GreyVibe Hackers Utilize AI Tools for Cyberattacks

May 31, 2026 00:11 · 12 min read
Introduction to GreyVibe Hackers

A likely Russian threat group, tracked as GreyVibe, has been utilizing AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors. The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests.

Campaign Discovery and Focus

Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations. The attribution to a Russian-speaking threat actor is supported by the language of the malware panels, comments in code artifacts, and the command-and-control (C2) server time being configured to UTC+3 (Moscow time).

Attack Chains and Malware Tools

According to the researchers, GreyVibe has used several attack chains against its targets, including:

Use of AI Tools

The diversity and quality of these lures are notable, and WithSecure says this is the result of using multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic content to support them. The use of AI extends to the creation of tools as well, with the researchers mentioning LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all custom obfuscators that were likely developed with LLM assistance.

Malware and Campaign Associations

A PowerShell-based remote access trojan named LegionRelay was also likely developed with assistance from AI tools, the researchers say. LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup. Another malware used by GreyVibe is PhantomRelay, also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.

FallSpy Android Spyware

The hackers employed the FallSpy Android spyware in the PrincessClub and Nebo campaigns. FallSpy is designed purely for collecting intelligence: it gathers contact lists, call logs, device and network information, location data, media files, and SIM information.

Conclusion and Recommendations

WithSecure notes that while GreyVibe activity is consistent with a nation-state operation, the threat actor "lacked the level of sophistication and operational discipline typically associated with mature nation-state actors." Organizations can set up defenses against GreyVibe's malicious activity by using the indicators of compromise (IoCs) provided by WithSecure.

Source: BleepingComputer
