Criminals are leveraging AI to make their attacks faster, larger in scale, and more refined. As AI technology advances, so too will the methods of those exploiting it—making groups like GreyVibe worth closely monitoring.
According to WithSecure, GreyVibe is a previously unknown hacking group linked to Russia. Researchers believe the threat actors operate from the Russian-speaking region in the Moscow time zone, though they remain uncertain whether the group consists of cybercriminals, a nation-state operation, or a combination of both.
Since August 2025, the group has focused primarily on Ukrainian targets—spanning military, government, civilian, and business organizations—a focus that aligns well with Russian state objectives. At the same time, researchers noticed clues suggesting that at least some GreyVibe members may not be highly elite state-level operatives. For instance, they used internet-slang-inspired nicknames in early development files, such as ‘letsrollboyos’, ‘totallyunsus’, and ‘cuteuwu’.
A further sign that GreyVibe may not be a purely state-backed group is its heavy reliance on AI throughout every stage of its operations, “from creating fake websites and designing malicious lures to building custom malware and generating tools used after breaching a system,” the researchers noted. Their report also mentions AI-developed obfuscation scripts, loader components, and post-breach utilities. In isolation, this means little—all threat actors now use AI to speed up and scale their operations.
However, while GreyVibe employed leading AI tools such as Ideogram AI, ChatGPT, and Google Gemini, it introduced design errors into its AI-generated LegionRelay Windows malware. Such mistakes are typically not associated with top-tier threat actors. This oversight, in fact, allowed WithSecure researchers to observe and track GreyVibe’s activities over an extended period starting from mid-2025.
Errors like this are uncommon among elite attackers, which may explain why Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, commented, “What sets GREYVIBE apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to operate beyond its technical weight class—accelerating development, bridging capability gaps, and creating a largely new operational footprint that complicates tracking and attribution. It’s a preview of how lower-sophistication actors will increasingly operate.”
GreyVibe’s initial attack methods are varied and heavily AI-assisted. Spear-phishing emails—at least six distinct campaigns, though no use of deepfakes was observed—directed targets to ZIP or RAR files hosted on third-party cloud services like Google Drive and 4sync. These files opened a decoy document to distract the user while silently launching the PhantomRelay Windows malware installation process in the background.
In a separate campaign dubbed PrincessClub, the group used fraudulent adult-entertainment websites to distribute Fallspy for Android and PhantomRelay or LegionRelay on Windows. Victims were further enticed using fake female profiles on Telegram and dating platforms to guide them to these sites.
This broad AI usage not only compensates for skill gaps within GreyVibe but also minimizes connections to its past operations. In other words, it remains possible the group was previously tracked under a different identifier by other researchers—though WithSecure has found no evidence to support this.
What researchers did discover, however, is a unique ISO image builder potentially connected to the TrickBot ecosystem and UAC-0098—an activity cluster believed to include former TrickBot members, previously also observed targeting Ukraine.
GreyVibe remains active, and its members’ identities are still unknown. In the future, their use of AI is expected to advance further. “Given this heavy reliance, we anticipate the group’s tradecraft will continue to evolve and diversify, likely making ongoing detection, tracking, and attribution increasingly difficult,” stated WithSecure.
Whether this may push the group to expand operations beyond Ukraine remains uncertain. If the group is indeed closely aligned with Russian state interests, such expansion is entirely plausible given today’s global geopolitical climate.