
GreyVibe hackers use ChatGPT, Gemini to power cyber attacks

A suspected Russian threat group tracked as GreyVibe has been using AI-generated malware and a rich set of custom malware tools to target organizations in the military, government, civilian, and business sectors.

The cyberespionage campaign has been active since at least August 2025 and appears to be aligned with the interests of the Russian state, although researchers cannot confidently classify it as a state operation.

Cybersecurity company WithSecure picked up the activity in January this year and found that it focuses on organizations in Ukraine or connected to Ukraine.

The link to the Russian-speaking threat actor is supported by the language of the malware panels, comments in code artifacts, and command and control (C2) server time configured to UTC+3 (Moscow time).

According to the researchers, GreyVibe used multiple attack chains against its targets, including:

  • PhantomMail: Phishing emails that deliver malicious ZIP/RAR archives via Google Drive and 4sync links, using decoy PDFs or fake error messages while the malware runs. The targets were Ukrainian government, emergency services, telecom, and energy organizations.
  • PhantomClick: Fake CAPTCHA/ClickFix pages posing as Zoom and LAPAS sites that lure victims into running self-deleting commands behind fake Cloudflare verification prompts.
  • PrincessClub: Fake Ukrainian adult/dating websites that deliver the FallSpy Android spyware and the PhantomRelay/LegionRelay Windows malware. Operators posed as women on Telegram and later added WebRTC-based live calls that could capture audio and video of the victim.
  • DroneLink: Fake Ukrainian military organization websites themed around FPV drones and UAVs, sharing infrastructure and tools with the PrincessClub campaign.
  • Nebo: Fake “СПО НЕБО” Russian military communications login pages, likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military base.

The variety and quality of these lures is remarkable, and WithSecure says this is the result of using multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic supporting content.

LLM tags on images used by GreyVibe (source: WithSecure)
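The LLM tags in the image caption above are ordinary PNG text metadata, and checking lure images for such tags is a cheap triage step. The following is an added example, not WithSecure's tooling: it parses PNG tEXt/iTXt chunks (verifying each chunk's CRC and stopping on truncation) and flags entries that mention a generator; the keyword list and the constructed sample image are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Substrings that suggest a generator left its mark; an assumed list for this example.
GENERATOR_HINTS = ("ideogram", "chatgpt", "dall-e", "gemini", "stable diffusion", "midjourney")

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(text_fields: dict) -> bytes:
    """Constructed 1x1 RGB PNG carrying tEXt chunks; test input, not a real lure image."""
    chunks = [png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))]
    for key, value in text_fields.items():
        chunks.append(png_chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1")))
    chunks.append(png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")))  # filter byte + one RGB pixel
    chunks.append(png_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)

def png_text_chunks(data: bytes) -> dict:
    """Walk the chunk list and collect tEXt/iTXt metadata; chunks with a bad CRC are ignored."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    fields, pos = {}, len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk: stop rather than read past the buffer
        body, (crc,) = data[pos + 8:end], struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) == crc and ctype in (b"tEXt", b"iTXt"):
            key, _, text = body.partition(b"\x00")
            encoding = "latin-1"  # tEXt is Latin-1; iTXt is UTF-8
            if ctype == b"iTXt" and len(text) >= 2:
                # iTXt layout after the keyword: comp-flag comp-method language\0 translated-keyword\0 text
                flag, text = text[0], text[2:].split(b"\x00", 2)[-1]
                text, encoding = (zlib.decompress(text) if flag == 1 else text), "utf-8"
            fields[key.decode("latin-1")] = text.decode(encoding, "replace")
        if ctype == b"IEND":
            break
        pos = end + 4
    return fields

def generator_hints(data: bytes) -> list:
    """List 'keyword=text' metadata entries that mention a known image generator."""
    return [f"{k}={v}" for k, v in png_text_chunks(data).items()
            if any(h in f"{k} {v}".lower() for h in GENERATOR_HINTS)]
```

A hit is an attribution clue for analysts, not proof of malice; legitimate images carry the same tags.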

The use of AI extends to tool development as well: the researchers name LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all custom tools that may have been created with the help of LLMs.

A PowerShell-based remote access trojan called LegionRelay may also have been developed with the help of AI tools, researchers said.

LegionRelay supports file theft, screenshot capture, stealing browser credentials, Telegram and WhatsApp data extraction, and setting up RDP access.

Another malware used by GreyVibe is PhantomRelay, which is also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.

Overview of malware and campaign organizations (source: WithSecure)

Finally, the hackers used the FallSpy Android spyware in the PrincessClub and Nebo campaigns; it is designed solely for intelligence gathering.

The malware collects contact lists, call logs, device and network information, location data, media files, and SIM information.

WithSecure notes that while GreyVibe’s work is consistent with state operations, the threat actor “lacked the level of expertise and operational discipline typically associated with mature state actors.”

In addition, the PhantomRelay malware has been observed in cybercriminal activity, although the researchers cannot distinguish that use from the state-aligned activity. This has led them to believe that GreyVibe may include “current or former cybercriminal actors.”

Further evidence for this theory includes early use of, and test samples from, a different ISO builder associated with a group of former TrickBot members (UAC-0098) that targeted Ukraine at the start of the Russian invasion.

The threat actor also uploaded development and testing samples to a public scanner, which is uncommon for state actors, and a cryptocurrency miner was planted on some of the victims’ machines.

The researchers are unsure “whether former or current cybercriminals are included in a government-sponsored group, operate independently but with a government-directed mission, or form a mixed group that includes members of the state and cybercriminals.”

Organizations can set up defenses against GreyVibe’s malicious activity by using indicators of compromise (IoCs) provided by WithSecure.
