Cybersecurity researchers have uncovered a previously undocumented threat group called GreyVibe that has been systematically using generative artificial intelligence tools to support cyberattacks targeting Ukraine since at least August 2025. Researchers say the operation offers a glimpse into how future state-aligned hacking campaigns may increasingly rely on AI to accelerate development and expand capabilities.
The group was identified by researchers at WithSecure, who describe GreyVibe as a Russia-linked threat actor focused on Ukrainian military, government, civilian, and business organizations. Investigators said the group’s activities closely align with Russian strategic interests related to the ongoing war in Ukraine. At the same time, researchers noted evidence suggesting some members may have backgrounds in cybercrime rather than traditional state intelligence operations.
According to the report, GreyVibe extensively used AI platforms including ChatGPT, Google Gemini, and Ideogram AI across multiple stages of its operations. Researchers found evidence that AI assisted with phishing lure creation, fake website development, malware coding, obfuscation tools, command-and-control infrastructure setup, and post-compromise activities.
The group employed several attack methods to infect targets. These included spear-phishing campaigns delivering malicious ZIP and RAR archives through file-sharing services, fake CAPTCHA pages, and fraudulent websites disguised as Ukrainian adult clubs. Victims were often redirected through convincing decoy content while malware was silently installed in the background.
Researchers identified multiple malware families linked to GreyVibe, including PhantomRelay and LegionRelay, two custom remote access trojans used to steal data and maintain access to compromised systems. LegionRelay reportedly supports browser credential theft, screenshot collection, file exfiltration, remote desktop access, and extraction of messaging platform data from Telegram and WhatsApp.
GreyVibe also deployed Android spyware known as FallSpy in certain campaigns. The malware is designed for intelligence gathering and can collect contacts, call logs, location information, SIM card details, network data, and media files stored on infected devices.
Despite its aggressive operations, researchers characterized GreyVibe as having only low to moderate sophistication. WithSecure said the group repeatedly made operational security mistakes and appeared heavily dependent on AI-generated code. One flaw in LegionRelay reportedly allowed researchers to monitor parts of the group’s infrastructure and observe its victim targeting over an extended period.
Investigators also discovered indicators linking the group to the broader cybercrime ecosystem. These included the use of malware-building tools associated with former TrickBot-linked actors, uploads of development samples to public scanning platforms, and isolated deployments of cryptocurrency mining software on infected systems. Researchers said the findings suggest GreyVibe may involve current or former cybercriminals working in support of Russian state objectives.
While researchers have not definitively connected GreyVibe to any previously known threat group, they warn the operation highlights how generative AI is lowering technical barriers for cybercriminal and state-aligned actors alike. By using AI to automate development, create fresh infrastructure, and generate new malware, groups with limited resources can rapidly expand their operational capabilities while making attribution more difficult.
