Russia-Linked GreyVibe Group Uses AI to Supercharge Cyberattacks Against Ukraine
WithSecure researchers have identified GreyVibe, a Russia-linked threat actor, extensively using AI tools like ChatGPT and Gemini to enhance phishing, malware development, and reconnaissance operations targeting Ukrainian entities.

Researchers at WithSecure have uncovered a previously undocumented threat actor, GreyVibe, which is heavily leveraging artificial intelligence to bolster its cyberattack capabilities. The group, assessed to be linked to Russian-speaking operators in the Moscow time zone, has been active since August 2025, primarily targeting Ukrainian military, government, civilian, and business entities. The use of AI across multiple phases of operations marks a significant evolution in how state-aligned and criminal groups are scaling their attacks.
GreyVibe employs AI tools including ChatGPT, Google Gemini, and Ideogram AI for a wide range of tasks. These include generating convincing phishing lures, crafting malicious code, automating reconnaissance, and developing custom malware. The group's reliance on AI compensates for capability gaps and leaves fewer traceable links to prior activity, complicating tracking and attribution. WithSecure notes that GreyVibe's operational ambition, powered by AI, allows it to punch above its weight.
The group's initial access methods are varied and AI-supported. Spear-phishing emails direct victims to ZIP or RAR archives hosted on third-party file-sharing services such as Google Drive and 4sync. These archives open decoy files while simultaneously initiating infection chains for the PhantomRelay or LegionRelay Windows malware. Another campaign, dubbed PrincessClub, uses fake adult-club websites to deliver FallSpy Android malware and PhantomRelay or LegionRelay on Windows, with victims lured via fake female personas on Telegram or dating sites.
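The decoy-plus-launcher layout described above is a pattern a defender can triage before the archive ever reaches a user. The script below is an added example, not WithSecure's code and not derived from GreyVibe samples: it assumes a generic lure layout in which a benign-looking document sits next to a shortcut, script or executable that starts the infection chain, and the extension lists it uses are assumptions rather than details from the report. It handles ZIP only (RAR needs a third-party library such as rarfile), and the sample archives it inspects are constructed inline.

```python
"""Triage a ZIP archive for the decoy-document-plus-launcher lure pattern.

Added example; not part of the original article or the WithSecure report.
Assumptions: a lure archive pairs a document the victim expects with a
launcher file, and launchers often masquerade with a double extension
(e.g. report.pdf.lnk). Extension lists below are assumptions.
"""
import io
import zipfile
from dataclasses import dataclass, field

# File types commonly used to start an infection chain from an archive (assumption).
LAUNCHER_EXT = {".lnk", ".exe", ".scr", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".hta", ".msi"}
# File types a victim expects in a "report" or "photos" archive (assumption).
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    launchers: list = field(default_factory=list)
    decoys: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    base = _basename(path)
    return base[base.rfind("."):].lower() if "." in base else ""


def _double_extension(path: str) -> bool:
    """True for names like 'invoice.pdf.lnk': document extension hiding a launcher."""
    parts = _basename(path).lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXT and "." + parts[-1] in LAUNCHER_EXT


def triage_zip(data: bytes) -> Verdict:
    """Classify archive bytes; suspicious when a decoy is paired with a launcher,
    when a launcher carries a document double extension, or when a Windows
    shortcut (.lnk) is present at all, since shortcuts are rarely mailed legitimately."""
    v = Verdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in LAUNCHER_EXT:
                v.launchers.append(info.filename)
                if _double_extension(info.filename):
                    v.reasons.append(f"document double extension hides launcher: {info.filename}")
                if ext == ".lnk":
                    v.reasons.append(f"Windows shortcut inside archive: {info.filename}")
            elif ext in DECOY_EXT:
                v.decoys.append(info.filename)
    if v.launchers and v.decoys:
        v.reasons.append("decoy document paired with launcher in one archive")
    v.suspicious = bool(v.reasons)
    return v


def build_sample(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real GreyVibe artifacts): one lure, one benign photo archive.
LURE_ZIP = build_sample({
    "report/report_2025.pdf": b"%PDF-1.4 decoy document",
    "report/report_2025.pdf.lnk": b"L\x00\x00\x00\x01\x14\x02\x00",  # shortcut header bytes
})
BENIGN_ZIP = build_sample({
    "photos/img001.jpg": b"\xff\xd8\xff",
    "photos/img002.jpg": b"\xff\xd8\xff",
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        verdict = triage_zip(blob)
        print(label, "suspicious" if verdict.suspicious else "clean", verdict.reasons)
```

Run as a mail-gateway or sandbox pre-filter, a verdict of this kind is a cheap first pass that forces the operator to either drop the decoy (making the lure less convincing) or the launcher (breaking the chain); it says nothing about the payload itself, so it complements rather than replaces detonation of the archive contents.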
Despite the extensive use of AI, GreyVibe has made operational mistakes. The researchers detected design flaws in its LLM-generated LegionRelay malware, which allowed them to monitor and track the group's activity over an extended period. Such errors are not typical of elite state-sponsored actors, leading WithSecure to suggest that GreyVibe may be a mix of cybercriminal and nation-state elements, or a lower-sophistication actor empowered by AI.
WithSecure also found evidence linking GreyVibe to a unique ISO builder potentially associated with the TrickBot ecosystem and UAC-0098, an activity cluster involving former TrickBot members previously observed targeting Ukraine. This connection suggests possible overlap with known cybercriminal infrastructure.
The group remains active, and its members are still unidentified. WithSecure expects GreyVibe's tradecraft to continue evolving as its AI expertise grows, increasing the complexity of detection and attribution. Whether the group will expand its focus beyond Ukraine remains uncertain, but its alignment with Russian state interests makes broader targeting plausible given the current geopolitical landscape.
This case underscores a broader trend: the adoption of AI by threat actors to accelerate development, fill capability gaps, and generate fresh operational profiles. As AI tools become more accessible, even lower-sophistication groups can mount sophisticated campaigns, posing new challenges for defenders.
WithSecure's full report, published alongside this article, details five distinct attack chains used by GreyVibe — PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo — each employing AI-generated lures and custom malware such as the FallSpy Android spyware and the LegionRelay PowerShell RAT. The researchers note that while the group's activity aligns with Russian state interests, the deployment of a cryptocurrency miner on some victims' machines and sloppy operational security (for example, uploading test samples to public scanning platforms) suggest the group may include current or former cybercriminal actors, possibly linked to UAC-0098, the cluster of former TrickBot members noted above.