top of page

Russian-Linked GREYVIBE Hacking Group Uses AI to Target Ukraine

  • May 29
  • 3 min read

Key Findings


  • Russian-linked threat actor GREYVIBE has conducted persistent cyberattacks against Ukraine and Ukrainian entities since at least August 2025

  • The group operates from Russian time zones and aligns with Kremlin state interests, particularly intelligence gathering related to the Russo-Ukrainian war

  • GREYVIBE employs five distinct attack chains using spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom malware

  • The group leverages generative AI and large language models to accelerate malware development, generate images, and create obfuscation scripts

  • Evidence indicates GREYVIBE has connections to the Russian cybercrime ecosystem and likely includes current or former cybercriminal members

  • Assessment indicates low-to-moderate sophistication with operational security failures suggesting hybrid criminal-state nexus rather than pure nation-state actor


Background


WithSecure researchers identified GREYVIBE as a previously undocumented threat actor targeting military, government, civilian, and business organizations across Ukraine and Ukraine-related entities. The group operates during Russian business hours and its activities directly support Russian state intelligence objectives in the ongoing conflict. What distinguishes GREYVIBE from traditional nation-state actors is its blended operational model - state-aligned objectives paired with ties to cybercriminal networks and consistent operational security mistakes typical of less experienced groups.


Attack Infrastructure and Delivery Methods


GREYVIBE deploys five primary attack chains, each with distinct lures and payloads. PhantomMail uses spear-phishing emails containing links to malicious archives hosted on Google Drive and 4sync, delivering JavaScript-based loaders that execute PhantomRelay. PhantomClick mimics ClickFix-style attacks with fake CAPTCHA pages impersonating Zoom and LAPAS services to trick users into running commands that trigger PhantomRelay infections.


PrincessClub represents the group's most elaborate social engineering effort, deploying fake Ukrainian adult-club websites to distribute FallSpy Android spyware or Windows RATs. Later iterations added WebRTC-based live video features to capture audio and video from compromised devices in real time.


DroneLink uses websites masquerading as charitable foundations supporting the Ukrainian Armed Forces to deliver WireGuard VPN software alongside LegionRelay. Nebo deploys FallSpy variants mimicking Russian military login screens, apparently designed to deceive Ukrainian military personnel into believing they were accessing legitimate Russian systems.


Custom Malware Arsenal


The group developed multiple custom tools including PhantomRelay, a PowerShell-based remote access trojan capable of profiling hosts and executing arbitrary PowerShell scripts and Windows commands. PhantomRelayV1 adds a custom watchdog persistence mechanism. LegionRelay is a lightweight PowerShell RAT supporting file enumeration, exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data theft, and RDP access setup.


FallSpy functions as Android spyware designed to harvest sensitive data from compromised mobile devices. These tools employ custom obfuscators and loaders that reduce reliance on known malware signatures, complicating attribution and clustering efforts.


AI-Assisted Development and Operations


GREYVIBE extensively leverages AI platforms including OpenAI ChatGPT, Google Gemini, and Ideogram AI across multiple operational phases. The group uses AI for image generation, malware code development, obfuscation script creation, backend infrastructure design, and post-compromise command generation.


This reliance on AI provides distinct operational advantages. It bridges technical expertise gaps, accelerates development cycles, and enables rapid generation and replacement of malware components to evade traditional technical artifact-based clustering methods. As researchers increasingly depend on stable technical indicators for attribution, a group capable of frequently regenerating its toolset becomes progressively harder to track.


Operational Security Failures and Design Flaws


Despite AI assistance, GREYVIBE exhibits numerous operational security failures inconsistent with sophisticated nation-state actors. Design flaws in LegionRelay exposed backend functionality to researchers. The group uploaded early development and test samples to VirusTotal during development phases. Development artifacts were named using internet slang including "letsrollboyos," "totallyunsus," and "cuteuwu."


Most notably, the group deployed XMRig cryptocurrency miners on infected machines - activity inconsistent with disciplined intelligence operations but typical of cybercriminal actors. These mistakes suggest GREYVIBE represents a hybrid threat combining state-aligned objectives with less mature operational tradecraft.


Links to Russian Cybercrime Networks


Evidence indicates GREYVIBE maintains connections to the broader Russian cybercrime ecosystem. The group appears to have access to ISO builder tools with suspected ties to the TrickBot gang and UAC-0098. PhantomRelay variants appeared in seemingly unrelated cybercrime campaigns including a Microsoft Teams voice-phishing operation between July 2025 and February 2026, and a separate KongTuke delivery chain using ClickFix between late February and March 2026.


These overlaps suggest either shared access to common tools, operational cross-contamination, or potential membership overlap between GREYVIBE and established cybercriminal groups. The blurred boundaries between state-aligned activity and cybercriminal operations complicate traditional attribution frameworks and suggest a less hierarchical command structure than typical APT operations.


Sources


  • https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html

  • https://securityaffairs.com/192877/apt/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-rookie-mistakes.html

  • https://x.com/Dinosn/status/2060353659964149974

  • https://www.linkedin.com/posts/dlross_new-russian-linked-greyvibe-targets-ukraine-activity-7466231909371576320-j32H

  • https://x.com/TheCyberSecHub/status/2060331155078140005

  • https://www.reddit.com/r/SecOpsDaily/comments/1tr1aeb/new_russianlinked_greyvibe_targets_ukraine_with

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page