GREYVIBE campaign targets Ukraine with phishing, fake sites and AI tools


A previously undocumented threat actor dubbed GREYVIBE has carried out persistent attacks against Ukraine and Ukraine-related entities since at least August 2025, with WithSecure assessing that the group is Russian-speaking and aligned with Kremlin interests.

KEY FACTS

  • Targeting: Military, government, civilian and business organizations linked to Ukraine.
  • Delivery methods: Spear-phishing, fake CAPTCHA pages and fraudulent websites.
  • Malware and tooling: PhantomRelay, LegionRelay, FallSpy, WireGuard and XMRig were observed across the different attack chains (WireGuard and XMRig are legitimate software repurposed by the group).
  • AI use: The report says the group appears to have used tools such as ChatGPT, Gemini and Ideogram AI.

In its technical analysis, WithSecure said the group used several attack chains, including one that delivered malicious ZIP or RAR archives to victims via cloud storage links and another that relied on fake CAPTCHA pages to trigger the infection.

Other activity used bogus Ukrainian adult-club websites to deliver Android spyware and PowerShell-based remote access tools, while a separate set of sites posed as charitable groups supporting the Armed Forces of Ukraine to spread additional malware. The report also described a lure that mimicked a Russian-language login screen.

The disclosure said the group’s tooling appears to have been built with help from generative AI, which may have sped up image creation, obfuscation, loader scripts and post-compromise commands. It also noted that the same reliance on AI introduced design flaws in LegionRelay that exposed parts of its backend.

WithSecure linked the operation to the broader Russian cybercrime ecosystem through signs that include shared malware variants, early test samples on VirusTotal, slang-based development names and a small number of infected systems running an XMRig miner. The company said the relationship to the Russian state remains unclear.

WHY IT MATTERS

The case shows how phishing, fake websites and AI-assisted development can be combined in campaigns that are harder to cluster and attribute. It also highlights the blurred line between state-linked activity and cybercrime in attacks focused on Ukraine.