How ChatGPT Became a Weapon in Russian Cyber Attacks on Ukraine
A previously undocumented Russian cyber espionage group called GREYVIBE has systematically weaponized OpenAI's ChatGPT, Google's Gemini, and other AI tools throughout its attack campaigns targeting Ukrainian military, government, and civilian organizations since at least August 2025. Security researchers at WithSecure discovered that the group integrated artificial intelligence into nearly every operational phase, from initial phishing emails to malware development and post-compromise activity.
What Is GREYVIBE and How Does It Use AI?
GREYVIBE represents a notable shift in how cyber criminals approach espionage operations. Rather than treating AI as an experimental tool, the group has embedded large language models (LLMs), which are AI systems trained on vast amounts of text to understand and generate human language, directly into its operational workflow. WithSecure researchers identified the group as Russian-speaking operators working in the Moscow time zone, with targets aligned to Russian intelligence interests.
The scope of AI integration across GREYVIBE's operations is striking. Researchers found strong evidence that the group relied on AI tools for multiple critical functions:
- Lure Development: Creating convincing phishing emails and fake websites designed to trick victims into downloading malware
- Malware Creation: Using AI to write and refine malicious code that infects target systems
- Infrastructure Setup: Automating the deployment of servers and systems needed to support attacks
- Obfuscation Tooling: Generating code that hides malware from security detection systems
- Post-Compromise Activity: Automating actions taken after successfully breaching a target system
"GREYVIBE appears to use AI not only for isolated development tasks, but across multiple operational phases. This likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity," stated Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure.
What Attack Methods Did GREYVIBE Actually Deploy?
Despite having access to cutting-edge AI tools, GREYVIBE's actual attack methods remained relatively straightforward. The group used spear-phishing emails, fake CAPTCHA pages (those "I'm not a robot" verification screens), and bogus Ukrainian adult club websites to lure victims into installing malware. These tactics are not new, but using AI to generate and refine them at scale represents an evolution in how long-established cyber crime techniques are being applied.
The campaign has targeted a broad range of Ukrainian organizations, hitting military and government agencies alongside civilian and business entities. This suggests GREYVIBE operates with support from state-level intelligence interests, using AI to accelerate what would otherwise be time-consuming manual work.
How to Recognize and Defend Against AI-Powered Phishing Attacks
- Scrutinize Sender Details: Check email addresses carefully for subtle misspellings or unusual domains that mimic legitimate organizations, as AI-generated phishing emails may contain inconsistencies in formatting or language patterns
- Verify Unexpected Requests: Be cautious of urgent requests for passwords, credentials, or system access, especially from unfamiliar contacts or through unusual channels
- Test Links Before Clicking: Hover over links in emails to see the actual destination URL before clicking, and verify that CAPTCHA pages appear on legitimate official websites rather than in email links
- Enable Multi-Factor Authentication: Require multiple forms of verification to access accounts, making it harder for attackers to gain access even if they obtain passwords
- Report Suspicious Activity: Alert your organization's security team immediately if you receive phishing attempts or suspicious emails, helping defenders understand emerging attack patterns
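The first and third tips above can be applied mechanically before a message reaches a human. The following Python script is an added example, not code from the article or from WithSecure: it parses a raw email, flags a sender domain that closely resembles a trusted domain, a Reply-To that differs from the From domain, anchor text that displays one host while the href points to another, and CAPTCHA-style links that lead outside the trusted domain list. The trusted domain list, the two sample messages and the 0.8 similarity threshold are constructed assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-ministry.gov.ua", "example-corp.com"}
LOOKALIKE_THRESHOLD = 0.8  # assumed heuristic cut-off for "nearly identical" domains


def domain_of(address):
    """Return the lowercased domain part of an RFC 822 address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=LOOKALIKE_THRESHOLD):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate and never reported; a near match (one swapped
    letter, an extra character) above the threshold is reported.
    """
    best, best_ratio = None, 0.0
    for candidate in trusted:
        if domain == candidate:
            return None
        ratio = SequenceMatcher(None, domain, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Extract a hostname if the anchor text itself looks like a URL or domain."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return match.group(1) if match else None


def analyse_email(raw):
    """Return a list of (severity, reason) findings for one raw text/html message."""
    msg = message_from_string(raw)
    findings = []

    sender_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("high", f"sender domain {sender_domain!r} resembles trusted {imitated!r}"))
    if reply_domain and reply_domain != sender_domain:
        findings.append(("medium", f"Reply-To domain {reply_domain!r} differs from From {sender_domain!r}"))

    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = host_in_text(text)
        # Displayed URL and real destination disagree: the classic hover check.
        if shown_host and shown_host != href_host:
            findings.append(("high", f"link text shows {shown_host!r} but points to {href_host!r}"))
        link_imitates = lookalike_of(href_host)
        if link_imitates:
            findings.append(("high", f"link host {href_host!r} resembles trusted {link_imitates!r}"))
        # A CAPTCHA or "not a robot" prompt should live on a known site, not in a mail link.
        if re.search(r"captcha|verify|not a robot", text, re.I) and href_host not in TRUSTED_DOMAINS:
            findings.append(("medium", f"verification-style link to untrusted host {href_host!r}"))
    return findings


# Constructed sample: one-letter domain swap, mismatched Reply-To, fake CAPTCHA link.
SAMPLE_EMAIL = """From: "Document Service" <docs@example-ministry.qov.ua>
Reply-To: collect@mailbox-example.net
To: analyst@example-corp.com
Subject: Verify you are not a robot to open the attached order
Content-Type: text/html

<html><body>
<p>Please complete the verification below.</p>
<a href="http://verify-example-ministry.net/captcha">https://example-ministry.gov.ua/login</a>
<a href="http://verify-example-ministry.net/captcha">Click here, I'm not a robot</a>
</body></html>
"""

# Constructed sample: a benign message from a trusted domain with an honest link.
CLEAN_EMAIL = """From: "Registry" <registry@example-ministry.gov.ua>
To: analyst@example-corp.com
Subject: Weekly bulletin
Content-Type: text/html

<html><body><a href="https://example-ministry.gov.ua/portal">Portal</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label)
        for severity, reason in analyse_email(raw):
            print(f"  [{severity}] {reason}")
```

The similarity check uses a plain edit-ratio heuristic, so it catches single-character swaps like `qov` for `gov` but not every registration of a trusted brand inside a longer hostname; a production mail gateway would pair it with a confusable-character table and DMARC results.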
Why Did Researchers Catch GREYVIBE Despite Its AI Advantage?
Ironically, GREYVIBE's extensive use of AI tools did not make the group invulnerable. Researchers discovered that the operators repeatedly made operational security mistakes that exposed their activities. The group uploaded malware to public services, left behind development artifacts with names like "letsrollboyos," "totallyunsus," and "cuteuwu," and introduced critical design flaws into their LegionRelay malware, which researchers suspect was developed with LLM assistance.
These mistakes allowed WithSecure researchers to monitor GREYVIBE's activity over an extended period and map out the full scope of their operations. The flaws in the malware's design exposed parts of the group's backend infrastructure, giving security researchers a window into how the attacks were being coordinated.
The GREYVIBE case illustrates a broader debate within the cybersecurity industry about whether AI will create a new generation of elite, highly capable cyber operators or simply make existing criminals faster and more productive. Based on the evidence, GREYVIBE appears to fall squarely into the second category. The group is using AI to accelerate and scale traditional attack methods, but the underlying tradecraft remains vulnerable to the same operational security mistakes that have always plagued cyber criminals.
As AI tools become more accessible and easier to use, defenders should expect to see more threat groups adopting similar approaches. The key difference is not that AI makes attackers smarter, but that it makes them faster and more prolific, potentially allowing smaller teams to conduct larger campaigns with less manual effort.