Overview
A newly identified threat actor known as GREYVIBE has been linked to ongoing AI‑powered cyber‑espionage campaigns targeting Ukraine and Ukraine‑related entities since August 2025. According to WithSecure, the group operates within the Russian time zone, aligning its activities with Kremlin‑backed intelligence objectives amid the ongoing Russo‑Ukrainian conflict.
GREYVIBE’s operations reveal a hybrid of nation‑state tactics and cybercriminal behavior, leveraging generative AI (GenAI) and large language models (LLMs) to accelerate malware development and obfuscation.

Attack Vectors
The group employs multiple delivery chains, each tailored to specific targets:
| Campaign / Component | Technique | Payload / Objective |
|---|---|---|
| PhantomMail | Spear‑phishing emails with malicious ZIP/RAR archives hosted on Google Drive and 4sync | JavaScript loaders launch decoy documents and deploy PhantomRelay RAT |
| PhantomRelay | PowerShell‑based remote access trojan | Profiles host, executes Windows commands, and maintains persistence |
| PhantomClick | Fake CAPTCHA pages on domains mimicking Zoom and LAPAS | Triggers PhantomRelay infection chain |
| PrincessClub | Fake adult‑club websites | Delivers FallSpy (Android spyware) and LegionRelay (Windows RAT) |
| DroneLink | Fake charitable foundation sites | Deploys WireGuard and LegionRelay |
| Nebo | FallSpy variant mimicking Russian military login | Deceives Ukrainian military personnel |
AI‑Driven Operations
GREYVIBE’s use of AI platforms — including Ideogram AI, OpenAI ChatGPT, and Google Gemini — provides several operational advantages:
- Accelerated malware development through automated code generation and refactoring.
- Enhanced obfuscation and loader creation to evade detection.
- Reduced attribution by replacing technical artifacts frequently.
However, WithSecure notes that AI integration has also introduced design flaws in GREYVIBE’s malware — particularly LegionRelay — exposing backend functionality and suggesting the group’s limited sophistication compared to top‑tier state actors.
Victimology
GREYVIBE’s targets span:
- Military and government institutions
- Civilian and business organizations
- Individuals connected to Ukrainian defense and logistics sectors
The group’s campaigns combine espionage motives with financial opportunism, reflecting crossover between state‑aligned hackers and cybercriminal networks.
Defensive Recommendations
Organizations should strengthen defenses against AI‑assisted threat actors by:
- Implementing behavioral detection for PowerShell and JavaScript loaders.
- Monitoring AI‑generated content for obfuscation patterns.
- Restricting access to external file‑sharing services like Google Drive and 4sync.
- Training personnel to identify spear‑phishing and fake CAPTCHA lures.
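The first recommendation, behavioral detection of the JavaScript loader to PowerShell chain described for PhantomMail and PhantomRelay, as an added example that is not part of the WithSecure report or this article: it scans Sysmon-style process-creation events for a Windows Script Host process running a script out of an archive-extraction or download folder, and for a PowerShell child of that process launched with window-hiding, profile-skipping or encoded-command switches. The events, paths and PIDs are constructed, and the staging-folder pattern is an assumption to be tuned per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events; paths, PIDs and command
# lines are invented for illustration and are not indicators from the report.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\anna\AppData\Local\Temp\Rar$DIa0.812\Invoice.pdf.js"'},
    {"pid": 4133, "ppid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="},  # placeholder blob
    {"pid": 4140, "ppid": 4101,  # the decoy document the loader opens; not flagged by itself
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\anna\AppData\Local\Temp\Rar$DIa0.812\Invoice.docx"'},
    {"pid": 5200, "ppid": 900,  # benign scheduled admin script, must stay quiet
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script types Windows Script Host runs directly when a user double-clicks them.
LOADER_SCRIPT = re.compile(r'\.(?:js|jse|wsf|vbs|vbe)"?(?:\s|$)', re.I)
# Assumed staging locations for archive contents: Temp, Downloads, WinRAR/7-Zip
# extraction folders. Extend with the paths your archive tools actually use.
STAGING_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads)\\|\\Rar\$|\\7z[0-9A-Za-z]+\\", re.I)
# PowerShell switches that hide the window, skip profile/policy or take an encoded command.
PS_EVASIVE = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|(?:ep|executionpolicy)\s+bypass"
    r"|w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?(?=\s))", re.I)


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect_js_loader_chain(events):
    """Return alerts for WSH loaders run from staging folders and the PowerShell they spawn."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name in SCRIPT_HOSTS and LOADER_SCRIPT.search(e["cmdline"]) and STAGING_PATH.search(e["cmdline"]):
            alerts.append({"rule": "wsh_loader_from_staging_dir", "severity": "medium", "pid": e["pid"]})
        elif name == "powershell.exe":
            parent = by_pid.get(e["ppid"])  # parent-child link is the behavioral signal
            if parent and basename(parent["image"]) in SCRIPT_HOSTS and PS_EVASIVE.search(e["cmdline"]):
                alerts.append({"rule": "wsh_loader_spawns_evasive_powershell", "severity": "high", "pid": e["pid"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_js_loader_chain(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample this yields a medium alert for the wscript.exe loader and a high alert for its hidden, encoded PowerShell child, while the scheduled backup script produces nothing.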
Expert in the Cloud Insight
GREYVIBE exemplifies the next evolution of hybrid warfare — where AI‑assisted cyber operations blur the line between espionage and crime. As generative AI becomes more accessible, adversaries can scale attacks faster, reduce attribution, and customize payloads with unprecedented precision.
For defenders, the challenge is clear: AI‑driven threats require AI‑driven defense. Continuous monitoring, adaptive threat intelligence, and proactive patching are essential to counter this emerging wave of machine‑augmented adversaries.