- What: GREYVIBE, a Russian-speaking threat actor active since August 2025, deploys AI-assisted malware (PhantomRelay, LegionRelay, FallSpy) against Ukrainian military, government, and civilian targets across five distinct attack chains.
- Impact: Compromised Ukrainian military support networks, government entities, and civilian organizations; Android spyware captures audio/video via WebRTC; PowerShell RATs exfiltrate browser data and messaging app content.
- Fix / mitigation: Block PowerShell execution from archive files, enforce application whitelisting, deploy behavioral detection for ClickFix-style fake CAPTCHA prompts, and monitor for unauthorized RDP configuration changes.
- Who's at risk: Organizations with Ukraine-related operations; users of Zoom-impersonation and Ukrainian military support-themed domains; Android users targeted via fake charity and adult-club sites.
WithSecure has identified GREYVIBE, a previously undocumented Russian-speaking threat actor conducting persistent operations against Ukraine since August 2025. The group represents a concerning evolution in cyber warfare: a hybrid operation that combines state-aligned intelligence objectives with cybercriminal infrastructure and AI-assisted malware development. This combination challenges traditional attribution models and demonstrates how generative AI is lowering technical barriers for threat actors.
Operating within Russian time zones and targeting entities aligned with Kremlin intelligence priorities, GREYVIBE has compromised military, government, civilian, and business organizations connected to Ukraine. WithSecure assesses the group as low-to-moderately sophisticated, with operational security failures offset by extensive use of AI platforms including OpenAI ChatGPT, Google Gemini, and Ideogram AI for malware development, obfuscation, and infrastructure setup.
Five Attack Vectors, Multiple Payloads
GREYVIBE employs five distinct attack chains, each tailored to different victim profiles. PhantomMail uses spear-phishing emails with links to malicious ZIP or RAR archives hosted on Google Drive and 4sync. These archives contain JavaScript-based loaders that execute decoy documents while deploying PhantomRelay, a PowerShell-based remote access trojan designed for host profiling and command execution.
PhantomClick exploits the ClickFix technique through fake CAPTCHA pages on domains impersonating Zoom and LAPAS services. Users who follow prompts execute commands that initiate PhantomRelay infections. PrincessClub represents a more targeted approach, using fraudulent Ukrainian adult club websites to distribute FallSpy Android spyware and either PhantomRelayV1 or LegionRelay on Windows systems. Later iterations added WebRTC-based live call features to capture victim audio and video in real time.
The DroneLink campaign targets Ukrainian military support networks through fake charitable foundation websites supporting the Armed Forces of Ukraine, delivering WireGuard and LegionRelay. The Nebo campaign uses FallSpy samples that mimic Russian-language login screens, likely attempting to deceive Ukrainian military personnel into believing they accessed Russian military terminals.
AI-Assisted Development and Its Consequences
WithSecure identified clear evidence of AI platform usage across GREYVIBE operations. The group leveraged ChatGPT and Gemini for developing LegionRelay, a lightweight PowerShell RAT with capabilities including file enumeration and exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data extraction, and RDP access setup. AI platforms also generated obfuscation scripts, loader components, backend infrastructure, and post-compromise commands.
GREYVIBE's reliance on AI tools introduced design flaws into LegionRelay that exposed backend functionality. These mistakes suggest the group lacks the expertise typical of sophisticated nation-state actors and demonstrate that AI-generated code can create unexpected security weaknesses in attacker infrastructure.
The strategic advantages AI provides GREYVIBE include bridging technical expertise gaps, accelerating development cycles, and reducing reliance on known malware that facilitates attribution. By frequently generating, refactoring, or replacing operational components with AI assistance, the group makes traditional clustering methods based on stable technical artifacts less reliable. This represents a significant challenge for defenders accustomed to tracking threat actors through consistent tooling signatures.
Cybercriminal Connections and Attribution Challenges
Multiple indicators connect GREYVIBE to the broader Russian cybercrime ecosystem. The group demonstrates possible access to an ISO builder with suspected ties to the TrickBot gang and UAC-0098. PhantomRelay variants appeared across seemingly unrelated cybercrime campaigns, including a Microsoft Teams voice phishing operation from July 2025 to February 2026 and a KongTuke delivery chain from late February to late March 2026 using ClickFix distribution.
Operational security failures provide additional attribution clues. The group uploaded early development and test samples to VirusTotal, used internet slang terms like "letsrollboyos," "totallyunsus," and "cuteuwu" as naming conventions for development artifacts, and deployed XMRig cryptocurrency miners on a small number of LegionRelay-infected machines—behavior inconsistent with focused intelligence operations.
WithSecure assesses with moderate confidence that GREYVIBE has ties to cybercrime ecosystems and with low-to-moderate confidence involves current or former cybercriminal members. The exact relationship to the Russian state remains unclear—whether members were absorbed into state-backed groups, operate independently under state direction, or formed hybrid teams.
Implications for Defenders
GREYVIBE occupies the grey zone between cybercrime and state-affiliated activity, complicating attribution and blurring traditional threat categorization. This hybrid model may represent an emerging operational structure where states leverage cybercriminal talent and infrastructure for intelligence objectives while maintaining plausible deniability.
The group's AI adoption creates specific defensive challenges. Traditional threat intelligence methods relying on stable indicators of compromise become less effective when adversaries continuously regenerate tooling. Defenders must shift focus from static signatures to behavioral detection, infrastructure patterns, and operational tempo analysis.
Organizations with Ukraine-related operations should implement enhanced monitoring for the specific attack vectors GREYVIBE employs. This includes scrutinizing links in spear-phishing emails, educating users about fake CAPTCHA pages requesting command execution, blocking fraudulent domains impersonating legitimate services, and monitoring for PowerShell-based RAT behaviors including browser data access, messaging app targeting, and RDP configuration changes.
Recommendations
- Monitor for ClickFix-style social engineering attempts using fake CAPTCHA pages that prompt users to execute PowerShell commands
- Implement application whitelisting to prevent unauthorized JavaScript and PowerShell execution from archive files
- Deploy behavioral detection for PowerShell RAT indicators including browser credential access, messaging app data extraction, and unauthorized RDP configuration
- Scrutinize domains impersonating Ukrainian military support organizations, video conferencing platforms, and local services
- Enhance mobile device management policies to detect Android spyware like FallSpy attempting extensive data collection
- Train security teams to recognize AI-generated code patterns and potential design flaws in adversary tooling that may expose infrastructure
- Adjust threat intelligence processes to account for rapidly changing technical artifacts when tracking AI-assisted threat actors
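The behavioral detections described above (PowerShell launched from a fake CAPTCHA prompt, script hosts running out of archive extraction folders, RDP configuration changes, and browser or messaging data access) can be expressed as a handful of process-creation rules. The following is an added example written for this summary, not WithSecure's or any vendor's detection content; the event records are constructed Sysmon-style samples, the user name "u" is a placeholder, and the archive temp-folder prefixes are assumptions about how common archivers extract files.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry); "u" is a placeholder user.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "<constructed stager>"'},  # pasted from a fake CAPTCHA page
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_statement.zip\statement.js"'},
    {"id": 3, "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'Copy-Item "C:\Users\u\AppData\Roaming\Telegram Desktop\tdata" C:\ProgramData\o; '
                r'Copy-Item "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\ProgramData\o'},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign control
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"powershell.exe -c Get-ChildItem C:\Reports"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
# Assumed extraction prefixes: Explorer ZIP preview -> Temp\Temp1_<name>, WinRAR -> Temp\Rar$..., 7-Zip -> Temp\7z...
ARCHIVE_TEMP = re.compile(r"\\Temp\\(?:Temp1_|Rar\$|7z)", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?(?=\s))", re.I)
RDP_CONFIG = re.compile(r"fDenyTSConnections|Control\\Terminal Server\b", re.I)
BROWSER_DATA = re.compile(r"\\Login Data|\\Cookies|\\Local State", re.I)
MESSAGING_DATA = re.compile(r"Telegram Desktop\\tdata|\\WhatsApp\\", re.I)

def _is(path, names):
    """True when the image/parent path ends with one of the given file names (case-insensitive)."""
    return path.lower().endswith(tuple(n.lower() for n in names))

RULES = [
    # ClickFix: the user pastes the command, so PowerShell appears as a child of explorer.exe with a hidden/encoded flag
    ("clickfix_run_dialog", lambda e: _is(e["parent"], ["\\explorer.exe"])
        and _is(e["image"], ["powershell.exe", "pwsh.exe"]) and HIDDEN_OR_ENCODED.search(e["cmdline"])),
    ("script_from_archive", lambda e: _is(e["image"], SCRIPT_HOSTS) and ARCHIVE_TEMP.search(e["cmdline"])),
    ("rdp_config_change", lambda e: RDP_CONFIG.search(e["cmdline"])),
    ("browser_data_access", lambda e: _is(e["image"], SCRIPT_HOSTS) and BROWSER_DATA.search(e["cmdline"])),
    ("messaging_data_access", lambda e: _is(e["image"], SCRIPT_HOSTS) and MESSAGING_DATA.search(e["cmdline"])),
]

def evaluate(event):
    """Return the names of every rule the event triggers (empty list when nothing fires)."""
    return [name for name, pred in RULES if pred(event)]

def scan(events):
    """Map event id -> triggered rule names, omitting events that trigger nothing."""
    return {e["id"]: hits for e in events if (hits := evaluate(e))}

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Each rule is a heuristic and will need tuning against your own baseline; the benign control event (id 5) is there to show that ordinary PowerShell use from cmd.exe does not fire.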