
A previously undocumented threat actor known as GREYVIBE is believed to have been conducting sustained and persistent attacks targeting Ukraine and Ukrainian-affiliated entities since at least August 2025.
According to WithSecure, GREYVIBE is assessed to be a Russian-speaking group widely active in the Russian time zone and whose activities are in line with the Kremlin’s national interests, particularly when it comes to intelligence-gathering activities targeting Ukraine in the context of the ongoing Russia-Ukraine war.
“The group utilized multiple attack vectors, including spear-phishing emails, fake capture pages, and fraudulent Ukrainian adult club websites, to deliver malware to various victims,” WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. “Throughout these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware.”
The footprint of victims spans military, government, civilian, and business organizations. Despite its state-related operations, GREYVIBE also shares ties to the broader Russian cybercrime ecosystem through some of its members who are believed to be current or former cybercriminals.
Additionally, there is evidence that the threat actors are relying on generative artificial intelligence (GenAI) and large language models (LLMs) to enhance their operations. Taken together, WithSecure paints a picture of a “low-to-moderate sophistication group” plagued by operational security failures and leaning on AI-assisted tools to support its malware development efforts.
GREYVIBE has been observed using multiple attack chains against its targets –
- PhantomMail uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive or 4sync. The archives contain a JavaScript-based loader that launches decoy documents and PhantomRelay, a PowerShell-based remote access Trojan (RAT) designed to profile hosts and execute PowerShell scripts and Windows commands.
- PhantomClick uses fake ClickFix-style CAPTCHA pages on fake domains disguised as Zoom or LAPAS to trick users into executing commands that start the PhantomRelay infection chain.
- PrincessClub uses a fake Ukrainian adult club website to distribute FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows. Subsequent iterations of this decoy site have introduced WebRTC-based live calling functionality to capture audio and video of victims. FallSpy is Android spyware that can collect sensitive data from compromised devices, while LegionRelay is a lightweight PowerShell-based RAT that supports file enumeration, file extraction, screenshot capture, browser data theft, Telegram and WhatsApp data extraction, and RDP access setup. PhantomRelayV1 is a variant of PhantomRelay with a custom watchdog persistence mechanism.
- DroneLink distributes WireGuard and LegionRelay using a website masquerading as a charitable foundation supporting the Ukrainian Armed Forces.
- Nebo uses a FallSpy sample that mimics a Russian login screen, likely intended to trick Ukrainian military personnel into thinking they are accessing a Russian military device.
The various delivery vectors and tools used in the attacks likely stem from the use of AI platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini to help generate images and develop LegionRelay, as well as the obfuscator and loader scripts, backend infrastructure, and post-compromise commands.
The cybersecurity company says GREYVIBE’s use of AI has multiple benefits for the group, including bridging gaps in technical expertise, accelerating development lifecycles, and reducing dependence on known malware and tools that would otherwise aid attribution efforts.

“Traditional clustering techniques based on stable technical artifacts can become less reliable over time if adversaries are able to frequently generate, refactor, or replace components of their operational footprint with AI assistance,” Nejad said.
However, the use of AI also had the side effect of introducing a design flaw in LegionRelay and exposing the backend functionality of the malware. This is another sign that GREYVIBE may not be a pure nation-state actor, as a sophisticated adversary would be unlikely to make such a mistake.
The link between the hacking group and the cybercrime ecosystem is based on multiple factors –
- Possible access to and use of ISO builders with suspected ties to the TrickBot gang and UAC-0098
- PhantomRelay variants present across seemingly unrelated clusters of cybercriminal activity, including Microsoft Teams voice phishing campaigns from July 2025 to February 2026 and the KongTuke delivery chain that used ClickFix to distribute malware
- Uploading initial development and test samples to VirusTotal
- Use of Internet slang terms such as “letsrollboyos,” “totallyunsus,” and “cuteuwu” as a naming convention for development artifacts
- Deploying the XMRig miner to a small number of machines infected with LegionRelay
“Overall, we assess with medium confidence that this group has ties to the broader cybercriminal ecosystem, and with low to medium confidence that current or former cybercriminal members are involved,” WithSecure said. “The exact nature of their relationship with the Russian state remains unclear, whether such members have been absorbed into state-backed groups, operate independently under state-led missions, or form hybrid teams.”
“This group occupies a gray area between cybercrime and state-related activity, complicating attribution efforts and blurring traditional distinctions between these categories.”
