New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

Summary

A new threat actor, GREYVIBE, has been targeting Ukraine since August 2025, aligning with Kremlin interests. The group uses spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver malware, leveraging AI to enhance their operations and develop tools.

Full text

New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks Ravie LakshmananMay 29, 2026Cyber Espionage / Artificial Intelligence A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war. "The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. "Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware." The victimology footprint spans military, government, civilian, and business-related organizations. GREYVIBE, its nation-state-affiliated activity notwithstanding, also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminal actors. In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a "low-to-moderately sophisticated group" that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts. GREYVIBE has been observed using multiple attack chains against its targets - PhantomMail, which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands. PhantomClick, which uses ClickFix-style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that initiate a PhantomRelay infection chain. PrincessClub, which uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, with subsequent iterations of the lure sites introducing a WebRTC-based live call feature to capture victim audio and video. While FallSpy is an Android spyware capable of harvesting sensitive data from the compromised device, LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism. DroneLink, which uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay. Nebo, which uses a FallSpy sample that mimics a Russian-language login screen, likely in an attempt to deceive Ukrainian military personnel into thinking they were accessing a Russian military terminal. The variety of delivery vectors and tools used in the attacks likely stems from the use of AI platforms, including Ideogram AI, OpenAI ChatGPT, and Google Gemini, to assist with generating images and developing LegionRelay, as well as obfuscation and loader scripts, backend infrastructure, and post-compromise commands. The cybersecurity company said GREYVIBE's usage of AI serves multiple advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools that could aid in attribution efforts. "If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time," Nejad said. That said, the use of AI has also had the side effect of introducing design flaws into LegionRelay, exposing the malware's backend functionality. This is another sign suggesting GREYVIBE may not be a pure nation-state actor, as sophisticated adversaries are unlikely to make such mistakes. The hacking group's links to the cybercriminal ecosystem are based on multiple factors - Possible access to and use of an ISO builder with suspected ties to the TrickBot gang and UAC-0098 Presence of PhantomRelay variants across seemingly unrelated cybercrime activity clusters, such as a Microsoft Teams voice phishing campaign between July 2025 and February 2026, and a KongTuke delivery chain between late February and late March 2026 that used ClickFix to distribute the malware. The upload of early development and test samples to VirusTotal Use of internet slang terms like "letsrollboyos," "totallyunsus," and "cuteuwu" as naming conventions for development artifacts. The deployment of XMRig miner on a small number of LegionRelay-infected machines "Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members," WithSecure said. "The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team." "The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  artificial intelligence, cyber espionage, cybersecurity, Malware, Phishing, Remote Access Trojan, Threat Intelligence, Ukraine, WithSecure ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure

Entities