GREYVIBE: A Russia-nexus Group Leveraging AI in State-Aligned Operations

WithSecure has identified an ongoing and persistent set of activities targeting Ukraine and Ukraine-related entities since at least August 2025. These activities are associated with a threat group tracked as GREYVIBE. The lures, targeting, and observed actions align with Russian state interests, particularly in support of intelligence-gathering objectives related to the ongoing Russia-Ukraine war.

Key Findings:

  • Russian-speaking Operators: The developers and operators are believed to be Russian-speaking and operate broadly in the Moscow time zone.
  • Use of Generative AI: There is strong evidence suggesting the systematic use of generative AI (GenAI) and large language models (LLMs) by GREYVIBE throughout their operations.
  • Operational Security Failures: GREYVIBE is assessed to be a low-to-moderately sophisticated group, reflected in repeated operational security failures and heavy reliance on LLMs.

Attack Vectors:

The group has leveraged multiple attack vectors, including:

  • Spear-phishing emails
  • Fake CAPTCHA pages
  • Fraudulent Ukrainian adult club websites

Since August 2025, GREYVIBE has conducted at least six distinct spear-phishing campaigns. These campaigns typically involve emails containing links to malicious ZIP or RAR archives hosted on third-party file-sharing services. The archives contain loaders that initiate the PhantomRelay infection chain in the background.
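The delivery pattern above (an email body linking to a ZIP or RAR archive on a host outside the organisation) is something a mail gateway or SOC triage script can flag before a user ever opens the link. The following is an added example written for this post, not code from WithSecure or from the report; the host names, the trusted-host set and the three sample messages are constructed for illustration.

```python
"""Flag emails that link to ZIP/RAR/7z archives on off-domain hosts.

Added example, not part of the original WithSecure post. All host names,
the TRUSTED_HOSTS set and the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qs, urlparse

# Assumption: the organisation's own file host, where an archive link is expected.
TRUSTED_HOSTS = {"files.example-org.internal"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
URL_RE = re.compile(r"""https?://[^\s<>"'\)\]]+""", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of free text; trailing punctuation is stripped."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def names_archive(url: str) -> bool:
    """True if the URL path, or any query value, ends in an archive extension.

    The query check catches download endpoints such as /get?file=docs.zip
    where the path alone carries no extension.
    """
    parsed = urlparse(url)
    candidates = [parsed.path.lower().rstrip("/")]
    for values in parse_qs(parsed.query).values():
        candidates.extend(v.lower() for v in values)
    return any(c.endswith(ARCHIVE_EXT) for c in candidates)


def classify_url(url: str) -> str:
    """Return 'archive-offsite', 'archive-trusted' or 'other'."""
    if not names_archive(url):
        return "other"
    host = (urlparse(url).hostname or "").lower()
    return "archive-trusted" if host in TRUSTED_HOSTS else "archive-offsite"


def email_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def triage_email(raw: str) -> dict:
    """Parse one raw RFC 822 message and report off-site archive links."""
    msg = message_from_string(raw)
    findings = [(u, classify_url(u)) for u in extract_urls(email_text(msg))]
    offsite = [u for u, verdict in findings if verdict == "archive-offsite"]
    return {
        "subject": msg.get("Subject", ""),
        "offsite_archive_links": offsite,
        "verdict": "review" if offsite else "pass",
    }


# Constructed sample messages (not real lures); hosts are illustrative only.
SAMPLE_EMAILS = [
    # Lure-style message: archive on a third-party share host.
    "From: sender@example.com\nSubject: Updated list\nContent-Type: text/plain\n\n"
    "Please review the list: https://share.example.net/dl/8f2a/list.rar .\n",
    # Benign: archive on the organisation's own trusted host.
    "From: hr@example-org.internal\nSubject: Handbook\nContent-Type: text/plain\n\n"
    "Handbook: https://files.example-org.internal/hr/handbook.zip\n",
    # Archive name hidden in a query parameter rather than the path.
    "From: x@example.com\nSubject: Docs\nContent-Type: text/plain\n\n"
    "https://drop.example.org/get?file=docs.zip&id=42\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_EMAILS:
        print(triage_email(raw))
```

This is a coarse first-pass filter: many file-sharing services serve archives from opaque download endpoints with no extension in the URL at all, so the extension check should be paired with URL detonation or a reputation lookup on the host, and the "review" verdict is a queue for an analyst rather than a block decision.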

Notable Campaigns:

One of the most notable campaigns, tracked as PrincessClub, used fake Ukrainian adult-club websites to deliver malware on Android and Windows. Victims included military, government, civilian, and business-related entities, with many located in Kharkiv, Ukraine.

AI Integration:

GREYVIBE’s apparent systematic use of generative AI and LLMs across the attack lifecycle is significant. They have utilized several AI platforms, including Ideogram AI, ChatGPT, and Google Gemini. This usage is likely deliberate and operationally integrated, serving to bridge technical capability gaps and accelerate operational tempo.

For more detailed insights, you can read the full article here.

This post is licensed under CC BY 4.0 by the author.