GREYVIBE: AI-Driven Cyberattacks Targeting Ukraine by Russian Hackers
Severity: High (Score: 72.6)
Sources: Dev.Ua, Securityaffairs.Co, Theregister, Gbhackers, labs.withsecure.com
Keywords: greyvibe, tools, used, military, government, using, malware
Severity indicators: malware, government, military
Summary
The GREYVIBE group, a previously unknown Russian hacking entity, has been actively targeting Ukrainian military, government, and civilian sectors since August 2025. Using AI tools such as ChatGPT and Google Gemini, GREYVIBE has run multiple campaigns involving spear-phishing emails, fake CAPTCHA pages, and fraudulent adult websites to deliver malware. Key malware tools include PhantomRelay, LegionRelay, and FallSpy, which facilitate espionage and data theft. The group blends state-sponsored and cybercriminal tactics, indicating a lack of operational discipline. Despite its advanced use of AI, GREYVIBE has made significant operational security mistakes that exposed parts of its infrastructure. Its activities align closely with Russian state interests, particularly in the context of the ongoing conflict with Ukraine.
Key Points:
- GREYVIBE has targeted Ukrainian entities since August 2025 using AI-generated lures.
- The group employs malware like PhantomRelay and FallSpy for espionage and data theft.
- Despite advanced tactics, GREYVIBE's operational security is compromised by significant mistakes.
Detailed Analysis
**Impact**
The campaign has targeted Ukrainian military, government, civilian, and commercial sectors since at least August 2025, with confirmed victims including combatants in Kharkiv. The group's operations have compromised sensitive communications, credentials, and intelligence data, including audio and video recordings, call logs, and location information. The scope spans multiple Ukrainian entities such as Kyiv City Council, energy companies, and emergency services, affecting thousands of individuals and organizations involved in the ongoing conflict.
**Technical Details**
Attack vectors include spear-phishing emails (PhantomMail), fake CAPTCHA verification pages (PhantomClick), fake Ukrainian adult club websites (PrincessClub), and charity-themed lures (DroneLink). Malware used includes the PowerShell-based RATs LegionRelay and PhantomRelay, the Android spyware FallSpy, and the custom obfuscators LOOKVALPS, DAYLIGHT, and TEASOUP. The group uses AI tools (ChatGPT, Google Gemini, Ideogram AI) for lure creation, malware development, and infrastructure setup. Its C2 servers are configured to Moscow time (UTC+3). The observed kill chain runs from initial access through credential theft, data exfiltration, and remote control. No specific CVEs were reported. Indicators of compromise (IoCs) are available from WithSecure.
**Recommended Response**
Deploy detection rules for PowerShell-based RAT activity and monitor network traffic for connections to known GREYVIBE C2 domains and IPs. Harden email gateways against spear-phishing and block the file-sharing service links used in lures. Enforce multi-factor authentication and monitor for anomalous access patterns, especially RDP sessions. Use the IoCs provided by WithSecure to update endpoint and network defenses. No specific patches are identified; focus on detection and containment.
Source articles (6)
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — Bleepingcomputer · 2026-05-28
  A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sector…
- Greyvibe — labs.withsecure.com · 2026-05-28
  This blog post summarises key topics from WithSecure's full report, which covers our investigation and findings in substantially greater depth. GREYVIBE has used several delivery approaches. We group…
- GREYVIBE Threat Actors Use ChatGPT and Google Gemini to Scale Cyberattack Operations — Gbhackers · 2026-05-29
  Threat actors are increasingly turning to generative AI tools such as ChatGPT and Google Gemini to accelerate cyberattack operations, lowering technical barriers and reshaping modern threat landscapes…
- Russia — Theregister · 2026-05-29
  Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government. Russia-linked cyber espionage crews appear to be using AI tools to help build malware, s…
- European cyber experts have discovered a new Russian hacker group, GREYVIBE, which is ... — Dev.Ua · 2026-05-29
  Cybersecurity analysts have identified a previously unknown Russian hacking group called GREYVIBE, which has been continuously attacking Ukraine for almost a year. Its activities align with the Kremli…
- Meet GREYVIBE, the Russia — Securityaffairs.Co · 2026-05-29
  GREYVIBE, a Russia-linked group active since 2025, targets Ukraine with AI-assisted malware and five attack chains. Researchers say it's part spy op, part crime gang. Security firm WithSecure has been…
Timeline
- 2025-08-01 — GREYVIBE begins operations: The GREYVIBE group starts targeting Ukrainian organizations, focusing on military and government sectors.
- 2025-10-01 — First use of fake CAPTCHA pages: GREYVIBE experiments with fake CAPTCHA pages for malware delivery, targeting victims with deceptive lures.
- 2026-03-01 — DroneLink campaign launched: The group initiates the DroneLink campaign, using drone-themed lures to target victims.
- 2026-05-29 — WithSecure report published: WithSecure releases a comprehensive report detailing GREYVIBE's operations and use of AI in cyberattacks.
Related entities
- Greyvibe (Apt Group)
- Malware (Attack Type)
- Phishing (Attack Type)
- Trojan (Attack Type)
- DroneLink (Campaign)
- Nebo (Campaign)
- PhantomClick (Campaign)
- PhantomMail (Campaign)
- PrincessClub (Campaign)
- Kyiv City Council (Company)
- Main Directorate Of The State Emergency Service Of Ukraine (Company)
- State Service Of Special Communications And Information Protection Of Ukraine (Company)
- WireGuard (Company)
- Russia (Country)
- Ukraine (Country)
- Energy (Industry)
- Government (Industry)
- FallSpy (Malware)
- LegionRelay (Malware)
- PhantomRelay (Malware)
- PhantomRelayLite (Malware)
- PhantomRelayV1 (Malware)
- T1021.001 - Remote Desktop Protocol (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1082 - System Information Discovery (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1566.002 - Spearphishing Link (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Android (Platform)
- Telegram (Platform)
- WhatsApp (Platform)
- Windows (Platform)
- Zoom (Platform)
- ChatGPT (Platform)
- Google Gemini (Platform)
- Daylight (Tool)
- Gemini (Tool)
- Google's Gemini (Tool)
- Ideogram AI (Tool)
- Lookvaljs (Tool)
- Lookvalps (Tool)
- OpenAI's ChatGPT (Tool)
- PowerShell (Tool)
- Teasoup (Tool)
- Zapixdesk (Tool)