Russian GreyVibe Hackers Use ChatGPT and Gemini to Target Ukraine

29.05.2026 4 minutes Author: Newsman

Researchers have uncovered a new hacking group known as GreyVibe, linked to Russian-speaking operators, that actively uses ChatGPT, Gemini, and other generative AI services to support cyberattacks. The group’s primary targets include Ukrainian military personnel, government agencies, civilian organizations, and businesses.

The GreyVibe hacking group is using AI-generated lures and a custom toolkit to conduct espionage operations against organizations in the military, government, civilian, and commercial sectors.

The campaign has been active since at least August 2025. Researchers believe its objectives align with Russian interests, although they cannot yet definitively classify it as a state-sponsored operation.

The primary targets are Ukrainian organizations and entities connected to Ukraine. Indicators pointing to Russian-speaking operators include the language used in malware control panels, comments found in source code, and command-and-control servers configured to the UTC+3 time zone.

Researchers identified several distinct attack chains used throughout the campaign.

  • PhantomMail relied on phishing emails delivering malicious ZIP and RAR archives through Google Drive and 4sync links. The files were disguised as PDF documents or fake error messages. Observed lures impersonated Ukrainian government agencies, emergency services, telecommunications providers, and energy sector organizations.

  • PhantomClick consisted of fake CAPTCHA and ClickFix pages disguised as Zoom and LAPAS websites. Victims were tricked into executing self-infection commands through fraudulent Cloudflare verification prompts.

  • PrincessClub involved fake Ukrainian dating and adult-themed websites used to distribute the FallSpy Android spyware and the PhantomRelay and LegionRelay malware families for Windows. Operators posed as women on Telegram and later introduced WebRTC-based calls capable of recording victims’ audio and video.

  • DroneLink used fraudulent Ukrainian military charity websites focused on FPV drones and UAVs. These sites shared infrastructure and tooling with the PrincessClub campaigns.

  • Nebo featured fake login pages imitating the Russian military communication system “SPO NEBO.” The pages were likely designed to convince Ukrainian military personnel that they were accessing legitimate Russian military resources.

Researchers highlighted the quality and diversity of the lures. To create realistic text and visual content, the operators reportedly used several AI tools, including ChatGPT, Google Gemini, and Ideogram AI.

AI assistance also appears to have been used in the development of custom obfuscation frameworks, including LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, which were designed to conceal malicious activity and complicate malware analysis.

One of the group’s primary tools is LegionRelay, a PowerShell-based remote access trojan that researchers believe was developed with the help of large language models. The malware supports file theft, screenshot capture, browser credential harvesting, Telegram and WhatsApp data theft, and RDP access configuration.

Another PowerShell-based RAT, PhantomRelay, provides system fingerprinting capabilities, dynamic script loading, and remote execution of PowerShell and Windows commands.

For Android devices, the group deployed FallSpy, a spyware family used in both the PrincessClub and Nebo campaigns. The malware is focused on intelligence collection and can gather contact lists, call logs, device information, network details, location data, media files, and SIM card information.

Despite several indicators associated with state-backed activity, researchers note that GreyVibe lacks the level of sophistication and operational discipline typically observed in mature nation-state threat groups.

LLM markers on images used by GreyVibe

Investigators also found evidence linking PhantomRelay to traditional cybercriminal operations, suggesting that current or former cybercriminals may be involved in the group’s activities.

Supporting this theory is the use of a unique ISO builder previously associated with former members of the TrickBot-linked group UAC-0098, which targeted Ukraine during the early stages of Russia’s invasion.

Overview of malware associations and campaigns

Additional indicators include the uploading of development and testing samples to public malware scanning services, a practice rarely associated with nation-state operators. Researchers also observed cryptocurrency miners deployed on some compromised systems.

At this stage, it remains unclear whether GreyVibe consists of former cybercriminals recruited into state operations, an independent group carrying out tasks aligned with state interests, or a hybrid organization combining state-affiliated operators with members of the cybercriminal underground.
