
New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

Cyber RT · May 30, 2026 · 3 min read

GREYVIBE, a newly identified threat actor, has been targeting Ukraine since August 2025, aligning with Kremlin interests. This Russian-speaking group uses spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver malware, affecting military, government, and business entities. GREYVIBE employs AI to enhance operations but suffers from security flaws, suggesting ties to the Russian cybercrime ecosystem. Their activities blur lines between cybercrime and state-affiliated actions.

The newly identified threat actor, GREYVIBE, has been actively targeting Ukraine and related entities since at least August 2025. According to cybersecurity firm WithSecure, GREYVIBE is believed to be a Russian-speaking group operating within the Russian time zone, with activities that align with Kremlin interests, particularly in intelligence gathering related to the ongoing Russo-Ukrainian conflict.

GREYVIBE employs a variety of attack methods, including spear-phishing emails, fake CAPTCHA pages, and fraudulent Ukrainian adult club websites, to deliver malware to a wide range of victims. These victims include military, government, civilian, and business organizations. The group uses custom-developed obfuscators, loaders, and malware, indicating a sophisticated approach to cyberattacks. The group is also linked to the broader Russian cybercrime ecosystem, with some members suspected to be current or former cybercriminals.

GREYVIBE's operations are enhanced by the use of generative artificial intelligence (GenAI) and large language models (LLMs), which aid in malware development and operational efficiency. Despite this, the group is characterized as "low-to-moderately sophisticated" due to operational security errors.

GREYVIBE utilizes multiple attack chains, such as PhantomMail, which distributes malicious archives via spear-phishing emails, and PhantomRelay, a PowerShell-based remote access trojan (RAT). Other methods include PhantomClick, which uses fake CAPTCHA pages, and PrincessClub, which delivers spyware through fake adult club websites. These attacks target both Android and Windows devices, employing various tools like FallSpy and LegionRelay. The group also uses DroneLink, which masquerades as charitable foundations to deliver malware, and Nebo, which deceives Ukrainian military personnel with a fake Russian login screen.

The diversity in attack vectors and tools is likely due to the use of AI platforms to generate images, develop malware, and create obfuscation scripts. GREYVIBE's use of AI offers several advantages, such as bridging technical gaps and accelerating development. However, it also introduces design flaws, as seen in LegionRelay, which exposes backend functionality. These flaws suggest that GREYVIBE may not be a purely nation-state actor, as more sophisticated adversaries typically avoid such mistakes. The group's ties to the cybercriminal ecosystem are evidenced by its use of tools linked to known cybercrime groups, such as TrickBot, and the presence of PhantomRelay variants in unrelated cybercrime activities. Naming conventions and the deployment of XMRig miner on infected machines further indicate these connections. WithSecure assesses that GREYVIBE operates in a grey area between cybercrime and state-affiliated activities, complicating attribution efforts.