GREYVIBE APT Uses ChatGPT and Gemini to Target Ukraine
Russian-linked GREYVIBE threat actor deploys AI-generated malware including PhantomRelay and LegionRelay against Ukrainian military and government targets. WithSecure analysis reveals the group's OPSEC failures.
A previously undocumented Russian-speaking threat actor dubbed GREYVIBE has been conducting persistent cyberattacks against Ukraine since August 2025, leveraging generative AI platforms including ChatGPT and Google Gemini to develop malware and attack infrastructure.
Security researchers at WithSecure disclosed the campaign on May 29, attributing the group to operators working broadly in the Moscow time zone with activities aligning with Kremlin intelligence-gathering objectives.
Custom Malware Arsenal
GREYVIBE deploys several custom malware families against its targets:
PhantomRelay is a PowerShell-based remote access trojan (RAT) designed for host profiling and command execution. A variant called PhantomRelayV1 adds a custom watchdog persistence mechanism.
LegionRelay is a lightweight PowerShell RAT supporting file enumeration, data exfiltration, screenshots, browser data theft, Telegram and WhatsApp session theft, and RDP setup for hands-on-keyboard access.
FallSpy is Android spyware that harvests device data from mobile targets, expanding the group's collection capabilities beyond traditional endpoints.
The group's naming conventions—including handles like "letsrollboyos," "totallyunsus," and "cuteuwu"—suggest operators with an irreverent culture that stands in contrast to more disciplined state-backed operations.
AI-Assisted Attack Development
What distinguishes GREYVIBE from other threat actors is its documented use of commercial AI platforms. According to WithSecure's analysis, the group leverages:
- Ideogram AI for generating images used in phishing lures
- OpenAI ChatGPT for developing LegionRelay malware components
- Google Gemini for obfuscation scripts, loader development, and post-compromise command generation
This represents an evolution in how threat actors approach malware development—using publicly available AI tools to accelerate their operations rather than relying solely on manual coding or purchasing tools from underground markets.
Diverse Attack Vectors
GREYVIBE operates multiple concurrent campaigns with distinct delivery mechanisms:
- PhantomMail: Spear-phishing emails containing malicious ZIP and RAR archives hosted on Google Drive and 4sync
- PhantomClick: ClickFix-style fake CAPTCHA pages masquerading as Zoom or LAPAS (Latvian government portal)
- PrincessClub: Fraudulent Ukrainian adult-club websites featuring WebRTC live call functionality
- DroneLink: Campaigns using drone-related themes relevant to the ongoing conflict
- Nebo: Fake charitable foundation websites claiming to support Ukrainian Armed Forces
The variety of delivery vectors reflects the AI-assisted approach—researchers believe the group uses generative AI to rapidly produce campaign infrastructure and themed content.
Targeting Profile
GREYVIBE's victimology spans Ukrainian military organizations, government entities, civilian infrastructure, and business targets. This broad targeting aligns with intelligence collection objectives rather than specific tactical goals, suggesting the group operates in a support role gathering information for other operations.
The group also deploys XMRig cryptocurrency miners on compromised machines, indicating potential financial motivations alongside their intelligence mandate—or simply monetizing access they don't otherwise need.
Attribution Challenges
WithSecure characterizes GREYVIBE as a "low-to-moderate sophistication group" plagued by operational security failures. Researchers found ties to the TrickBot gang and UAC-0098 through shared access to ISO builder tools, along with connections to the broader Russian cybercrime ecosystem through PhantomRelay variants appearing in unrelated campaigns.
The boundaries between cybercriminal and nation-state operations continue to blur. GREYVIBE exemplifies this hybrid model—a pattern we've seen accelerate throughout 2026 as states increasingly leverage criminal infrastructure for plausible deniability.
Why This Matters
The documented use of commercial AI platforms for malware development marks a shift in the threat landscape. While security researchers have warned about AI-assisted attacks for years, GREYVIBE provides concrete evidence of threat actors integrating these tools into their workflows.
For defenders, this means:
- Faster iteration cycles: AI assistance lets attackers produce more variants and pivots than manual development
- Lower skill barriers: groups with moderate technical sophistication can produce increasingly capable tooling
- Detection challenges: AI-generated code may lack the consistent patterns signature-based detection relies on
Organizations with exposure to the Russia-Ukraine conflict—including defense contractors, government agencies, NGOs, and media organizations—should review their threat models accordingly. For background on nation-state cyber operations, see our cybersecurity reading recommendations covering Russian cyber warfare.
Indicators of Compromise
WithSecure has published IOCs including C2 domains, malware hashes, and infrastructure details. Organizations should ingest these into their detection systems and hunt for historical compromise.
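Added example (not code from the article or from WithSecure): a small Python retro-hunt that refangs a constructed IOC feed and matches it against constructed proxy logs and a file-hash inventory. Every hostname, hash and path below is invented; real indicators come from the published report.

```python
import hashlib
import re

# Constructed sample hash (sha256 of b"test"), used so the feed and the
# inventory below agree without a hand-typed 64-character string.
SAMPLE_HASH = hashlib.sha256(b"test").hexdigest()

# Constructed, defanged feed in the style threat-intel reports use.
IOC_FEED = f"""
hxxps://relay-update[.]example/ps/check
nebo-fund-ua[.]example
sha256: {SAMPLE_HASH}
"""

DEFANG = {"hxxp": "http", "[.]": ".", "(.)": ".", "[:]": ":"}
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def refang(value: str) -> str:
    """Undo report-style defanging so values compare equal to raw log data."""
    for broken, fixed in DEFANG.items():
        value = value.replace(broken, fixed)
    return value.strip().lower()

def parse_iocs(feed: str) -> dict:
    """Split a feed into lowercase host names and SHA-256 hashes."""
    hosts, hashes = set(), set()
    for line in feed.splitlines():
        line = refang(line)
        if not line:
            continue
        if m := SHA256_RE.search(line):
            hashes.add(m.group(0))
        elif m := HOST_RE.search(line):
            hosts.add(m.group(1))
    return {"hosts": hosts, "hashes": hashes}

def hunt(iocs: dict, proxy_lines: list, file_inventory: list) -> list:
    """Return (source, host or host:path, indicator) for every match."""
    hits = []
    for line in proxy_lines:  # constructed format: ts host method url status
        for m in HOST_RE.finditer(line.lower()):
            if m.group(1) in iocs["hosts"]:
                hits.append(("proxy", line.split()[1], m.group(1)))
    for host, path, sha256 in file_inventory:  # tools often emit uppercase
        if sha256.lower() in iocs["hashes"]:
            hits.append(("file", f"{host}:{path}", sha256.lower()))
    return hits

# Constructed historical records to hunt through.
PROXY_LOG = [
    "2026-05-30T10:01:02Z ws-17 GET https://relay-update.example/ps/check 200",
    "2026-05-30T10:04:11Z ws-03 GET https://intranet.corp.example/ 200",
    "2026-06-01T08:12:40Z ws-22 POST https://nebo-fund-ua.example/donate 302",
]
FILE_INVENTORY = [
    ("ws-17", "C:\\Users\\a\\AppData\\Roaming\\relay.ps1", SAMPLE_HASH.upper()),
    ("ws-03", "C:\\Windows\\notepad.exe", "0" * 64),
]
```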
Security teams can track related threat intelligence through CISA's nation-state advisories for ongoing updates on Russian cyber activity targeting Western interests.