{"id":8321,"date":"2026-05-30T00:22:14","date_gmt":"2026-05-30T00:22:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8321"},"modified":"2026-05-30T00:22:14","modified_gmt":"2026-05-30T00:22:14","slug":"russia-aligned-crime-group-greyvibe-extensively-uses-ai-in-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8321","title":{"rendered":"Russia-aligned crime group Greyvibe extensively uses AI in attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Researchers have uncovered a previously undocumented Russian group that makes extensive use of large language models (LLMs) in its attacks against private, government, and military organizations in Ukraine. It uses a variety of attack vectors along with custom malware, with the goal of intelligence gathering for the ongoing war.<\/p>\n<p>Dubbed Greyvibe by researchers from WithSecure, the group has shown systematic use of generative AI across all stages of its operations, from crafting spear-phishing lures and malicious scripts to full-on malware development and setting up backend infrastructure.<\/p>\n<p>\u201cWhile the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors,\u201d the WithSecure researchers <a href=\"https:\/\/labs.withsecure.com\/publications\/greyvibe\" target=\"_blank\" rel=\"noopener\">said in their report<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Shifting attack vectors<\/h2>\n<p>Greyvibe\u2019s first campaign was launched in August 2025, with a series of spear-phishing emails that purported to come from Ukrainian officials and government agencies including the Kyiv City, the Main Directorate of 
the State Emergency, and the State Service of Special Communications and Information Protection.<\/p>\n<p>The emails included links to ZIP and RAR archives, hosted on Google Drive and a service called 4sync, that contained malware loaders written in Python and JavaScript. The final payload was a custom malware program developed by the group that the WithSecure researchers dubbed PhantomRelay.<\/p>\n<p>In another attack in October, the group experimented with ClickFix-style attacks on fake Cloudflare CAPTCHA pages. These attacks instructed users to open the Windows Run dialog and paste in malicious commands.<\/p>\n<p>Greyvibe also set up fake adult club websites in Ukrainian, as well as fake websites for charities claiming to support the Ukrainian military with FPV drones and UAVs. These attacks distributed several malware programs for both Android devices (FallSpy) and Windows (PhantomRelay and LegionRelay).<\/p>\n<p>The researchers also tracked a website in Russian that they believe was part of the group\u2019s operations; it referenced hard-coded telephone exchange numbers for secure telecommunications that are typically used by the Russian military.<\/p>\n<p>\u201cThe intended victimology of this activity remains unclear,\u201d the researchers said. \u201cHowever, the most plausible hypothesis is that the lure was designed to deceive Ukrainian military personnel by presenting the illusion of access to a Russian military terminal.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Custom malware developed using LLMs<\/h2>\n<p>The PhantomRelay malware program is a remote access trojan (RAT) written in PowerShell that can execute additional custom scripts received from the command-and-control (C2) server. 
While variants of this program have been observed in activity that might be unrelated to Greyvibe, the group completely rewrote the tool and created a version that was exclusively used in its own operations.<\/p>\n<p>LegionRelay is another PowerShell-based RAT that can similarly execute commands and scripts received from the C2 server; it is used for file enumeration, file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration, RDP access setup and other actions.<\/p>\n<p>FallSpy is an Android spyware program that can steal contacts, call logs, a list of installed applications, SIM-linked phone numbers, device and network information, Wi-Fi SSID, the phone\u2019s last known location, its public IP address, and media files.<\/p>\n<p>Finally, a series of custom scripts for obfuscating and loading malware was also observed: LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT (PowerShell), and TEASOUP (JavaScript).<\/p>\n<p>The WithSecure researchers have determined, with moderate confidence, that several of these custom tools were developed with the help of LLMs. LegionRelay in particular, as well as the background infrastructure serving it, show strong indicators of AI generation. The researchers believe some of the platforms used by the attackers include Ideogram AI, ChatGPT and Google Gemini.<\/p>\n<p>\u201cGreyvibe appears to use AI not only for isolated development tasks, but across multiple operational phases,\u201d the researchers said. \u201cThis likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity. 
Given this extensive use, we expect the group\u2019s tradecraft to continue evolving and diversifying, likely increasing the complexity of continuous detection, tracking, and attribution.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have uncovered a previously undocumented Russian group that makes extensive use of large language models (LLMs) in its attacks against private, government, and military organizations in Ukraine. It uses a variety of attack vectors along with custom malware, with the goal of intelligence gathering for the ongoing war. Dubbed Greyvibe by researchers from WithSecure, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8321","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8321"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8321"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8321\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8322"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8321"},{"taxonomy":"post_tag","
embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}