
Russia-aligned cybercriminal group Greyvibe systematically uses artificial intelligence in attacks

The Bottom Line: The hacker group Greyvibe systematically uses generative AI across all phases of its cyberattacks against Ukrainian targets. The group developed multiple malware programs (PhantomRelay, LegionRelay, FallSpy) with LLM support and deploys various social engineering tactics. Security analysts attribute the collective to the Russian cybercriminal spectrum.

Security researchers have documented a previously unknown Russian group that extensively uses generative artificial intelligence in cyberattacks against private, government, and military targets in Ukraine. The group, designated Greyvibe by WithSecure, demonstrates systematic AI usage across all phases of its operations—from spear-phishing to malware development—and is attributed to the Russian cybercriminal spectrum.

Greyvibe extensively uses Large Language Models (LLMs) to support its operations. The group leverages various attack vectors and proprietary malware aimed at gathering intelligence for the ongoing war in Ukraine. According to WithSecure analysts, multiple indicators suggest the group has connections to the broader cybercriminal ecosystem and may include current or former cybercriminals.

Greyvibe launched its first documented campaign in August 2025 with spear-phishing emails purporting to originate from Ukrainian authorities. The messages contained links to ZIP and RAR archives on Google Drive and the 4sync service hosting Python and JavaScript-based malware loaders. The final payload was the custom-developed malware PhantomRelay.

In October, the group conducted ClickFix-like attacks using spoofed Cloudflare CAPTCHA pages. Additionally, Greyvibe operated fake websites for adult clubs as well as pages with dubious support offers for Ukrainian military drone logistics. These distributed multiple malware programs: FallSpy for Android devices, and PhantomRelay and LegionRelay for Windows systems.

PhantomRelay is a PowerShell-based remote access trojan that can execute additional scripts from the command-and-control server. LegionRelay is also PowerShell-based and enables file enumeration, data theft, screenshots, browser data exfiltration, and theft of Telegram and WhatsApp data. FallSpy steals contacts, call logs, app lists, device and network information, and location data from Android devices.

WithSecure analysts assessed with medium confidence that several of these tools were developed with LLM support. This is particularly evident in LegionRelay and its associated backend infrastructure, where patterns typical of AI-generated code are discernible.

Source: www.csoonline.com
Lumi AI News – AI-assisted curation according to Art. 50 EU AI Act.