A Russian-linked threat group known as GREYVIBE has been running active cyberattack campaigns against Ukrainian military, government, and civilian targets since at least August 2025. What makes this group stand out is its systematic use of AI tools including ChatGPT, Google Gemini, and Ideogram AI to build attack infrastructure, generate convincing lures, and develop custom malware at scale.

Cybersecurity company WithSecure first uncovered this activity in January 2026 and published a detailed technical report alongside a full indicator and YARA rule package. This article breaks down how GREYVIBE operates, what tools it uses, and what defenders can do to protect themselves.
What Is GREYVIBE?
GREYVIBE is a low-to-moderately sophisticated threat group that targets Ukrainian entities across military, government, civilian, and business sectors. WithSecure’s analysis places the group firmly within the Russian sphere. Russian-language code comments, administrative panels configured in Russian, and command-and-control (C2) servers set to UTC+3 (Moscow time) all point to Russian-speaking operators working within Moscow business hours.
The group does not yet have confirmed ties to any previously tracked nation-state actor. However, its targeting priorities and intelligence-gathering objectives align closely with Russian state interests in the context of the ongoing Russia-Ukraine war.
GREYVIBE sits in an unusual position. It does not operate with the clean tradecraft typical of mature nation-state actors. Researchers found repeated operational security failures, development and test samples uploaded to public scanning platforms like VirusTotal, and even a cryptocurrency miner deployed on some victim machines. These behaviors point toward ties to the broader cybercrime ecosystem, and WithSecure assesses with moderate confidence that the group includes current or former cybercriminal actors.
How GREYVIBE Hackers Execute Multi-Vector Attack Campaigns
GREYVIBE runs multiple parallel campaigns, each using different lures and delivery mechanisms. All of them share the same underlying malware family, infrastructure patterns, and operational behavior.
PhantomMail: Spear-Phishing via Email
Since August 2025, GREYVIBE has run at least six distinct spear-phishing campaigns under the PhantomMail umbrella. Attackers sent targeted victims emails containing links to malicious ZIP or RAR archives hosted on Google Drive and 4sync. Inside those archives, PyInstaller or JavaScript-based loaders dropped a decoy PDF or triggered a fake error pop-up while silently deploying the PhantomRelay malware in the background.
The lures impersonated real Ukrainian entities, including a Kyiv City Council official, a Ukrainian energy company, the Main Directorate of the State Emergency Service of Ukraine, and the State Service of Special Communications and Information Protection of Ukraine. This level of specificity is where AI-generated content played a direct role, allowing the group to produce convincing document replicas without the usual language errors that flag less sophisticated campaigns.
PhantomClick: Fake CAPTCHA Pages
In October 2025, GREYVIBE briefly ran a ClickFix-style campaign using fake CAPTCHA verification pages. The domains impersonated Zoom conference pages and the LAPAS (Latvian Platform for Development Cooperation) website.

Victims who landed on these pages saw instructions in Ukrainian asking them to complete a Cloudflare-themed security verification step. Following those instructions ran a hidden command that kicked off a PhantomRelay infection chain. The fake sites also redirected to the legitimate destination after the interaction, making the experience appear normal to the victim.
PrincessClub: Fake Ukrainian Adult Websites
PrincessClub is the most persistent and sophisticated campaign GREYVIBE runs. The group built fake Ukrainian adult-club websites that delivered FallSpy Android spyware to mobile users and either PhantomRelayV1 or LegionRelay to Windows users.
Confirmed victims included Ukrainian combatants, many based in Kharkiv. GREYVIBE used fake female personas on Telegram, including through local dating channels, to build trust with targets before directing them to the lure sites or sending malware directly.
Later versions of the PrincessClub sites added a WebRTC-based live call feature that only activated after infection. This turned the lure site from a static decoy into a live audio and video capture tool, functioning as a human intelligence collection mechanism.
DroneLink: Drone Charity Lures
Between March and April 2026, GREYVIBE ran a campaign using websites disguised as Ukrainian charitable foundations supporting FPV drone and UAV initiatives for the Armed Forces of Ukraine.
These sites shared C2 infrastructure with PrincessClub, used the same post-compromise tools including WireGuard and ZAPiXDESK, and hosted DAYLIGHT-obfuscated LegionRelay scripts. WithSecure tracks DroneLink separately while continuing to investigate its relationship to the broader GREYVIBE cluster.
Nebo: Russian Military Login Lures
A smaller cluster of artifacts associated with GREYVIBE impersonated a system called “СПО НЕБО” (transliterated as “SPO NEBO”). These included a FallSpy sample that mimicked a Russian-language military login screen and a fake login page hosted on PrincessClub infrastructure.
