New Russia-Linked GREYVIBE Strengthens Cyberattacks on Ukraine Using AI Tools


A newly identified threat actor, known as GREYVIBE, has been linked to a series of persistent cyberattacks targeting Ukraine and related entities since at least August 2025. This group is believed to have connections to Russian state interests, particularly in the context of intelligence-gathering efforts amid the ongoing Russo-Ukrainian war.

Overview of GREYVIBE’s Operations

According to WithSecure, GREYVIBE operates primarily in the Russian time zone and employs various attack vectors. These include spear-phishing emails, fake CAPTCHA pages, and fraudulent websites masquerading as Ukrainian adult clubs to distribute malware. The group’s activities align closely with Kremlin objectives, focusing on undermining Ukraine’s stability.

Mohammad Kazem Hassan Nejad, a researcher at WithSecure, noted that GREYVIBE has utilized custom-developed obfuscators, loaders, and malware across its campaigns. The group has targeted a wide range of victims, including military, government, civilian, and business organizations. Despite its affiliation with state-sponsored activities, GREYVIBE also appears to have ties to the broader Russian cybercrime ecosystem, with some members believed to be current or former cybercriminals.

Technical Sophistication and AI Utilization

GREYVIBE’s operations show low-to-moderate sophistication and are marked by operational security lapses. Notably, there is evidence suggesting that the group employs generative artificial intelligence (GenAI) and large language models (LLMs) to enhance its cyber capabilities. This reliance on AI tools allows GREYVIBE to bridge gaps in technical expertise, accelerate development cycles, and reduce dependency on known malware that could facilitate attribution.

The group has been observed deploying multiple attack chains, including:

  • PhantomMail: This method involves spear-phishing emails that lead to malicious ZIP or RAR archives hosted on platforms like Google Drive. These archives contain JavaScript-based loaders that initiate a decoy document, alongside the PowerShell-based remote access trojan (RAT) known as PhantomRelay.
  • PhantomClick: This tactic utilizes ClickFix-style fake CAPTCHA pages on fraudulent domains that impersonate legitimate services like Zoom and LAPAS. The aim is to trick users into executing commands that trigger a PhantomRelay infection chain.
  • PrincessClub: This approach leverages fake Ukrainian adult-club websites to deliver malware such as FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows. Subsequent iterations of these lure sites have introduced features like WebRTC-based live calls to capture victim audio and video.
  • DroneLink: This method involves websites posing as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.
  • Nebo: This technique uses a FallSpy sample that mimics a Russian-language login screen, likely aimed at deceiving Ukrainian military personnel into believing they were accessing a legitimate Russian military terminal.

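The two Windows chains above, a JavaScript loader from an archive starting the PowerShell-based RAT (PhantomMail) and a user executing a command served by a fake CAPTCHA page (PhantomClick), share one observable: PowerShell is spawned by a parent that rarely launches it. The script below is an added example written for this article, not code or data from the WithSecure report or from thehackernews.com. It scans constructed process-creation log lines in an assumed Sysmon-style key=value layout and flags those two parent/child relationships; the field names, file paths, command lines and rule names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events (assumed key=value layout, quoted where a value
# contains spaces). None of these paths or command lines come from the article.
SAMPLE_LOG = r'''
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -w hidden -enc AAAAAAAAAAAA"
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -ep bypass -File C:\Users\u\AppData\Local\Temp\stage.ps1"
ParentImage=C:\Windows\System32\wscript.exe Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE /n C:\Users\u\Downloads\decoy.docx"
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe"
ParentImage="C:\Program Files\Git\git-bash.exe" Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c dir"
'''

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # hosts for a JS loader dropped from an archive
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches and cmdlets typical of a one-line stager pasted into the Run dialog.
STAGER_ARGS = re.compile(
    r"(?:^|\s)-(?:enc|encodedcommand|e)\s|-w(?:indowstyle)?\s+hidden"
    r"|downloadstring|invoke-expression|\biex\b|frombase64string",
    re.I,
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str) -> Optional[ProcEvent]:
    """Turn one key=value line into a ProcEvent; None if a field is missing."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    try:
        return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])
    except KeyError:
        return None


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a rule name when the event matches one of the two chains."""
    if basename(ev.image) not in POWERSHELL:
        return None
    parent = basename(ev.parent)
    if parent in SCRIPT_HOSTS:
        # JS loader launching PowerShell: flagged regardless of arguments.
        return "script-host-loader"
    if parent == "explorer.exe" and STAGER_ARGS.search(ev.cmdline):
        # User-launched PowerShell with stager-like switches, as a ClickFix lure induces.
        return "user-executed-stager"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run classify() over every line; return (rule, command line) for each hit."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.cmdline))
    return hits


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_LOG):
        print(f"{rule}: {cmd}")
```

Of the five constructed events, only the first two are flagged: the fourth is an interactive PowerShell launched from the shell with no stager-style arguments, so the explorer.exe rule deliberately stays quiet to keep administrator use from drowning the signal. A production rule would consume real Sysmon event 1 or Windows 4688 records rather than this toy layout, and would add the archive-extraction and decoy-document context the article describes as corroborating signals.
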
The diversity of delivery mechanisms and tools suggests that GREYVIBE is leveraging AI platforms for various tasks, including image generation, malware development, and backend infrastructure management.

Implications of AI in Cyber Operations

The integration of AI into GREYVIBE’s operations presents both advantages and challenges. While AI can enhance the efficiency and effectiveness of cyberattacks, it has also introduced design flaws into the group’s malware, exposing vulnerabilities in its backend functionality. This raises questions about the level of sophistication within GREYVIBE, as advanced adversaries typically avoid such operational missteps.

The group’s connections to the cybercriminal ecosystem are underscored by several factors:

  • Potential access to an ISO builder linked to the TrickBot gang and UAC-0098.
  • The presence of PhantomRelay variants in various unrelated cybercrime activities, including a Microsoft Teams phishing campaign and a KongTuke delivery chain.
  • Uploading early development samples to VirusTotal.
  • The use of internet slang in naming conventions for development artifacts.
  • The deployment of XMRig miners on a limited number of infected machines.

WithSecure assesses that GREYVIBE likely has ties to the broader cybercrime ecosystem, with a moderate level of confidence that it includes current or former cybercriminal members. The exact nature of their relationship with the Russian state remains ambiguous, raising questions about whether these individuals operate independently, under state direction, or as part of a hybrid team.

Conclusion

The emergence of GREYVIBE highlights the evolving landscape of cyber threats, particularly in the context of geopolitical tensions. The group’s blend of state-sponsored objectives and cybercriminal affiliations complicates attribution efforts and blurs the lines between traditional categories of cyber activity. As cyber warfare continues to escalate, the implications of such hybrid threats will be felt across various sectors, necessitating heightened vigilance and adaptive security measures.

Source: thehackernews.com
