The Point: GreyVibe compensates for technical deficits through intensive use of commercial AI tools, enabling attack scaling that would normally require substantial personnel resources.
The reportedly Russian threat group GreyVibe leverages generative AI models such as ChatGPT and Google Gemini to systematically scale attacks against military and civilian targets in Ukraine. Since August 2025, WithSecure has documented a campaign pattern that deploys AI tools across all attack phases.
Finnish security firm WithSecure has analysed a previously undocumented threat group called GreyVibe that systematically employs generative artificial intelligence for cyberattacks. Analysts attribute the group to the Russian-speaking region with high confidence, based on consistent operational hours in the Moscow time zone. Whether this represents purely criminal actors, state-directed units, or a hybrid form remains unclear.
Since August 2025, GreyVibe has primarily targeted military facilities, government agencies, civil institutions, and private companies in Ukraine. Particularly relevant for CISO practice is the consistent integration of AI tools across all phases of the attack cycle: the group uses Ideogram AI, OpenAI’s ChatGPT, and Google Gemini to create fake websites, convincingly authentic phishing lures, customized malware, and post-exploitation tools. Additionally, AI models are employed to obfuscate scripts and loaders, complicating detection by signature-based security solutions. The sheer volume of AI-generated components enables the group to compensate for technical development deficits and to conduct attacks at a frequency and diversity that would normally require substantially larger personnel and financial resources.
However, technical analysis of the Windows malware LegionRelay also revealed the limits of this approach. Code generated by language models contained logical design flaws; such errors typically arise when complex programming tasks are handed to AI models without subsequent manual review by experienced developers. These specific flaws enabled WithSecure to track GreyVibe activities precisely from mid-2025 onwards and to analyse the group’s infrastructure. Such source code errors are atypical for state-level elite hackers, who generally develop and extensively test their tools manually.
Source: www.it-daily.net · Published 4 June 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.