A Russia-linked threat group known as GREYVIBE, active since 2025, has been conducting cyber operations primarily targeting Ukraine using AI-assisted malware and multiple attack techniques. Although the group demonstrates persistence and adaptability, researchers note that its operations reveal a mix of espionage activity and cybercriminal behavior.
Security researchers at WithSecure have been monitoring GREYVIBE since at least August 2025. The group has launched campaigns against a wide range of targets, including military organizations, government agencies, civilian institutions, and businesses connected to Ukraine. While the group is not considered highly sophisticated, it compensates for its limitations by integrating artificial intelligence into its operations. Despite this, recurring operational mistakes have allowed investigators to gain valuable insights into its activities.
According to WithSecure, GREYVIBE employs a variety of attack methods, including spear-phishing emails, deceptive CAPTCHA pages, and fraudulent websites designed to lure victims. These campaigns are supported by custom-built malware, obfuscation tools, and delivery mechanisms. Researchers also identified overlapping infrastructure and techniques across related campaigns, suggesting a broader network of activity connected to the group.
The group’s operations are built around five main attack chains, each leveraging different tactics and payloads:
- PhantomMail relies on targeted phishing emails containing links to malicious archives hosted on platforms like Google Drive and 4sync. These archives deploy JavaScript loaders and a PowerShell-based remote access trojan known as PhantomRelay.
- PhantomClick uses fake CAPTCHA pages that imitate services such as Zoom and LAPAS. Victims are tricked into executing commands on their systems, which results in the installation of the same PhantomRelay malware.
- PrincessClub involves fraudulent Ukrainian-themed adult service websites that deliver malware depending on the user’s device. Mobile users may receive Android spyware called FallSpy, while desktop users are targeted with Windows-based remote access tools. More recent versions of these sites include live video communication features using WebRTC, enabling attackers to capture audio and video directly from victims.
- DroneLink uses websites posing as charitable organizations supporting Ukrainian military efforts. These sites deliver legitimate-looking software like WireGuard VPN paired with a lightweight remote access tool called LegionRelay.
- Nebo is particularly deceptive, using malware disguised as a Russian military login interface in an attempt to trick Ukrainian personnel into interacting with it as if it were a legitimate system.
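The chains above share a few host-level signals a defender can look for: a shell spawned from the desktop session after a fake CAPTCHA instruction (PhantomClick), a script host running a JavaScript loader out of an extracted archive (PhantomMail), and stray miner activity on the same host. The following triage heuristic is an added example, not code from WithSecure or the article, and runs over constructed Sysmon-style process-creation events; the field names and sample command lines are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style, simplified);
# these are not real telemetry from the WithSecure report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # PhantomClick-style: fake CAPTCHA page told the user to paste a command into Win+R
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."},
    # PhantomMail-style: JavaScript loader launched from an archive extracted to Temp
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\7zO4C1\invoice.js"},
    # Side activity: miner-like binary with pool and donation flags
    {"image": r"C:\Users\u\AppData\Roaming\svc\xmrig.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "xmrig.exe -o pool.example:3333 --donate-level 0"},
    # Benign control: ordinary application started from the desktop
    {"image": r"C:\Program Files\App\app.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "app.exe --update"},
]

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Flags commonly seen in pasted one-liners: encoded/hidden PowerShell, in-memory execution
SUSPICIOUS_PS = re.compile(r"(-enc\b|-e\b|-w\s*hidden|\biex\b|invoke-expression|downloadstring)", re.I)
# Script files run from user-writable extraction/download locations
LOADER_PATH = re.compile(r"\\(Temp|Downloads)\\.*\.(js|jse|wsf|vbs)\b", re.I)
# Miner indicators: known binary name, donation flag, or pool host:port argument
MINER = re.compile(r"(xmrig|--donate-level|-o\s+\S+:\d{4,5}\b)", re.I)

def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule_name, cmdline) pairs for events matching the three host-level patterns."""
    hits = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if parent == "explorer.exe" and img in SHELLS and SUSPICIOUS_PS.search(cmd):
            hits.append(("clickfix_shell_from_explorer", cmd))
        elif img in SCRIPT_HOSTS and LOADER_PATH.search(cmd):
            hits.append(("script_loader_from_archive", cmd))
        elif MINER.search(img + " " + cmd):
            hits.append(("coin_miner_activity", cmd))
    return hits
```

The heuristic is deliberately narrow; in production it belongs alongside user-context correlation (RunMRU entries, recent browser activity) so a single legitimate PowerShell launch does not page an analyst.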
The use of custom-developed malware complicates attribution efforts, as it avoids recognizable signatures typically associated with widely used cybercrime tools. GREYVIBE has taken this a step further by leveraging AI technologies to assist in code development, infrastructure management, and operational tasks. Researchers identified evidence of AI use in areas such as image creation, malware development using tools like ChatGPT and Google Gemini, obfuscation techniques, and command execution after system compromise. This integration of AI appears to be a core component of the group’s workflow rather than an occasional tool.
Despite aligning in part with Russian strategic interests, GREYVIBE does not consistently exhibit the level of discipline or sophistication expected from mature state-sponsored actors. Instead, its behavior suggests a hybrid nature, blending elements of organized cybercrime with state-aligned objectives. This overlap makes it difficult to clearly categorize the group or determine the exact nature of its relationship with government entities.
AI assistance has also introduced weaknesses. Flaws in the design of LegionRelay exposed backend functionality to researchers, and the group inadvertently uploaded development samples to VirusTotal while testing their tools. Additional indicators of poor operational security include the use of informal file naming conventions such as slang-filled labels and the deployment of cryptocurrency mining software like XMRig on some compromised systems, which is uncommon for disciplined intelligence operations.
Further analysis revealed links between GREYVIBE’s tools and known cybercriminal groups, including TrickBot and UAC-0098. Variants of the PhantomRelay malware were also observed in campaigns unrelated to Ukraine, such as voice-phishing attacks conducted via Microsoft Teams and other delivery chains seen in early 2026.
WithSecure concludes with moderate confidence that GREYVIBE is connected to the broader cybercrime ecosystem, possibly involving individuals with prior criminal affiliations. However, the exact relationship between the group and the Russian state remains uncertain. It could represent a loosely coordinated effort, a state-directed operation using independent actors, or a hybrid team blending both elements.
This hybrid model is not new, as there is a history of overlap between cybercriminal groups and state interests, particularly in geopolitical conflicts. What stands out in GREYVIBE’s case is the lack of operational polish. Its noticeable mistakes, reliance on AI-generated components, casual development practices, and side activities such as cryptocurrency mining suggest a group that is improvisational rather than highly structured.
Despite these shortcomings, GREYVIBE has managed to sustain ongoing cyber campaigns targeting Ukraine for an extended period. At the same time, its operational flaws have made it unusually transparent, allowing researchers to gain a detailed understanding of its methods, tools, and infrastructure.
