Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government
Analysis Summary
# Threat Actor: GREYVIBE
## Attribution & Identity
* **Actor Name:** GREYVIBE
* **Origin:** Russia-linked; researchers identified Russian-speaking operators active within the Moscow time zone (UTC+3).
* **Associations:** Aligned with Russian intelligence interests, though the provided text does not formally attribute the activity to a specific named group (e.g., APT28 or APT29).
## Activity Summary
* **Active Period:** August 2025 – Present (identified May 2026).
* **Campaign Overview:** A widespread campaign targeting Ukrainian entities utilizing Generative AI (GenAI) and Large Language Models (LLMs) across nearly every stage of the cyber-attack lifecycle, from social engineering to malware development.
## Tactics, Techniques & Procedures
* **Phishing & Social Engineering:** Deployment of spear-phishing emails and lures tailored using AI tools.
* **Deceptive Web Content:** Creation of fake CAPTCHA pages and bogus "Ukrainian adult club" websites to entice victims.
* **AI Integration:** Systematic use of OpenAI's ChatGPT, Google's Gemini, and Ideogram AI for:
  * Crafting convincing lures.
  * Malware development and coding.
  * Infrastructure setup.
  * Code obfuscation tools.
  * Post-compromise activity scripts.
* **Operational Security (OPSEC) Failures:** Despite AI use, the group exhibited "amateur" traits, including:
  * Uploading malware to public scanning services.
  * Using unprofessional artifact names (e.g., "letsrollboyos," "totallyunsus," "cuteuwu").
  * Design flaws in custom malware that exposed backend C2 infrastructure.
## Targeting
* **Sectors:** Military, Government, Civilian organizations, and Private Businesses.
* **Geography:** Ukraine.
* **Victims:** Specifically those aligned with or serving Ukrainian national interests.
## Tools & Infrastructure
* **GenAI Tools:** ChatGPT, Gemini, Ideogram AI.
* **Custom Malware:**
  * **LegionRelay:** A malware family suspected of being developed with LLM assistance; contained flaws that allowed researcher monitoring.
* **Infrastructure:**
  * Fake CAPTCHA portals.
  * Niche adult-themed websites used for drive-by downloads.
  * Backend C2 exposed via design flaws (specific IP addresses/URLs not listed in the article but noted as monitored by WithSecure).
## Implications
GREYVIBE represents a shift toward the "operationally integrated" use of AI by state-aligned actors. While the group exhibits significant OPSEC weaknesses, the use of AI allows them to bridge capability gaps and accelerate development cycles. This suggests that AI serves as a "force multiplier" for lower-tier or mid-tier operators, allowing them to conduct complex espionage campaigns that would traditionally require more sophisticated manual coding skills.
## Mitigations
* **AI-Generated Content Detection:** Strengthen email security filters to identify linguistic patterns common in LLM-generated phishing lures.
* **Endpoint Protection:** Deploy behavioral-based EDR (Endpoint Detection and Response) to catch anomalies in "LegionRelay" and other LLM-assisted malware that may bypass signature-based detection.
* **User Awareness:** Educate government and military personnel on the risks of fake CAPTCHA prompts and adult-themed social engineering lures.
* **Infrastructure Blocking:** Monitor for and block access to newly registered or suspicious domains mimicking Ukrainian civilian services or adult content.
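As an added illustration of the two detection-oriented points above (the unprofessional artifact names listed under OPSEC failures, and monitoring for newly registered or lookalike domains), the following Python triage helper runs both checks over a handful of constructed telemetry lines. It is example code written for this summary, not code from the report, from WithSecure, or from the GREYVIBE toolset. The artifact strings come from the profile; the legitimate-domain watchlist, the registration dates standing in for a WHOIS/RDAP lookup, and the event lines are all constructed placeholders.

```python
import ntpath
from datetime import date
from typing import Dict, List

# Artifact names quoted in the profile above; matched case-insensitively against file names.
KNOWN_ARTIFACT_NAMES = ("letsrollboyos", "totallyunsus", "cuteuwu")

# Assumed placeholder watchlist of legitimate domains; a real deployment would maintain its own.
LEGIT_DOMAINS = ("gov-portal-example.gov.ua", "epay-example.ua")

# Constructed stand-in for a WHOIS/RDAP lookup: observed domain -> registration date.
DOMAIN_REGISTRATION: Dict[str, date] = {
    "gov-porta1-example.gov.ua": date(2026, 4, 30),
    "epay-example.ua": date(2018, 3, 1),
    "captcha-verify-example.com": date(2026, 5, 2),
}

NEW_DOMAIN_DAYS = 30     # registered within this many days counts as "newly registered"
MAX_EDIT_DISTANCE = 2    # lookalike threshold against the watchlist

# Constructed telemetry lines (key=value, one event per line); not real logs.
SAMPLE_EVENTS = [
    r"ts=2026-05-09T09:12:00Z host=ws17 event=file_create path=C:\Users\u\Downloads\totallyunsus.exe",
    r"ts=2026-05-09T09:12:04Z host=ws17 event=dns_query domain=gov-porta1-example.gov.ua",
    r"ts=2026-05-09T09:13:10Z host=ws21 event=dns_query domain=epay-example.ua",
    r"ts=2026-05-09T09:15:42Z host=ws21 event=dns_query domain=captcha-verify-example.com",
    r"ts=2026-05-09T09:16:00Z host=ws21 event=file_create path=C:\Windows\System32\notepad.exe",
]
TODAY = date(2026, 5, 10)  # constructed "current" date for the age check


def parse_event(line: str) -> Dict[str, str]:
    """Parse a key=value telemetry line into a dict (values contain no spaces in this format)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def domain_findings(domain: str, today: date) -> List[str]:
    """Reasons a queried domain is suspicious: lookalike of a watchlisted domain, or newly registered."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return []  # exact match to the watchlist is benign
    reasons = []
    for legit in LEGIT_DOMAINS:
        if edit_distance(domain, legit) <= MAX_EDIT_DISTANCE:
            reasons.append(f"lookalike of {legit}")
    registered = DOMAIN_REGISTRATION.get(domain)
    if registered is not None:  # no registration data means the age rule cannot fire
        age = (today - registered).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
    return reasons


def artifact_findings(path: str) -> List[str]:
    """Reasons a created file is suspicious: its name contains one of the known artifact strings."""
    name = ntpath.basename(path).lower()  # ntpath handles Windows paths on any platform
    return [f"artifact name matches {needle}" for needle in KNOWN_ARTIFACT_NAMES if needle in name]


def triage(lines: List[str], today: date) -> List[Dict[str, object]]:
    """Run both checks over telemetry lines; return one finding per line that tripped a rule."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        ev = parse_event(line)
        if ev.get("event") == "dns_query":
            reasons = domain_findings(ev.get("domain", ""), today)
        elif ev.get("event") == "file_create":
            reasons = artifact_findings(ev.get("path", ""))
        else:
            reasons = []
        if reasons:
            findings.append({"line": number, "host": ev.get("host"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, TODAY):
        print(f"line {f['line']} host {f['host']}: {'; '.join(f['reasons'])}")
```

Exact matches to the watchlist are allowlisted before the edit-distance check so that a legitimate domain never flags itself as its own lookalike, and the age rule only fires when registration data is actually available, so a missing lookup produces no finding rather than a false one. Substring matching on the artifact names is deliberately loose; in production these strings would feed a proper EDR rule alongside the behavioural detections the mitigation above calls for.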