Security firm WithSecure has been tracking a previously unknown Russian-linked APT group called GREYVIBE since at least August 2025. The group targets Ukraine and Ukrainian-related organizations across military, government, civilian, and business sectors. According to the experts, the APT group is not particularly sophisticated, but it’s persistent, and it’s using AI to compensate for skill gaps. However, the researchers state that the group keeps making mistakes that give them a clear look inside.
“The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims. The observed victimology includes military, government, civilian, and business-related entities.” reads the report published by WithSecure. “Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware. WithSecure additionally identified several associated activity and related campaigns that shared varying degrees of overlap with the group’s tooling, infrastructure, and tradecraft.”
The group’s toolset is broad. The researchers documented five distinct attack chains employed by the group, each with its own lure and payload.

PhantomMail uses spear-phishing emails with links to malicious archives on Google Drive and 4sync, delivering JavaScript-based loaders and a PowerShell remote access trojan called PhantomRelay.

PhantomClick uses fake CAPTCHA pages impersonating Zoom and LAPAS in the style of ClickFix attacks, tricking victims into running commands that install the same PhantomRelay implant.

PrincessClub is the strangest one: fake Ukrainian adult-club websites that deliver Android spyware called FallSpy, or Windows-based RATs, depending on the victim’s device. Later versions of the lure sites added a live WebRTC video-call feature to capture audio and video from the victim in real time.

DroneLink uses websites posing as charitable foundations supporting the Ukrainian military to deliver WireGuard VPN software alongside a lightweight RAT called LegionRelay.

Finally, a campaign called Nebo uses a FallSpy sample designed to mimic a Russian military login screen, apparently to trick Ukrainian military personnel into thinking they’re accessing a Russian terminal. That last one deserves a moment of pause.

Custom-built malware makes attribution more difficult because it avoids the recognizable fingerprints often left by off-the-shelf tools. Attackers who develop their own code, or use AI to help generate it, can reduce the indicators researchers typically rely on to link operations together.
That’s exactly what GREYVIBE is doing. WithSecure found evidence of AI assistance across multiple parts of the operation: image generation via Ideogram AI, code development with ChatGPT and Google Gemini, obfuscation scripts, backend infrastructure, and post-compromise command generation. The AI use isn’t incidental. It’s structural.
“The group’s operation aligns with Russian state interests but does not consistently exhibit the operational maturity associated with more seasoned adversaries, and indicators also suggest ties to the broader cybercrime ecosystem.” continues the report. “The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories.”
A group that can generate and replace technical components faster than researchers can cluster them is harder to track over time, even if the underlying activity stays consistent.
The AI assistance has also backfired. Design flaws introduced into LegionRelay exposed its backend functionality to researchers. The group uploaded test samples to VirusTotal during development.
Development artifact names include internet slang like “letsrollboyos,” “totallyunsus,” and “cuteuwu.” One of the campaigns deployed an XMRig cryptocurrency miner on a small number of infected machines, which is not standard behavior for a disciplined intelligence operation. Pure nation-state actors don’t usually mine crypto on the side.
That’s where the attribution gets interesting. WithSecure found connections between GREYVIBE’s tooling and both the TrickBot gang and UAC-0098, a group previously linked to Russian cybercriminal networks. PhantomRelay variants appeared in a Microsoft Teams voice-phishing campaign and a separate ClickFix delivery chain between February and March 2026 that looked unrelated to the Ukrainian targeting.
“Taken together, we assess with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it involves current or former cybercriminal members.” concludes the report. “The exact nature of their relationship to the Russian state remains unclear, whether such members have been absorbed into a state-backed group, operate independently under state-directed tasking, or have formed a hybrid team.”
The hybrid model isn’t new. Russia has a long history of tolerating or directing criminal actors when their interests align, especially in wartime. What’s new here is how visible the seams are. GREYVIBE’s OpSec failures, its AI-generated artifacts, its crypto mining side hustle, and its internet-slang naming conventions all point to a group that’s more improvised than institutional. It’s dangerous enough to have run sustained campaigns against Ukrainian targets for nearly a year. It’s also sloppy enough that WithSecure has a detailed technical report on how all of it works.