
GreyVibe Cyber Espionage Campaign Targets Ukraine Using AI Tools

Severity: High (Score: 70.2)

Sources: Bleepingcomputer, Theregister, labs.withsecure.com

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: greyvibe, tools, used, military, government, using, malware

Severity indicators: malware, government, military

Summary

The GreyVibe threat group, likely linked to Russian interests, has been conducting cyber espionage against Ukrainian military and government entities since August 2025. Utilizing AI tools like ChatGPT and Google Gemini, they have crafted sophisticated spear-phishing lures and developed custom malware, including LegionRelay and PhantomRelay. The group has executed multiple campaigns, employing methods such as fake CAPTCHA pages and bogus adult websites to deliver malware. Their operations have shown a mix of operational errors, including uploading malware to public platforms, indicating a lack of sophistication typically associated with state-sponsored actors. WithSecure reported that the group’s activities are consistent with espionage but exhibit signs of cybercriminal behavior. The impact is primarily on Ukrainian organizations, with a focus on military and governmental sectors. Current assessments indicate ongoing activity with no immediate resolution in sight.

Key Points:

  • GreyVibe has targeted Ukrainian military and government sectors since August 2025.
  • AI tools have been extensively used for crafting lures and developing malware.
  • The group exhibits operational security flaws, suggesting a mix of state and cybercriminal tactics.

Detailed Analysis

**Impact**

The campaign has targeted Ukrainian military, government, civilian, and business sectors since at least August 2025, with confirmed victims including Ukrainian combatants in Kharkiv. The operation risks exposure of sensitive military and governmental data, including communications and credentials, as well as personal information from Android devices. The use of spyware and RATs enables theft of call logs, device data, and remote access, potentially disrupting operational security and intelligence confidentiality.

**Technical Details**

Attack vectors include spear-phishing emails with malicious archives, fake CAPTCHA pages, and deceptive websites impersonating Ukrainian entities and adult clubs. Malware used comprises the PowerShell-based RATs PhantomRelay and LegionRelay, the Android spyware FallSpy, and custom obfuscators such as LOOKVALPS and DAYLIGHT, with AI-assisted development. Infrastructure includes C2 servers operating in the Moscow time zone (UTC+3), shared across campaigns such as PrincessClub and DroneLink. The kill chain involves initial phishing, payload execution with decoy content, post-compromise data exfiltration, and remote control. No exploited CVEs were specified. IOCs are available from WithSecure but are not detailed here.

**Recommended Response**

Defenders should deploy the indicators of compromise provided by WithSecure to detect and block phishing domains, malicious payloads, and C2 communications. Harden email gateways against spear-phishing and implement user training on suspicious links and attachments. Monitor PowerShell execution and network traffic for anomalous connections to known C2 infrastructure. Maintain updated endpoint detection and response tools to identify and quarantine RAT and spyware activity. No specific patching guidance was provided.

Source articles (3)

  • GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — Bleepingcomputer · 2026-05-28
    A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sector…
  • Greyvibe — labs.withsecure.com · 2026-05-28
    This blog post summarises key topics from WithSecure’s full report, which covers our investigation and findings in substantially greater depth. GREYVIBE has used several delivery approaches. We group…
  • Russia — Theregister · 2026-05-29
    Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government. Russia-linked cyber espionage crews appear to be using AI tools to help build malware, s…

Timeline

  • 2025-08-01 — GreyVibe campaign begins: The GreyVibe group initiates cyber espionage activities targeting Ukrainian entities.
  • 2025-10-01 — Fake CAPTCHA pages used: GreyVibe experiments with fake CAPTCHA pages for malware delivery, targeting Ukrainian users.
  • 2026-03-01 — Drone-themed lures introduced: GreyVibe launches campaigns using drone-themed charity lures to target victims in Ukraine.
  • 2026-05-28 — WithSecure report published: WithSecure releases a detailed report on GreyVibe's tactics, tools, and operational behaviors.
  • 2026-05-29 — Ongoing monitoring of GreyVibe: Researchers continue to monitor GreyVibe's activities as they evolve their tactics and tools.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Trojan (Attack Type)
  • DroneLink (Campaign)
  • Nebo (Campaign)
  • PhantomClick (Campaign)
  • PhantomMail (Campaign)
  • PrincessClub (Campaign)
  • Kyiv City Council (Company)
  • Main Directorate Of The State Emergency Service Of Ukraine (Company)
  • State Service Of Special Communications And Information Protection Of Ukraine (Company)
  • WireGuard (Company)
  • Russia (Country)
  • Ukraine (Country)
  • Energy (Industry)
  • Government (Industry)
  • FallSpy (Malware)
  • LegionRelay (Malware)
  • PhantomRelay (Malware)
  • PhantomRelayLite (Malware)
  • PhantomRelayV1 (Malware)
  • T1021.001 - Remote Desktop Protocol (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1082 - System Information Discovery (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Android (Platform)
  • Windows (Platform)
  • ChatGPT (Platform)
  • Google Gemini (Platform)
  • Daylight (Tool)
  • Google's Gemini (Tool)
  • Ideogram AI (Tool)
  • Lookvaljs (Tool)
  • Lookvalps (Tool)
  • OpenAI's ChatGPT (Tool)
  • PowerShell (Tool)
  • Teasoup (Tool)
  • Zapixdesk (Tool)