Both artifacts referenced hard-coded telephone exchange numbers consistent with secure communications systems used in Russian military settings. WithSecure believes the most likely explanation is that GREYVIBE designed these lures to deceive Ukrainian military personnel by presenting the illusion of access to a Russian military terminal, potentially as a way to gather intelligence on their communications or access patterns.
How GREYVIBE Uses AI Tools to Build Attacks
The most notable aspect of GREYVIBE’s operation is its systematic and operationally integrated use of generative AI across the entire attack lifecycle. WithSecure identified strong evidence of use across three distinct phases.
- Lure development: The group used Ideogram AI, ChatGPT, and Google Gemini to generate images for the PrincessClub campaign and to build convincing lure sites for both PrincessClub and PhantomClick campaigns. LLM markers found embedded in images confirmed AI-assisted image generation.
- Resource development: GREYVIBE used AI assistance to develop obfuscation and loader scripts including LOOKVALJS, DAYLIGHT, and TEASOUP. The group also used LLMs for full-stack development of the LegionRelay RAT and for backend infrastructure setup.
- Post-compromise activity: After gaining access to victim machines, operators used AI-generated scripts and commands delivered through PhantomRelay and LegionRelay to carry out follow-on actions.
WithSecure assesses that AI use serves three main purposes for GREYVIBE: it bridges technical capability gaps, it accelerates development and operational tempo, and it reduces reuse of code patterns that would otherwise support attribution. This last point has significant implications for threat tracking. When a group can continuously regenerate its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts become less reliable over time.
GREYVIBE Custom Malware and Tools
GREYVIBE relies on a small family of custom-developed malware and obfuscators, rotating through them across different campaigns.
PhantomRelay
PhantomRelay is a PowerShell-based remote access trojan (RAT) that uses a two-stage execution chain. The first stage runs a fingerprinting script; the second stage deploys the main RAT client. The RAT communicates with its C2 via WebSockets and supports execution of both PowerShell scripts and Windows commands.
PhantomRelay is modular by design. Its capabilities extend through additional PowerShell scripts that the C2 delivers and executes dynamically on the victim machine.
WithSecure tracks three variants:
- PhantomRelayLite: The base variant observed across GREYVIBE’s early development activity and also across separate cybercrime clusters, including a Microsoft Teams voice-phishing intrusion set and a KongTuke ClickFix delivery chain.
- PhantomRelayV1: The first operational variant weaponized by GREYVIBE, distinguished by a custom watchdog persistence mechanism and the group’s own DAYLIGHT obfuscator.
- PhantomRelayV2: The second operational variant, which reconstructs the malware while preserving core functionality.
The appearance of PhantomRelayLite across multiple cybercrime clusters places GREYVIBE in close proximity to the cybercrime ecosystem, though the exact relationship remains unclear.
LegionRelay
LegionRelay is a lightweight PowerShell-based RAT that communicates with its C2 through REST API methods. WithSecure assesses it was likely developed with LLM assistance, and design flaws in its implementation inadvertently exposed backend functionality that gave researchers extended visibility into GREYVIBE’s activity.
Operators used LegionRelay for a wide range of post-compromise actions including:
- File enumeration and exfiltration
- Screenshot capture
- Browser credential theft
- Telegram and WhatsApp data exfiltration
- RDP access setup
FallSpy: Android Spyware
FallSpy is an Android spyware first observed in August 2025 and deployed across the PrincessClub and Nebo campaigns. The malware presents decoy content to the victim while covertly collecting and exfiltrating device data.
FallSpy targets:
- Contact lists and call logs
- Installed applications
- SIM-linked phone numbers
- Device and network information
- Wi-Fi SSID
- Last-known location and public IP address
- Media files
Based on its functionality and deployment context, FallSpy serves purely as an intelligence-gathering tool.
Custom Obfuscators
GREYVIBE developed and rotated through four custom obfuscators across its campaigns:
- LOOKVALPS (PowerShell): An early-stage obfuscator used in initial campaigns.
- LOOKVALJS (JavaScript): The JavaScript-based counterpart to LOOKVALPS.
- DAYLIGHT (PowerShell): Active from October 2025, DAYLIGHT likely replaced LOOKVALPS and was routinely applied to both initial-stage and post-compromise payloads.
- TEASOUP (JavaScript): Observed from March 2026, TEASOUP succeeded LOOKVALJS.
WithSecure assesses with moderate-to-high confidence that all four were custom-developed by the group, and with moderate confidence that several were developed with LLM assistance. The naming conventions used during early development, including strings like “letsrollboyos,” “totallyunsus,” and “cuteuwu,” point toward developers with a cybercrime background rather than formal state-sponsored tradecraft.
