
Russia-Linked GreyVibe Uses AI to Scale Cyberattacks on Ukraine
A new report says the Russia-linked GreyVibe group used AI tools to expand phishing, malware development, and campaigns targeting Ukraine.
AI-Powered Espionage
A Russia-linked threat group known as GreyVibe has been accused of using generative AI tools to expand and accelerate cyberattacks against Ukrainian targets. The operation reportedly relied on tools such as ChatGPT, Google Gemini, and Ideogram AI to support several stages of the attack chain, including phishing, fake website creation, malware development, and post-compromise activity.
Researchers said the group has targeted Ukrainian military, government, civilian, and business organizations since at least August 2025. The activity was reportedly uncovered in January 2026 and later detailed in a public report that described GreyVibe as a flexible and dangerous actor able to use AI to increase both speed and reach.
Five Campaign Chains
The report outlines five separate campaign chains used by the group. Among them, PhantomMail relied on spear-phishing emails disguised as official Ukrainian government or energy-related documents, while PhantomClick used fake CAPTCHA pages to trick victims into launching malicious commands on their own devices.
Another campaign, PrincessClub, reportedly used fake dating websites and Telegram personas to lure Ukrainian military personnel into spyware infections. Two additional operations, DroneLink and Nebo, used fake charity websites and spoofed Russian military login pages to collect credentials and compromise targets.
Malware and Access Tools
GreyVibe allegedly deployed custom malware families including LegionRelay and PhantomRelay, both described as PowerShell-based remote access tools. These tools were used to steal files, capture screenshots, collect browser credentials, and extract data from messaging apps such as Telegram and WhatsApp.
On Android devices, the group was also linked to FallSpy spyware. This malware reportedly harvested contacts, call logs, location data, and media files, showing that GreyVibe’s operations extended beyond desktop compromise into mobile surveillance.
Criminal Background, Strategic Purpose
Although the campaigns appeared aligned with Russian state interests, researchers said GreyVibe did not show the discipline or sophistication usually associated with top-tier state intelligence units. Evidence such as Russian-language malware panels, code comments, and servers configured to Moscow time supported the view that the group is connected to Russia, even if it may not be a formal state agency.
Investigators also noted signs of cybercriminal behavior, including the use of cryptocurrency miners on some infected systems. That detail, along with possible ties to former TrickBot-linked actors, suggests GreyVibe may combine criminal roots with a mission that still serves broader Russian strategic goals.