionRelay.
  • Nebo: A FallSpy sample mimicked a Russian‑language login screen, likely intended to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal.

AI and LLM tooling observed in GREYVIBE operations

WithSecure reports evidence that GREYVIBE uses generative AI and large language models — specifically Ideogram AI, OpenAI ChatGPT, and Google Gemini — to assist with image generation and to develop components such as LegionRelay, obfuscation and loader scripts, backend infrastructure, and post‑compromise commands. The company explains the advantages: AI can bridge technical gaps, accelerate development, and reduce reliance on previously known tools that might aid attribution.

Mohammad Kazem Hassan Nejad warned of a broader operational implication: "If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time." At the same time, WithSecure notes that AI assistance introduced design flaws into LegionRelay that exposed backend functionality — a sign the group is “low‑to‑moderately” sophisticated and may include actors with non‑state‑level operational practices.

Ties to the cybercrime ecosystem and operational security lapses

GREYVIBE displays connections to the criminal ecosystem. WithSecure points to multiple indicators: possible use of an ISO builder with suspected ties to the TrickBot gang and UAC‑0098; PhantomRelay variants appearing in unrelated cybercrime clusters (including a Microsoft Teams voice phishing campaign from July 2025 to February 2026 and a KongTuke delivery chain in late February–late March 2026 that used ClickFix); early development and test samples uploaded to VirusTotal; developer naming conventions using internet slang like "letsrollboyos," "totallyunsus," and "cuteuwu"; and deployment of an XMRig miner on a small number of LegionRelay‑infected hosts.

Collectively, WithSecure assesses with moderate confidence that GREYVIBE has ties to the broader cybercrime ecosystem and with low‑to‑moderate confidence that it involves current or former cybercriminal members. The company explicitly states the exact nature of any relationship to the Russian state is unclear: members might have been absorbed into state activity, operate under state‑directed tasking, or form a hybrid team. "The group occupies a grey area between cybercrime and state‑affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories," WithSecure concluded.

What this means for Ukrainian military, security teams, and enterprises

  • Ukrainian military and Ukraine‑related entities: GREYVIBE has targeted this community with lures that mimic Russian login screens and charitable or social sites; they should expect multi‑vector social engineering that attempts to harvest credentials, audio/video, and device data.
  • Security teams and technologists: Defenders should note the varied delivery methods — hosted archives on Google Drive and 4sync, ClickFix fake CAPTCHA pages, WebRTC call features, Android spyware, and PowerShell‑based RATs — and consider detection and containment for both endpoint telemetry and web‑hosted lure infrastructure.
  • Enterprises and organizations outside government: The presence of LegionRelay variants in crimeware campaigns and the occasional deployment of a crypto miner underscore that GREYVIBE tooling can appear in financially motivated activity as well as espionage, increasing the chance of collateral infections across sectors.

GREYVIBE illustrates a hybrid operating model where AI accelerates tooling while human errors and cross‑pollination with criminal ecosystems leave forensic traces. Defenders and analysts will be watching whether AI‑assisted refactoring erodes familiar signatures and whether operational mistakes continue to provide the forensic footholds needed for attribution.

Source: The Hacker News — New Russian‑Linked GREYVIBE Targets Ukraine