Attribution and Russian Links
WithSecure’s attribution analysis rests on multiple converging indicators.
Russian-language markers found across code artifacts, administrative panels, and operator communications all consistently point to Russian-speaking actors. C2 servers and operator machines were configured to UTC+3 (Moscow time), and operator post-compromise activity patterns align with Moscow working hours across several months of observed data.
GREYVIBE’s targeting, lure content, and intelligence-gathering objectives align with Russian state interests in the context of the Russia-Ukraine war. The group focuses on Ukrainian military and government targets, builds lures that impersonate Ukrainian state entities, and collects the type of intelligence that would serve tactical and strategic military objectives.
At the same time, several indicators do not fit the profile of a polished nation-state operation:
- Early development samples show a connection to a unique ISO builder associated with UAC-0098, an activity cluster believed to involve former TrickBot members who targeted Ukraine at the start of the Russian invasion
- PhantomRelay variants appear across separate cybercrime clusters
- Development and test samples were uploaded to VirusTotal, which is atypical for state actors
- A cryptocurrency miner was deployed on some victim machines
- Internet slang-based naming conventions appear in early development artifacts
WithSecure assesses with moderate confidence that GREYVIBE has ties to the broader cybercrime ecosystem. Whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently under state-directed tasking, or form a hybrid team remains unclear. Precedent exists for Russian intelligence services co-opting or leveraging cybercriminal groups for state objectives.
How to Defend Against GREYVIBE
Organizations that operate in or adjacent to Ukraine-related sectors face the highest risk from GREYVIBE. The following defensive measures address the group’s known attack vectors.
Watch for spear-phishing with cloud-hosted archives: GREYVIBE delivers initial payloads through ZIP and RAR files hosted on Google Drive and 4sync. Block or scrutinize downloads from file-sharing services in high-risk environments.
Block ClickFix-style social engineering: Train users to recognize fake CAPTCHA pages that ask them to run commands. No legitimate verification page asks users to paste commands into a terminal or Run dialog.
Monitor PowerShell execution: Both PhantomRelay and LegionRelay rely heavily on PowerShell for C2 communication and post-compromise activity. Logging and alerting on unusual PowerShell execution patterns helps detect early-stage compromise.
Restrict Android sideloading: FallSpy reaches victims through fake websites and Telegram links, not the Google Play Store. Enforce mobile device policies that prevent installation of apps from unknown sources.
Use IoCs from WithSecure: WithSecure has published a full list of indicators of compromise and YARA detection rules on its GitHub repository. Adding these to your security tooling provides direct detection coverage for GREYVIBE’s known tools and infrastructure.
Apply network monitoring for WebSocket and REST C2 traffic: PhantomRelay uses WebSockets and LegionRelay uses REST APIs for C2 communication. Monitoring for unusual outbound WebSocket connections or API-style traffic to unknown endpoints helps identify active infections.
Frequently Asked Questions
What is GREYVIBE?
GREYVIBE is a Russia-linked threat group that has been targeting Ukrainian military, government, civilian, and business entities since at least August 2025. The group uses multiple attack campaigns combining AI-generated lures with custom malware to conduct cyberespionage.
How does GREYVIBE use AI in cyberattacks?
GREYVIBE uses ChatGPT, Google Gemini, and Ideogram AI across its entire attack lifecycle. The group uses AI to generate convincing lure images and websites, develop and obfuscate malware including LegionRelay, and produce post-compromise scripts and commands delivered to infected machines.
What malware does GREYVIBE use?
GREYVIBE’s malware family includes PhantomRelay (a PowerShell RAT with three variants), LegionRelay (a lightweight PowerShell RAT with broad data theft capabilities), FallSpy (an Android spyware), and four custom obfuscators: LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
Is GREYVIBE a nation-state hacking group?
WithSecure cannot definitively classify GREYVIBE as a nation-state operation. Its targeting and objectives align with Russian state interests, but multiple indicators also suggest ties to the cybercrime ecosystem. The group may involve current or former cybercriminal members operating alongside or under direction from state-affiliated actors.
How does FallSpy Android spyware work?
FallSpy presents decoy content on the victim’s Android device while covertly collecting contacts, call logs, SIM information, device and network data, location, Wi-Fi SSID, public IP address, and media files. It delivers this data to GREYVIBE’s C2 infrastructure for intelligence-gathering purposes.
What is the PhantomClick attack?
PhantomClick is a GREYVIBE campaign that uses fake CAPTCHA pages disguised as Zoom and LAPAS websites. Victims see instructions in Ukrainian asking them to complete a Cloudflare-themed verification step. Running those instructions triggers a hidden command that deploys PhantomRelay on the victim machine.
