Russian-Linked GREYVIBE Hacking Group Uses AI to Target Ukraine
- May 29
- 3 min read
Key Findings
Russian-linked threat actor GREYVIBE has conducted persistent cyberattacks against Ukraine and Ukrainian entities since at least August 2025
The group operates from Russian time zones and aligns with Kremlin state interests, particularly intelligence gathering related to the Russo-Ukrainian war
GREYVIBE employs five distinct attack chains using spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom malware
The group leverages generative AI and large language models to accelerate malware development, generate images, and create obfuscation scripts
Evidence indicates GREYVIBE has connections to the Russian cybercrime ecosystem and likely includes current or former cybercriminal members
Assessment indicates low-to-moderate sophistication with operational security failures suggesting hybrid criminal-state nexus rather than pure nation-state actor
Background
WithSecure researchers identified GREYVIBE as a previously undocumented threat actor targeting military, government, civilian, and business organizations across Ukraine and Ukraine-related entities. The group operates during Russian business hours and its activities directly support Russian state intelligence objectives in the ongoing conflict. What distinguishes GREYVIBE from traditional nation-state actors is its blended operational model - state-aligned objectives paired with ties to cybercriminal networks and consistent operational security mistakes typical of less experienced groups.
Attack Infrastructure and Delivery Methods
GREYVIBE deploys five primary attack chains, each with distinct lures and payloads. PhantomMail uses spear-phishing emails containing links to malicious archives hosted on Google Drive and 4sync, delivering JavaScript-based loaders that execute PhantomRelay. PhantomClick mimics ClickFix-style attacks with fake CAPTCHA pages impersonating Zoom and LAPAS services to trick users into running commands that trigger PhantomRelay infections.
PrincessClub represents the group's most elaborate social engineering effort, deploying fake Ukrainian adult-club websites to distribute FallSpy Android spyware or Windows RATs. Later iterations added WebRTC-based live video features to capture audio and video from compromised devices in real time.
DroneLink uses websites masquerading as charitable foundations supporting the Ukrainian Armed Forces to deliver WireGuard VPN software alongside LegionRelay. Nebo deploys FallSpy variants mimicking Russian military login screens, apparently designed to deceive Ukrainian military personnel into believing they were accessing legitimate Russian systems.
Custom Malware Arsenal
The group developed multiple custom tools including PhantomRelay, a PowerShell-based remote access trojan capable of profiling hosts and executing arbitrary PowerShell scripts and Windows commands. PhantomRelayV1 adds a custom watchdog persistence mechanism. LegionRelay is a lightweight PowerShell RAT supporting file enumeration, exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data theft, and RDP access setup.
FallSpy functions as Android spyware designed to harvest sensitive data from compromised mobile devices. These tools employ custom obfuscators and loaders that reduce reliance on known malware signatures, complicating attribution and clustering efforts.
AI-Assisted Development and Operations
GREYVIBE extensively leverages AI platforms including OpenAI ChatGPT, Google Gemini, and Ideogram AI across multiple operational phases. The group uses AI for image generation, malware code development, obfuscation script creation, backend infrastructure design, and post-compromise command generation.
This reliance on AI provides distinct operational advantages. It bridges technical expertise gaps, accelerates development cycles, and enables rapid generation and replacement of malware components to evade traditional technical artifact-based clustering methods. As researchers increasingly depend on stable technical indicators for attribution, a group capable of frequently regenerating its toolset becomes progressively harder to track.
Operational Security Failures and Design Flaws
Despite AI assistance, GREYVIBE exhibits numerous operational security failures inconsistent with sophisticated nation-state actors. Design flaws in LegionRelay exposed backend functionality to researchers. The group uploaded early development and test samples to VirusTotal during development phases. Development artifacts were named using internet slang including "letsrollboyos," "totallyunsus," and "cuteuwu."
Most notably, the group deployed XMRig cryptocurrency miners on infected machines - activity inconsistent with disciplined intelligence operations but typical of cybercriminal actors. These mistakes suggest GREYVIBE represents a hybrid threat combining state-aligned objectives with less mature operational tradecraft.
Links to Russian Cybercrime Networks
Evidence indicates GREYVIBE maintains connections to the broader Russian cybercrime ecosystem. The group appears to have access to ISO builder tools with suspected ties to the TrickBot gang and UAC-0098. PhantomRelay variants appeared in seemingly unrelated cybercrime campaigns including a Microsoft Teams voice-phishing operation between July 2025 and February 2026, and a separate KongTuke delivery chain using ClickFix between late February and March 2026.
These overlaps suggest either shared access to common tools, operational cross-contamination, or potential membership overlap between GREYVIBE and established cybercriminal groups. The blurred boundaries between state-aligned activity and cybercriminal operations complicate traditional attribution frameworks and suggest a less hierarchical command structure than typical APT operations.
Sources
https://thehackernews.com/2026/05/new-russian-linked-greyvibe-targets.html
https://securityaffairs.com/192877/apt/meet-greyvibe-the-russian-linked-hacking-group-using-ai-to-target-ukraine-and-still-making-rookie-mistakes.html
https://x.com/Dinosn/status/2060353659964149974
https://www.linkedin.com/posts/dlross_new-russian-linked-greyvibe-targets-ukraine-activity-7466231909371576320-j32H
https://x.com/TheCyberSecHub/status/2060331155078140005
https://www.reddit.com/r/SecOpsDaily/comments/1tr1aeb/new_russianlinked_greyvibe_targets_ukraine_with

Comments