In the realm of cyber espionage, a group known as GreyVibe, believed to have ties to Russia, has been employing sophisticated AI-generated tactics to target a wide range of entities across various sectors, including military, government, civilian, and business. The group has been active since at least August 2025, with a focus on Ukrainian or Ukraine-related organizations, as uncovered by cybersecurity firm WithSecure earlier this year.
The connection to Russian interests is evident in the language used in malware panels and code comments, and in the configuration of command-and-control (C2) servers to Moscow time (UTC+3). However, researchers have refrained from definitively categorizing GreyVibe as a nation-state operation.
GreyVibe has deployed a series of attack chains, each tailored to specific targets:
WithSecure highlights the use of AI tools like ChatGPT, Ideogram AI, and Google Gemini in crafting convincing lures for these attacks, showcasing a new level of sophistication in cyber deception.
The use of AI extends beyond lures to the development of custom obfuscation tools like LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, aiding in the creation of malware such as LegionRelay and PhantomRelay, both PowerShell-based remote access trojans.
LegionRelay enables various malicious activities, including data theft, screenshot capture, and credential exfiltration from messaging apps. Meanwhile, PhantomRelay focuses on system reconnaissance and command execution.
GreyVibe’s utilization of FallSpy Android spyware in certain campaigns underscores its focus on intelligence gathering, collecting a wide array of data from infected devices.
While GreyVibe’s operations align with those of a nation-state, researchers note a lack of the precision typically associated with more mature threat actors. The presence of PhantomRelay in cybercrime activities hints at potential links to former or current cybercriminal elements within GreyVibe.
With uncertainties surrounding the group’s composition and intentions, organizations are advised to bolster their defenses using indicators of compromise (IoCs) provided by WithSecure to mitigate the risk posed by GreyVibe’s evolving tactics.