Security researchers have identified a new hacking group known as GREYVIBE, suspected of conducting sustained cyber operations against Ukraine and associated targets since at least August 2025.
According to WithSecure’s findings, GREYVIBE is likely a Russian-speaking operation running during standard Russian business hours. Its actions fit with Kremlin objectives, particularly regarding intelligence collection on Ukraine amid the continuing conflict between Russia and Ukraine.
The team has employed various methods to infect targets. These include targeted phishing emails, counterfeit CAPTCHA verification pages, and sham Ukrainian adult entertainment sites. The researchers noted that the group consistently uses its own custom anti-analysis tools, malicious loaders, and spyware across these operations.
Its targets have included military, government, civilian, and commercial organizations. While activities suggest state-aligned goals, there are indications that GREYVIBE also connects to Russia’s underground cybercrime networks—some of its individuals may have prior or ongoing involvement in cybercrime.
Researchers also discovered signs that this group uses generative AI and large language models to boost its capabilities. Overall, WithSecure describes GREYVIBE as a “low-to-moderately sophisticated operation” prone to mistakes in operational security, yet leveraging AI-powered tools to improve its malware creation process.
GREYVIBE has been seen using several different attack methods:
- PhantomMail: Sends phishing emails with links to harmful ZIP or RAR files stored on Google Drive and 4sync, which then execute JavaScript-based loaders alongside a harmless-looking document, and deploy PhantomRelay—a PowerShell-based remote access trojan (RAT) that profiles the system and executes PowerShell scripts and Windows commands.
- PhantomClick: Uses fake “ClickFix”-style CAPTCHA prompts on spoofed domains that look like Zoom and LAPAS. Victims are tricked into executing commands that trigger a PhantomRelay infection.
- PrincessClub: Creates fake Ukrainian adult-club websites to deliver FallSpy (Android spyware) on mobile devices and PhantomRelayV1 or LegionRelay on Windows PCs. Later versions added a WebRTC live-call feature designed to record victim audio and video. LegionRelay is a compact PowerShell RAT capable of listing files, stealing data, taking screenshots, extracting browser data, stealing Telegram and WhatsApp messages, and setting up remote access. FallSpy extracts sensitive information from compromised Android devices.
- DroneLink: Spoofs pages imitating charities supporting the Ukrainian military to distribute WireGuard and LegionRelay.
- Nebo: A FallSpy sample designed to look like a Russian-language login portal, probably meant to fool Ukrainian soldiers into believing they’re accessing a Russian military interface.
The wide range of tactics and malware tools may be a result of the use of AI services such as Ideogram AI, OpenAI ChatGPT, and Google Gemini. These platforms reportedly helped the group craft visuals, code LegionRelay, build obfuscation scripts, create backend systems, and automate post-compromise actions.
WithSecure noted that AI offers GREYVIBE several benefits: it helps overcome technical skill gaps, speeds up development cycles, and minimizes dependence on known malware or tools that analysts could use for attribution.

“If a group can regularly create, revise, or replace pieces of its infrastructure with AI help, traditional detection and grouping techniques that rely on consistent technical fingerprints may become less effective over time,” the researcher explained.
On the flip side, reliance on AI has also introduced coding errors in LegionRelay, accidentally exposing backend logic, a mistake unlikely from an advanced nation-state actor and a further hint that GREYVIBE is not a purely state-run operation.
Evidence linking the group to cybercriminal networks includes:
- Possible use of an ISO creation tool previously tied to the TrickBot group and UAC-0098
- Discovery of PhantomRelay variants in separate cybercrime campaigns, including a Microsoft Teams voice phishing operation (July 2025–February 2026) and a campaign using KongTuke and ClickFix malware distribution (late February–late March 2026)
- Uploading early-stage malware samples to VirusTotal for public testing
- Odd naming patterns in internal files, such as “letsrollboyos,” “totallyunsus,” and “cuteuwu”
- Deploying XMRig cryptocurrency miner on a few machines infected with LegionRelay
“Based on this evidence, we assess with moderate confidence that GREYVIBE has connections to the wider cybercrime world, and with low-to-moderate confidence that it includes individuals with cybercriminal backgrounds,” WithSecure concluded. “How exactly the group relates to the Russian state is still unknown—whether criminals were absorbed into a state-backed unit, operate independently under state direction, or form a hybrid team.”
“This group sits in a gray zone between cybercrime and state-linked activity, making it harder to categorically attribute and blurring the usual lines between these two types of threat actors.”