GreyVibe Hackers Weaponize ChatGPT and Gemini in Attacks

A threat group tracked as GreyVibe is actively using commercial AI platforms, including ChatGPT and Google Gemini, to build convincing attack lures and develop a custom suite of malware tools targeting military, government, civilian, and business organizations. Cybersecurity firm WithSecure identified and reported the campaign in January 2026, with activity traced back to at least August 2025. Although the group’s current focus is on Ukrainian and Ukraine-related entities, the tactics, techniques, and tooling on display are fully portable, and organizations in Canada operating in defense, government, or critical infrastructure have clear reason to pay attention.

GreyVibe’s documented use of large language models (LLMs) to manufacture attack content removes any remaining doubt that AI-assisted cyberattacks have crossed from theoretical concern into active operational reality.

Who Is GreyVibe?

Technical indicators place GreyVibe firmly in the Russian-speaking threat actor landscape. The malware panel interfaces are written in Russian, code artifacts contain Russian-language comments, and the command-and-control (C2) servers are configured to UTC+3, which corresponds to Moscow standard time. The campaign’s consistent targeting of Ukrainian organizations aligns with Russian geopolitical interests.

Despite these indicators, WithSecure stopped short of classifying GreyVibe as a confirmed nation-state operation. The group shows capability and intent consistent with state-directed activity, but also carries the fingerprints of the cybercriminal world. Early test samples matched tooling tied to UAC-0098, a threat cluster composed of former TrickBot members that was active against Ukraine at the outset of the Russian invasion. This overlap suggests GreyVibe may be composed of, or operating alongside, retasked cybercriminals working under some degree of state direction.

Researchers described the group as potentially operating via three possible structures: former or current criminal members absorbed into a state-backed operation, an independent crew acting on state-directed tasking, or a hybrid team blending both. The ambiguity makes this group harder to predict and attribute, which is itself a defensive challenge.

Five AI-Polished Attack Chains

GreyVibe ran at least five distinct campaign chains simultaneously, each with its own delivery method and social engineering angle. AI tools played a direct role in elevating the quality and realism of content across all of them.

PhantomMail

PhantomMail used targeted spear-phishing emails to deliver malicious ZIP and RAR archives via cloud storage links on Google Drive and 4sync. Decoy PDFs and fake error messages kept victims occupied while malware was deployed in the background. The lures specifically impersonated Ukrainian government agencies, emergency services, telecommunications providers, and energy sector organizations, making them highly convincing to the intended recipients.

PhantomClick

PhantomClick built fake ClickFix pages disguised as legitimate Zoom and LAPAS portals. Victims were shown what appeared to be a Cloudflare verification prompt; following its instructions had the victim copy a command and run it themselves, typically by pasting it into the Windows Run dialog or a terminal, so the infection was user-executed rather than exploit-driven. This technique has grown increasingly popular across multiple threat actor groups over the past year.

PrincessClub

PrincessClub deployed fraudulent Ukrainian adult dating websites to push FallSpy Android spyware and either PhantomRelay or LegionRelay Windows malware, depending on the victim’s device. Operators constructed fake female Telegram personas to build trust with targets before steering them toward the malicious sites. In later versions, the campaign added WebRTC-based live call capabilities that gave operators the ability to capture a victim’s audio and video in real time.

DroneLink

DroneLink ran parallel to PrincessClub using fake Ukrainian military charity sites themed around FPV drones and UAV warfare. The campaign shared infrastructure and tooling with PrincessClub, pointing to a shared operational team that simply adjusted the messaging for a different victim profile.

Nebo

Nebo used fake login pages spoofing “СПО НЕБО,” a Russian military communications platform. These pages were almost certainly designed to harvest credentials from Ukrainian military personnel who believed they were accessing an internal system.

The AI-Assisted Malware Toolkit

WithSecure found strong evidence that several of GreyVibe’s custom tools were built with LLM assistance, reflecting an increasingly common pattern of threat actors using commercial AI to accelerate development.

LegionRelay is a PowerShell-based remote access trojan (RAT) that sits at the top of the group’s capability stack. It supports file theft, screenshot capture, browser credential harvesting, data exfiltration from Telegram and WhatsApp, and setup of Remote Desktop Protocol (RDP) access on compromised hosts. The code quality and functional breadth led researchers to conclude that AI involvement in its development was likely.

PhantomRelay, also a PowerShell RAT, is a lighter instrument focused on system profiling, dynamic script loading, and remote command execution. It has also been observed in cybercrime operations outside of this campaign, reinforcing the theory that GreyVibe’s membership includes individuals with criminal backgrounds.

The group’s custom obfuscators, LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, were flagged as likely LLM-assisted products as well. These tools are designed to defeat static analysis and complicate detection by endpoint security solutions.

On Android, FallSpy functions as a pure intelligence-gathering implant. It silently collects contact lists, call logs, device and network metadata, GPS location data, media files, and SIM card information from compromised devices.

Canadian Impact and the CCCS Angle

GreyVibe’s present targeting is focused on Ukraine, but Canadian organizations should not treat this as a remote concern. The Canadian Centre for Cyber Security (CCCS) has consistently warned that Russian-aligned threat actors maintain an active interest in Canadian government, defense contracting, telecommunications, and energy infrastructure, particularly given Canada’s ongoing commitments to NATO and its support for Ukraine.

Every attack chain documented in this campaign uses techniques that translate directly to a Canadian operating environment. Spear-phishing with AI-generated content, ClickFix-style execution lures, and PowerShell-based RATs are not tailored to any specific geography. A threat actor with GreyVibe’s toolset could redirect these campaigns at Canadian targets with minimal reconfiguration.

Under PIPEDA, a successful LegionRelay deployment against a Canadian private-sector organization would almost certainly be a reportable breach. The reporting threshold is a breach of security safeguards that poses a real risk of significant harm to individuals, and harvested browser credentials, messaging app data, and unauthorized RDP access plainly meet it, triggering notification obligations to both affected individuals and the Office of the Privacy Commissioner of Canada, plus a record-keeping duty for the breach itself. Beyond compliance, the reputational and operational damage from such a compromise would be severe. Canadian defense contractors, government suppliers, and critical infrastructure operators should treat this report as actionable threat intelligence, not background reading.

Key Takeaways

  • GreyVibe is a likely Russian-aligned threat group operating since at least August 2025, targeting military, government, and civilian sectors with a primary focus on Ukrainian entities.
  • The group leverages ChatGPT, Google Gemini, and Ideogram AI to produce high-quality phishing lures, fake websites, and social engineering content across five documented attack chains.
  • Custom malware, including LegionRelay and PhantomRelay, both PowerShell-based RATs, was likely developed with LLM assistance and supports credential theft, file exfiltration, and remote access.
  • FallSpy Android spyware rounds out the toolkit with silent collection of contacts, location data, media files, and SIM information.
  • WithSecure assesses GreyVibe as a hybrid entity, potentially blending state-directed tasking with current or former cybercriminal operators, making attribution and prediction more difficult.
  • All documented attack techniques are fully transferable to Canadian targets, with particular risk to defense, government, telecom, and energy sectors.
  • Public indicators of compromise are available from WithSecure’s GitHub repository and should be loaded into defensive tooling immediately.

What You Should Do Now

  1. Download the GreyVibe IoCs from WithSecure Labs at github.com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv and ingest them into your SIEM, firewall, and endpoint detection platforms without delay.
  2. Restrict ZIP and RAR file delivery over email and cloud storage links, such as Google Drive and 4sync, for any user role that has no legitimate operational need to receive them.
  3. Educate staff on ClickFix-style lures, specifically pages that request clipboard-pasted terminal commands or present fake Cloudflare verification steps. Include simulated versions of this technique in your phishing awareness program.
  4. Harden PowerShell across all Windows endpoints. Both LegionRelay and PhantomRelay depend on PowerShell for execution and persistence. Note that the PowerShell execution policy is not a security boundary; it is bypassed trivially with -ExecutionPolicy Bypass or by piping script text into powershell.exe. The controls that matter are Constrained Language Mode enforced through application control (WDAC or AppLocker), script block and module logging forwarded to your SIEM, and AMSI-backed endpoint protection; together these significantly reduce the attack surface.
  5. Audit Android device access policies. FallSpy shows the user no visible indicators while it runs. Ensure your mobile device management (MDM) solution monitors for unusual data access or exfiltration patterns on devices that connect to work resources.
  6. If your organization operates in Canadian defense contracting, government supply chain, critical infrastructure, or telecommunications, brief your CISO and incident response team on the full GreyVibe campaign profile.
  7. Report suspected GreyVibe activity or related indicators to the Canadian Centre for Cyber Security via cccs-ccn.ca or the national cyber incident reporting line.
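To make step 1 concrete, here is an added Python example (not from the article or from WithSecure) that loads an IoC CSV, refangs defanged entries, infers indicator types, and matches each indicator against log lines with boundaries that avoid false hits such as 198.51.100.23 matching 198.51.100.230. The CSV layout (indicator,type,campaign), the indicator values, and the log lines are all constructed for the example; the real greyvibe_iocs.csv may use different column names, so the loader falls back to the first column and to type inference when it has to.

```python
import csv
import io
import re

# Constructed sample IoC file in the layout ASSUMED here (indicator,type,campaign).
# Values are placeholders, NOT real GreyVibe indicators. WithSecure's real CSV may
# use other column names; load_iocs() then falls back to the first column and to
# classify() for the type.
SAMPLE_IOC_CSV = """indicator,type,campaign
198.51.100[.]23,ip,PhantomClick
lure-portal[.]example,domain,PhantomClick
a8f5f167f44f4964e6c998dee827110c3c9f7a7f0e0f0e0b0c0d0e0f10111213,sha256,LegionRelay
hxxps://cloud-share[.]example/dl/decoy.zip,url,PhantomMail
"""

# Constructed DNS / proxy / EDR log lines, not real telemetry. Lines 4 and 5 must
# NOT match: a different domain, and an IP that merely shares a prefix.
SAMPLE_LOGS = [
    "2026-01-14T09:12:31Z dns client=10.0.4.17 query=login.lure-portal.example type=A",
    "2026-01-14T09:12:34Z proxy client=10.0.4.17 dst=198.51.100.23:443 method=CONNECT",
    "2026-01-14T09:13:02Z edr host=WS-0417 image=C:\\Users\\a\\AppData\\Local\\Temp\\update.ps1 "
    "sha256=A8F5F167F44F4964E6C998DEE827110C3C9F7A7F0E0F0E0B0C0D0E0F10111213",
    "2026-01-14T09:14:10Z proxy client=10.0.4.17 url=https://cloud-share.example/dl/decoy.zip status=200",
    "2026-01-14T09:20:00Z dns client=10.0.4.22 query=mail.example.org type=A",
    "2026-01-14T09:21:00Z proxy client=10.0.4.22 dst=198.51.100.230:443 method=CONNECT",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),
}
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
INDICATOR_COLUMNS = ("indicator", "value", "ioc", "observable")


def refang(value: str) -> str:
    """Undo the usual defanging in shared IoC lists (hxxp, [.], [:]) and lower-case."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v)


def classify(value: str) -> str:
    """Infer the indicator type from its shape when the feed does not say."""
    v = refang(value)
    if IPV4.match(v):
        return "ip"
    for name, rx in HASH.items():
        if rx.match(v):
            return name
    if v.startswith(("http://", "https://")):
        return "url"
    if DOMAIN.match(v):
        return "domain"
    return "unknown"


def compile_pattern(value: str, typ: str) -> re.Pattern:
    """Build a matcher with type-appropriate boundaries for lower-cased log text."""
    esc = re.escape(value)
    if typ == "ip":
        # No digit or dot on either side: 198.51.100.23 must not hit 198.51.100.230.
        return re.compile(rf"(?<![\d.]){esc}(?![\d.])")
    if typ == "domain":
        # Subdomains match (login.lure-portal.example); lure-portal.example.org does not.
        return re.compile(rf"(?<![\w-]){esc}(?!\.?[\w-])")
    if typ in HASH:
        return re.compile(rf"(?<![0-9a-f]){esc}(?![0-9a-f])")
    return re.compile(esc)  # url / unknown: literal substring


def load_iocs(csv_text: str) -> list:
    """Parse an IoC CSV into refanged indicators with compiled match patterns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    ind_col = next((f for f in fields if f.lower() in INDICATOR_COLUMNS), fields[0])
    iocs = []
    for raw_row in reader:
        row = {k.lower(): (v or "").strip() for k, v in raw_row.items() if k}
        raw = row.get(ind_col.lower(), "")
        if not raw:
            continue
        value = refang(raw)
        typ = row.get("type", "").lower() or classify(value)
        iocs.append({"value": value, "type": typ, "campaign": row.get("campaign", ""),
                     "pattern": compile_pattern(value, typ)})
    return iocs


def scan(iocs: list, lines: list) -> list:
    """Return one hit per (line, indicator) pair; matching is case-insensitive."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        for ioc in iocs:
            if ioc["pattern"].search(low):
                hits.append({"line": i, "type": ioc["type"],
                             "indicator": ioc["value"], "campaign": ioc["campaign"]})
    return hits


if __name__ == "__main__":
    for hit in scan(load_iocs(SAMPLE_IOC_CSV), SAMPLE_LOGS):
        print(hit)
```

In production the same loader feeds a SIEM lookup table or blocklist rather than a Python loop, but the boundary rules and the refang step are exactly what prevent a raw CSV import from producing prefix false positives or silently missing defanged entries.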