Key Takeaways

- GreyVibe has run a 10-month cyberespionage campaign targeting Ukrainian organizations using AI-generated content and malware
- The group uses ChatGPT, Gemini, and Ideogram AI to create phishing lures, fake websites, and custom hacking tools
- AI-generated code leaves detectable patterns that security researchers can use to track threat actors
AI as a Force Multiplier for Cyberespionage
A threat group with likely ties to Russia has turned commercial AI tools into weapons. The group, tracked as GreyVibe by cybersecurity firm WithSecure, has been using ChatGPT, Google Gemini, and image generator Ideogram AI to power a cyberespionage campaign against Ukrainian targets since at least August 2025.
WithSecure discovered the activity in January 2026. The researchers found that GreyVibe uses AI not just for writing phishing emails, but for building custom malware, creating realistic fake websites, and generating visual content that makes their lures more convincing.
“The use of AI is clearly lowering the barrier to entry, enabling actors with low-to-moderate technical skill to execute persistent and complex cyberespionage campaigns at scale.”
— WithSecure Research Team
The link to Russian-speaking operators comes from several technical indicators. The malware control panels use Russian language. Code comments are written in Russian. And the command-and-control servers are configured to Moscow time (UTC+3). WithSecure stopped short of calling it a nation-state operation, but noted the campaign aligns with Russian state interests.
Five Attack Chains, One Playbook
GreyVibe runs multiple attack campaigns simultaneously, each with a distinct approach. WithSecure identified five primary attack chains:
- PhantomMail: Spear-phishing emails with malicious ZIP or RAR files delivered through Google Drive and 4sync links. The emails impersonate Ukrainian government, emergency services, telecom, and energy organizations.
- PhantomClick: Fake CAPTCHA pages disguised as Zoom and LAPAS sites. Victims are tricked into running self-infecting commands through fake Cloudflare verification prompts.
- PrincessClub: Fake Ukrainian adult and dating websites that deliver Android spyware (FallSpy) and Windows malware (PhantomRelay, LegionRelay). The operators created fake female Telegram personas and later added WebRTC video calls to capture victims' audio and video.
- DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs. These share infrastructure with the PrincessClub campaigns.
- Nebo: Fake Russian military communications login pages designed to trick Ukrainian military personnel into thinking they're accessing a Russian military terminal.

AI-Built Malware and Obfuscation Tools
The AI assistance goes beyond content creation. WithSecure found that GreyVibe likely used large language models to develop several custom tools. These include LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all obfuscation tools designed to hide malicious code from security software.
The group's primary weapon is LegionRelay, a PowerShell-based remote access trojan that WithSecure believes was built with AI assistance. LegionRelay can steal files, capture screenshots, grab browser credentials, extract data from Telegram and WhatsApp, and set up remote desktop access for the attackers.
A second RAT called PhantomRelay handles system fingerprinting and dynamic script loading. Both tools give GreyVibe persistent access to compromised systems.

AI Leaves a Trail
Here's the twist. The same AI tools that make GreyVibe more productive also make them easier to track. Security researchers identified distinct patterns in AI-generated code and images that function like a digital fingerprint.
Discussion on Reddit's r/cybersecurity and Hacker News has focused on these "AI-native" error patterns. Multiple security professionals noted that while AI speeds up attack development, the structural quirks in AI-generated content give defenders new ways to identify automated attacks.
WithSecure tracked GreyVibe for nearly a year by exploiting these patterns. The group's heavy reliance on AI-generated infrastructure created unique flaws that researchers could follow across campaigns.
Logicity's Take
What Organizations Should Watch For
GreyVibe's tactics offer a preview of what AI-enhanced attacks look like in practice. The quality of their phishing content is notably high. Emails and websites look professional. The decoy documents are convincing. The fake CAPTCHA pages could fool trained users.
Organizations connected to Ukraine or Ukrainian interests should treat this as an active threat. But the techniques GreyVibe uses will spread. Other groups will adopt similar AI-assisted methods. Security teams everywhere should prepare for phishing campaigns that look more polished and vary more rapidly than traditional attacks.
Frequently Asked Questions
What is GreyVibe?
GreyVibe is a likely Russian threat group discovered by WithSecure that uses AI tools like ChatGPT and Gemini to conduct cyberespionage against Ukrainian organizations. The group has been active since at least August 2025.
How do hackers use ChatGPT for cyberattacks?
GreyVibe uses ChatGPT and similar AI tools to write convincing phishing emails, create fake websites, generate realistic visual content, and develop custom malware and code obfuscation tools.
Can AI-generated malware be detected?
Yes. AI-generated code and content often contain distinctive patterns or structural quirks that security researchers can identify. WithSecure tracked GreyVibe for nearly a year by exploiting these AI fingerprints.
Who is being targeted by GreyVibe?
GreyVibe primarily targets Ukrainian or Ukraine-related organizations across military, government, civilian, and business sectors. Their phishing campaigns impersonate Ukrainian government agencies, energy companies, and telecom providers.
What malware does GreyVibe use?
The group uses several custom tools including LegionRelay and PhantomRelay (PowerShell RATs), FallSpy (Android spyware), and multiple code obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP).
Need Help Implementing This?
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
Browse all
SD-WAN Security Flaw: What CEOs Must Do by Friday
CISA has flagged an actively exploited vulnerability in Cisco's SD-WAN Manager, giving federal agencies just four days to patch. For enterprises running Cisco SD-WAN infrastructure, this isn't just a government mandate. It's a wake-up call about network security debt that could cost millions in breach response.

Apache ActiveMQ Vulnerability: 6,400 Servers at Risk
A critical 13-year-old security flaw in Apache ActiveMQ is now being actively exploited, putting over 6,400 enterprise message brokers at immediate risk. For businesses running Java applications, this vulnerability could mean unauthorized code execution on your servers. CISA has ordered federal agencies to patch by April 30, signaling the severity of this threat.

KelpDAO Hack: $290M Crypto Heist Hits DeFi Protocols
North Korean state hackers allegedly stole $290 million from KelpDAO by exploiting cross-chain verification systems. The attack forced major lending protocols including Aave to freeze operations, raising urgent questions about DeFi security for institutional investors.

Seiko USA Breach 2026: What E-Commerce Leaders Must Know
The Seiko USA website defacement exposes critical vulnerabilities in Shopify-based retail operations. This attack demonstrates how threat actors are increasingly targeting brand-name companies through their e-commerce platforms, with potential customer data exposure and ransom demands creating both financial and reputational risks for businesses of all sizes.



