A newly identified cyber threat group, known as GREYVIBE, has been actively conducting attacks on Ukraine and related entities since August 2025. This group is believed to be Russian-speaking, operating in alignment with Kremlin interests, primarily focusing on intelligence collection in the ongoing conflict between Russia and Ukraine, according to WithSecure.
Methods and Tools of GREYVIBE
GREYVIBE employs a range of sophisticated tactics to compromise targets. WithSecure has reported that the group uses spear-phishing emails, deceptive CAPTCHA pages, and fraudulent websites posing as Ukrainian adult clubs to deliver malware. Additionally, they utilize custom-developed obfuscators and loaders to infiltrate various sectors including military, government, and commercial organizations.
The group’s methods include deploying PhantomMail, which uses phishing emails to distribute malicious archives via platforms like Google Drive, and PhantomRelay, a PowerShell-based remote access trojan. Another tactic, PhantomClick, uses fake CAPTCHA pages to initiate infections, while PrincessClub mimics adult-club websites to spread spyware like FallSpy and remote access tools such as LegionRelay.
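As an added illustration of how a defender might look for the PhantomMail delivery pattern described above (archives reaching victims through Google Drive links), the following Python triage filter is example code written here, not tooling from WithSecure or the article. The record format, the sample log lines and the archive-extension list are all constructed assumptions for this example; a real deployment would read the mail gateway's own log schema.

```python
"""
Added example: flag mail-gateway records that carry Google Drive links
alongside archive filenames, or archive attachments outright. Record
format and the SAMPLE_LOG entries are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Archive extensions often used to wrap a loader (assumption, extend as needed).
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")

# Google Drive / Docs share-link shape (assumed pattern for these records).
DRIVE_LINK = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.I)


@dataclass
class Verdict:
    message_id: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_record(line: str) -> dict:
    """Parse a constructed key="value" gateway record into a dict."""
    return {key: value for key, value in re.findall(r'(\w+)="([^"]*)"', line)}


def assess(record: dict) -> Verdict:
    """Score one parsed record against the Drive-link + archive pattern."""
    reasons = []
    body = record.get("body", "")
    body_lc = body.lower()

    if DRIVE_LINK.search(body):
        reasons.append("google-drive link")
        # A Drive link on its own is common business traffic; it becomes
        # interesting when an archive name is referenced next to it.
        if any(ext in body_lc for ext in ARCHIVE_EXT):
            reasons.append("archive referenced alongside link")

    attachment = record.get("attachment", "").lower()
    if attachment.endswith(ARCHIVE_EXT):
        reasons.append(f"archive attachment {attachment}")

    suspicious = (
        "archive referenced alongside link" in reasons
        or any(r.startswith("archive attachment") for r in reasons)
    )
    return Verdict(record.get("id", "?"), suspicious, reasons)


def triage(lines) -> list:
    """Run assess() over raw gateway lines, skipping blank ones."""
    return [assess(parse_record(line)) for line in lines if line.strip()]


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    'id="m1" from="hr@partner.example" subject="Updated roster" '
    'body="Please review: https://drive.google.com/file/d/ABC123/view (roster.zip)" '
    'attachment=""',
    'id="m2" from="colleague@corp.example" subject="Slides" '
    'body="Deck here https://docs.google.com/presentation/d/XYZ/edit" attachment=""',
    'id="m3" from="vendor@supplier.example" subject="Invoice" '
    'body="See attached" attachment="invoice_0925.rar"',
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.message_id}: {flag} {v.reasons}")
```

The filter deliberately does not treat a bare Google Drive link as suspicious, since that would drown analysts in legitimate document sharing; it escalates only when the link travels with an archive name, or when an archive arrives as a direct attachment.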
AI’s Role in Enhancing Cyber Threats
Evidence suggests GREYVIBE leverages generative AI and large language models to enhance its operations. Tools like OpenAI’s ChatGPT and Google Gemini are utilized to develop malware, create obfuscation scripts, and refine post-compromise strategies. This integration of AI accelerates their development processes and minimizes reliance on identifiable malware components, complicating attribution.
However, the use of AI has not been without its flaws. The development of LegionRelay has revealed design errors, highlighting potential gaps in GREYVIBE’s sophistication. These errors suggest that while the group benefits from AI’s capabilities, it still faces challenges typical of less experienced actors.
The Blurring Lines Between Cybercrime and State Operations
GREYVIBE’s activities reflect a complex relationship with the cybercrime ecosystem. Connections to known cybercriminal groups like TrickBot, together with patterns also observed in unrelated cybercrime campaigns, suggest a hybrid operation. This blending of state-directed and independent criminal activities poses challenges for attribution.
WithSecure assesses that while GREYVIBE operates with ties to broader cybercrime circles, the exact nature of its relationship with the Russian state remains ambiguous. The group’s operations inhabit a grey area, complicating traditional distinctions between state-backed hacking and criminal cyber activities.
In conclusion, the ongoing activities of GREYVIBE underline the evolving nature of cyber threats, where the convergence of state interests and cybercrime creates complex challenges for cybersecurity experts. As AI continues to play a significant role in these operations, understanding and mitigating these threats will remain a priority for affected nations and cybersecurity firms worldwide.
