Russian-Linked GREYVIBE Group Boosts AI-Powered Cyberattacks on Ukraine

Since August 2025, a previously unidentified cyber threat group known as GREYVIBE has been actively targeting Ukrainian entities across military, governmental, civilian, and business sectors. Cybersecurity firm WithSecure has linked GREYVIBE to Russian-speaking operatives functioning within the Russian time zone, aligning their activities with Kremlin interests, particularly in intelligence gathering amid the ongoing Russo-Ukrainian conflict.

GREYVIBE employs a multifaceted approach to infiltrate its targets, utilizing spear-phishing emails, counterfeit CAPTCHA pages, and deceptive Ukrainian adult club websites to distribute malware. These campaigns are characterized by custom-developed obfuscators, loaders, and malware designed to evade detection and compromise a diverse range of victims.

Notably, GREYVIBE’s operations exhibit a blend of state-sponsored objectives and connections to the Russian cybercriminal ecosystem, with some members believed to be current or former cybercriminals. This dual affiliation underscores the group’s complex nature, combining espionage with elements of cybercrime.

A significant aspect of GREYVIBE’s strategy is the integration of generative artificial intelligence (GenAI) and large language models (LLMs) to enhance their cyber operations. This AI-assisted approach facilitates the creation of sophisticated malware, obfuscation techniques, and the development of backend infrastructure, compensating for the group’s moderate technical proficiency and operational security lapses.

GREYVIBE has been observed employing multiple attack chains, including:

– PhantomMail: Utilizes spear-phishing emails containing links to malicious ZIP or RAR archives hosted on platforms like Google Drive and 4sync. These archives house JavaScript-based loaders that launch decoy documents and deploy PhantomRelay, a PowerShell-based remote access trojan (RAT) capable of profiling hosts and executing PowerShell scripts and Windows commands.

– PhantomClick: Employs fake CAPTCHA pages on fraudulent domains impersonating services such as Zoom and LAPAS. Victims are tricked into executing commands that initiate the PhantomRelay infection chain.

– PrincessClub: Distributes malware through counterfeit Ukrainian adult club websites, delivering FallSpy on Android devices and PhantomRelayV1 or LegionRelay on Windows systems. Advanced versions of these lure sites incorporate WebRTC-based live call features to capture audio and video from victims. FallSpy is an Android spyware designed to harvest sensitive data, while LegionRelay is a lightweight PowerShell-based RAT supporting file enumeration, exfiltration, screenshot capture, browser data theft, and setup of Remote Desktop Protocol (RDP) access. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.

– DroneLink: Targets users through websites masquerading as charitable foundations supporting the Armed Forces of Ukraine, delivering WireGuard and LegionRelay malware.

– Nebo: Deploys a FallSpy sample that mimics a Russian-language login screen, likely aiming to deceive Ukrainian military personnel into believing they are accessing a Russian military terminal.
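As an added defender-side illustration (not code from the WithSecure report or from this article), the classifier below runs over constructed process-creation events and flags the two PowerShell launch patterns the chains above imply: a Windows script host spawning PowerShell, which is what a JavaScript loader from a PhantomMail archive deploying the PhantomRelay RAT would look like, and PowerShell launched from the desktop shell with hidden-window or encoded-command flags, an assumed telemetry signature of a user pasting a command from a fake PhantomClick CAPTCHA page. Field names follow Sysmon's process-creation event; the parent-process assumption for the CAPTCHA case and every sample event are constructed here, not taken from the report.

```python
import re

# Script hosts that a JavaScript loader dropped from a ZIP/RAR archive runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Flags a pasted one-liner tends to carry: hidden window, encoded command, policy bypass.
SUSPICIOUS_FLAG = re.compile(
    r"(?i)(-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s"
    r"|-ep\s+bypass|-executionpolicy\s+bypass)"
)

# Constructed Sysmon-style (Event ID 1) process-creation events for the demo.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File C:\\Users\\a\\AppData\\Local\\Temp\\stage.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc <BASE64-PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\Users\\a\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a detection tag for one process-creation event, or None if it looks benign."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    if image not in POWERSHELL:
        return None
    if parent in SCRIPT_HOSTS:
        return "script-host-spawned-powershell"      # JS loader handing off to a PowerShell stage
    if parent == "explorer.exe" and SUSPICIOUS_FLAG.search(cmd):
        return "user-launched-hidden-powershell"     # assumed fake-CAPTCHA paste-and-run shape
    return None


def scan(events):
    """Index and tag of every event that trips a rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Tuning note: the explorer.exe rule will also fire on administrators who run hidden or encoded one-liners from the Run dialog, so pair it with the parent-script-host rule and with network telemetry rather than alerting on it alone.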

The diversity in GREYVIBE’s delivery vectors and tools is attributed to their use of AI platforms, including Ideogram AI, OpenAI’s ChatGPT, and Google’s Gemini. These technologies assist in generating images, developing malware like LegionRelay, creating obfuscation and loader scripts, establishing backend infrastructure, and formulating post-compromise commands.

WithSecure’s analysis highlights that GREYVIBE’s utilization of AI offers multiple advantages, such as bridging technical skill gaps and enhancing the sophistication of their cyber operations. However, the group’s operational security missteps provide valuable insights into their methodologies and objectives.

The emergence of GREYVIBE underscores the evolving landscape of cyber threats, where state-affiliated groups increasingly leverage AI to conduct espionage and cyberattacks. This development necessitates heightened vigilance and adaptive cybersecurity measures to counteract such sophisticated threats.