Russia-Linked GreyVibe Attackers

May 30, 2026 00:13 · 12 min read
Introduction to GreyVibe

GreyVibe, a previously undocumented threat actor, has been described by WithSecure as a Russia-nexus group. The researchers are confident in their attribution of GreyVibe to Russian-speaking operators in the Moscow time zone, but are less certain whether the group is cybercriminal, nation-state – or a mix of the two.

Targeting Ukrainian Entities

The group's primary focus, Ukrainian military, government, civilian, and business entities targeted since August 2025, aligns closely with Russian state interests. At the same time, the researchers have found numerous indications that at least some GreyVibe members are not the polished, elite state operators such targeting might suggest, including their use of Internet slang in naming conventions across early-stage development artefacts, such as ‘letsrollboyos’, ‘totallyunsus’, and ‘cuteuwu’.

Use of AI in Cyberattacks

The group makes intensive use of AI across every phase of its operations, “from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling,” say the researchers. Their report also lists AI-assisted resource development, including obfuscation and loader scripts, and post-compromise scripts. On its own, this is not distinctive: threat actors of all kinds are now using AI to add velocity and scale to their attacks.

Mistakes in AI-Generated Malware

However, although the researchers detected the use of top-tier AI services including Ideogram AI, ChatGPT, and Google Gemini, GreyVibe introduced design flaws into its LLM-generated LegionRelay Windows malware. Such mistakes are not normally attributed to elite actors, and these flaws enabled WithSecure researchers to monitor and track GreyVibe activity over an extended period, since mid-2025.

Operational Ambition Powered by AI

Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, notes, “What sets GREYVIBE apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to punch above its weight – accelerating development, filling capability gaps, and generating a largely fresh operational profile that complicates tracking and attribution. It’s a preview of how lower-sophistication actors will increasingly operate.”

Initial Lures and Approaches

GreyVibe's initial lures and approaches are varied and heavily supported by AI. Spear-phishing emails (at least six distinct campaigns, with no mention of deepfakes) directed victims to ZIP or RAR archives hosted on third-party file-sharing services such as Google Drive and 4sync. When opened, the archive contents launched a decoy file to hold the user’s attention while simultaneously initiating a PhantomRelay (Windows malware) infection chain in the background.
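The archive lure described above lends itself to a simple triage check. The following Python script is an added example, not code from the original article or from WithSecure, and it assumes nothing about the real GreyVibe archives beyond what the paragraph states: a decoy document bundled with something that starts an infection chain. It builds a constructed sample ZIP in memory (file names and contents are made up for illustration), then flags the decoy-plus-launcher pairing, double extensions such as Report.pdf.lnk, and members whose bytes begin with a PE "MZ" header despite carrying a document or image extension. The extension lists are my own assumptions, not indicators from the report. RAR archives would need the third-party rarfile module, which the standard library does not include.

```python
import io
import os
import zipfile

# These extension sets are an assumption for this example, not indicators from the report.
LAUNCHER_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".dll", ".iso", ".img",
}
DECOY_EXTS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt",
    ".jpg", ".jpeg", ".png",
}
PE_MAGIC = b"MZ"  # DOS/PE header; should never start a genuine document or image


def member_extensions(name: str) -> list:
    """All extensions of a member name, lower-cased: 'Report.pdf.lnk' -> ['.pdf', '.lnk']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def classify_archive(data: bytes) -> dict:
    """Inspect an in-memory ZIP for the decoy-document-plus-launcher lure pattern."""
    decoys, launchers, findings = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = member_extensions(name)
            last = exts[-1] if exts else ""
            if last in LAUNCHER_EXTS:
                launchers.append(name)
                findings.append(f"launcher member: {name}")
                # 'Report.pdf.lnk': a document extension placed in front of a launcher extension
                if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
                    findings.append(f"double extension: {name}")
            elif last in DECOY_EXTS:
                # Do not trust the extension: read the first two bytes of the member
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == PE_MAGIC:
                    launchers.append(name)
                    findings.append(f"PE header under document extension: {name}")
                else:
                    decoys.append(name)
    if decoys and launchers:
        findings.append(
            f"decoy document bundled with launcher: {sorted(decoys)} + {sorted(launchers)}"
        )
    return {
        "decoys": decoys,
        "launchers": launchers,
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_lure_archive() -> bytes:
    """Constructed sample mimicking the lure pattern (names and bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n% harmless decoy\n")
        zf.writestr("Report.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # shortcut-like stub
        zf.writestr("update.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("scan.jpg", PE_MAGIC + b"\x00" * 62)  # PE renamed as an image
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: documents only, no launcher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"meeting notes\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_archive()), ("benign", build_benign_archive())):
        verdict = classify_archive(blob)
        print(f"{label}: suspicious={verdict['suspicious']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```

The header check matters more than the extension lists: a lure that ships a PE renamed as scan.jpg passes a name-only filter, and a shortcut or script launcher would otherwise hide behind the document it sits next to. In a mail gateway the same logic would run on the downloaded archive rather than on a constructed one.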

Continued Evolution and Diversification

Given GreyVibe's extensive use of AI, its tradecraft is likely to continue evolving and diversifying, which will make continuous detection, tracking, and attribution harder. Whether this might tempt the group to spread its activity beyond its current focus on Ukraine remains to be seen. If it really is closely aligned with Russian state activity, that is more than possible given the current state of global geopolitics.


Source: SecurityWeek
