Targeting Ukraine with Multiple Attack Vectors
A newly identified threat actor named GREYVIBE has been conducting persistent cyberattacks against Ukrainian military, government, civilian, and business organizations since at least August 2025. Security researchers at WithSecure assess that the group operates from within Russian time zones and aligns its activities with Kremlin state interests, particularly intelligence gathering related to the ongoing war in Ukraine.
The group employs a diverse set of attack methods, including spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites mimicking Ukrainian adult clubs. Through these vectors, GREYVIBE delivers custom malware built with its own obfuscators and loaders. Two primary attack chains have been documented: PhantomMail distributes malicious archives containing JavaScript loaders via email, while PhantomClick uses ClickFix-style fake CAPTCHA pages on domains spoofing legitimate services such as Zoom.
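As an added example (not code from the report or from WithSecure), the following Python triage routine flags process-creation events that match the shape of the two chains described above: a Windows script host running a .js file out of a download or temp folder (the PhantomMail archive-plus-JavaScript-loader pattern) and PowerShell launched from the shell with hidden, encoded or policy-bypass flags (the PhantomClick ClickFix pattern). The event format, paths and file names are constructed for illustration and are not indicators from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal Sysmon-style process-creation record (constructed shape)."""
    parent: str
    image: str
    cmdline: str

# Constructed sample events; none of these values come from the report.
SAMPLE_EVENTS = [
    ProcEvent("outlook.exe", "7zFM.exe", r'"C:\Program Files\7-Zip\7zFM.exe" C:\Users\u\Downloads\invoice.zip'),
    ProcEvent("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\7zO4F1\invoice.js"'),
    ProcEvent("explorer.exe", "powershell.exe", r'powershell.exe -w hidden -ep bypass -enc SQBFAFgA'),
    ProcEvent("cmd.exe", "powershell.exe", r'powershell.exe -File C:\scripts\backup.ps1'),
    ProcEvent("chrome.exe", "chrome.exe", r'chrome.exe --type=renderer'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Flags commonly seen when PowerShell is pasted into the Run dialog by a lured user.
PS_SUSPICIOUS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b|ep\s+bypass|executionpolicy\s+bypass)",
    re.I,
)

def classify(ev: ProcEvent):
    """Return a tag for events resembling either chain, or None."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    # PhantomMail-like: script host executing a .js/.jse from a user download/temp path.
    if image in SCRIPT_HOSTS and re.search(r"\.jse?\b", cmd, re.I) \
            and re.search(r"\\(Temp|Downloads)\\", cmd, re.I):
        return "phantommail-like"
    # PhantomClick-like: PowerShell spawned from the shell with hidden/encoded/bypass flags.
    if image == "powershell.exe" and parent in {"explorer.exe", "mshta.exe"} \
            and PS_SUSPICIOUS.search(cmd):
        return "phantomclick-like"
    return None

def triage(events):
    """Return (image, tag) pairs for every event that matched a pattern."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((ev.image, tag))
    return hits
```

Benign PowerShell invoked from cmd.exe with a script file (event 4) is deliberately left unflagged so the rule does not fire on routine administration.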
AI-Assisted Operations and Cybercrime Ties
GREYVIBE has adopted generative artificial intelligence and large language models to enhance its malware development capabilities. Despite this advanced tooling, researchers describe the group as low-to-moderately sophisticated, noting operational security lapses. The group shows connections to the broader Russian cybercrime ecosystem, with some members believed to be current or former cybercriminal actors.
The PhantomRelay component of GREYVIBE’s toolkit is a PowerShell-based remote access trojan that profiles infected hosts and can execute arbitrary PowerShell scripts and Windows commands. This combination of AI-powered development tools, traditional phishing tactics, and links to criminal networks makes GREYVIBE a notable, evolving threat in the ongoing cyber conflict surrounding Ukraine.
Source: The Hacker News