WithSecure links new Russia-aligned GreyVibe campaign to phishing and malware attacks on Ukrainian targets

Researchers say a previously undocumented Russia-linked group called GreyVibe has targeted Ukrainian military, government, civilian, and business organizations since August 2025. WithSecure says the actor used at least six spear-phishing campaigns, fake adult-club websites, Telegram and dating-site lures, and file-sharing links to deliver PhantomRelay and LegionRelay malware on Windows and Fallspy on Android; the report also says the group used ChatGPT, Gemini, Ideogram, and other generative artificial intelligence tools across lure creation, malware development, obfuscation, and post-compromise tooling.
Why it matters: The report describes an active espionage-focused campaign against Ukrainian targets and shows how lower-sophistication operators can use generative artificial intelligence to scale convincing phishing and malware operations. Organizations supporting Ukraine should review indicators, harden email and mobile defenses, and warn users about archive-based lures, fake personas, and links delivered over chat and dating platforms.

Sources

Russia-linked threat group put ChatGPT to work from lure to payload
2026.05.29 97% relevant
This article is a direct write-up of the same GREYVIBE campaign, adding detail that the operators used ChatGPT, Gemini, and Ideogram AI across lure creation, malware development, infrastructure setup, obfuscation, and post-compromise work, and noting OPSEC mistakes and design flaws in LegionRelay that exposed backend infrastructure.

GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
Bill Toulas 2026.05.28 98% relevant
This article is a direct update on the same GreyVibe campaign, adding detail that the group used ChatGPT, Gemini, and other AI tools to generate lures and likely assist development of custom obfuscators and malware including LegionRelay, PhantomRelay, and FallSpy, alongside more specifics on attack chains such as PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo.

Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks
Kevin Townsend 2026.05.28 100% relevant
This article appears to be the first tracked item here establishing GreyVibe as a distinct Russia-linked campaign and naming its malware families, targeting, and AI-assisted operating methods.