Nation-state | May 28, 2026

Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks

Russia-linked GreyVibe threat actor uses AI tools to accelerate cyberattacks against Ukrainian targets.

Summary

WithSecure identified GreyVibe, a Russia-nexus threat actor actively targeting Ukrainian military, government, and business entities since August 2025. The group extensively leverages ChatGPT, Gemini, and other AI tools across all attack phases—from crafting phishing lures to developing custom malware (PhantomRelay, LegionRelay, Fallspy)—to increase operational velocity and scale. While attribution remains uncertain (cybercriminal, state-aligned, or hybrid), design flaws in GreyVibe's AI-generated malware and use of informal naming conventions suggest less-elite operators compensating for capability gaps through AI-driven automation.

Full text

Attackers use AI to increase the velocity, scale and sophistication of their operations, and as AI improves, so will attackers’ use of it. GreyVibe is one to watch.

GreyVibe is a previously undocumented threat actor that WithSecure describes as a Russia-nexus group. The researchers are confident in attributing GreyVibe to Russian-speaking operators working in the Moscow time zone, but are less certain whether the group is cybercriminal, nation-state, or a mix of the two. Its primary focus, Ukrainian military, government, civilian and business entities targeted since August 2025, aligns closely with Russian state interests.

At the same time, the researchers found numerous indications that at least some GreyVibe members may be something less than elite state operators. One is their use of Internet-slang naming conventions in early-stage development artefacts, such as ‘letsrollboyos’, ‘totallyunsus’ and ‘cuteuwu’. Another is the group’s intensive use of AI across every phase of its operations, “from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling,” say the researchers; the report also lists resource development, including obfuscation and loader scripts, and post-compromise scripting. By itself this proves little, since threat actors of every tier now use AI to add velocity and scale to their attacks. However, while the researchers detected the use of top-tier AI services including Ideogram AI, ChatGPT and Google Gemini, GreyVibe also introduced design flaws into its LLM-generated LegionRelay Windows malware. Such errors are not normally associated with elite actors, and this one enabled WithSecure to monitor and track GreyVibe activity over an extended period since mid-2025.
Such mistakes are not expected from elite attackers, which may be why Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, adds: “What sets GREYVIBE apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to punch above its weight – accelerating development, filling capability gaps, and generating a largely fresh operational profile that complicates tracking and attribution. It’s a preview of how lower-sophistication actors will increasingly operate.”

GreyVibe’s initial lures and approaches are varied and heavily supported by AI. Spear-phishing emails (at least six distinct campaigns; the report makes no mention of deepfakes) directed victims to ZIP or RAR archives hosted on third-party file-sharing services such as Google Drive and 4sync. Opening the archive launched a decoy file to hold the user’s attention while a PhantomRelay (Windows malware) infection chain started in the background. A separate campaign, which the researchers call PrincessClub, used fake adult-club websites to deliver Fallspy (Android malware), and PhantomRelay or LegionRelay on Windows. Victims were steered to these sites by fake female personas operating on Telegram or dating sites.

This extensive use of AI not only compensates for capability gaps within GreyVibe but also reduces ‘historical backlinks to prior activity’. In short, it cannot be ruled out that the group has previously been tracked under a different name by other researchers, but WithSecure has found no evidence of this. What it has detected is the use of a unique ISO builder potentially linked to the TrickBot ecosystem and UAC-0098, an activity cluster likely involving former TrickBot members that has previously been observed targeting Ukraine. GreyVibe is still active, and its members remain unidentified. Going forward, its AI expertise is likely to increase.
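The archive lure described above pairs a decoy document with a payload that starts the infection chain in the background. As an added example, not code from the WithSecure report or from this article, the following Python triage routine flags ZIP archives that bundle a document-like decoy with executable content, or that use a double extension such as report.pdf.exe. The extension lists and the constructed sample archives are assumptions of this example; the report does not say which file types GreyVibe used, and RAR archives are not handled because the Python standard library has no RAR support.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Heuristic lists (an assumption of this example, not taken from the report):
# files a victim expects to open, and files Windows will run or that commonly
# start an infection chain when opened from an archive.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".txt", ".rtf", ".jpg", ".jpeg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".jse", ".vbs",
             ".vbe", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".dll", ".msi",
             ".iso", ".img"}


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    decoys: list = field(default_factory=list)
    executables: list = field(default_factory=list)


def _basename(path: str) -> str:
    # Archive members may carry directory paths; keep only the file name.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(name: str) -> str:
    base = _basename(name).lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def triage_archive(data: bytes) -> Verdict:
    """Classify ZIP members and flag the decoy-plus-payload pattern."""
    verdict = Verdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]

    for member in members:
        ext = _ext(member)
        if ext in EXEC_EXTS:
            verdict.executables.append(member)
        elif ext in DECOY_EXTS:
            verdict.decoys.append(member)

        # Double extension (report.pdf.exe): the visible part looks like a
        # document while the real, last extension is executable.
        parts = _basename(member).lower().split(".")
        if (len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS
                and "." + parts[-1] in EXEC_EXTS):
            verdict.reasons.append(f"double extension: {member}")

        # Runs of spaces push the real extension out of view in file dialogs.
        if "   " in _basename(member):
            verdict.reasons.append(f"padded file name: {member}")

    if verdict.decoys and verdict.executables:
        verdict.reasons.append(
            "document-like decoy bundled with executable content")
    elif verdict.executables:
        verdict.reasons.append("executable content with no document")

    verdict.suspicious = bool(verdict.reasons)
    return verdict


def build_lure_archive() -> bytes:
    """Constructed sample of the decoy-plus-payload pattern; not a real GreyVibe artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_confirmation.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Order_confirmation.pdf.exe", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control sample containing only documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_confirmation.pdf", b"%PDF-1.4 real document")
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_archive()),
                        ("benign", build_benign_archive())):
        v = triage_archive(blob)
        print(label, "suspicious" if v.suspicious else "clean", v.reasons)
```

The check is deliberately a mail-gateway or sandbox pre-filter rather than a verdict: a ZIP that carries both a document and an executable member is not always malicious, but it matches the decoy-plus-background-chain behaviour the report describes closely enough to merit detonation before delivery.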
“Given this extensive use, we expect the group’s tradecraft to continue evolving and diversifying, likely increasing the complexity of continuous detection, tracking, and attribution,” says WithSecure. Whether this might tempt the group to spread its activity beyond its current focus on Ukraine remains to be seen. If it really is closely aligned with Russian state activities, that is more than possible given the current state of global geopolitics.

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.

Indicators of Compromise

  • malware — PhantomRelay
  • malware — LegionRelay
  • malware — Fallspy
  • malware — TrickBot (ecosystem linked to GreyVibe’s ISO builder; not attributed to GreyVibe itself)

Entities

  • GreyVibe (threat_actor)
  • UAC-0098 (threat_actor)
  • WithSecure (vendor)
  • ChatGPT (technology)
  • Google Gemini (technology)
  • Ideogram AI (technology)