GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
The GreyVibe threat group, likely Russian-aligned, has been conducting cyberespionage campaigns targeting Ukrainian military, government, civilian, and business sectors since at least August 2025. It uses AI-generated phishing lures and a suite of custom malware tools, including PowerShell-based remote access trojans and Android spyware, to steal intelligence and credentials. The group employs multiple attack chains with realistic decoys and fake websites, leveraging AI tools such as ChatGPT and Google Gemini to improve lure quality and speed up malware development. While its activity aligns with state interests, researchers note a lack of the operational discipline typical of nation-state actors and the possible involvement of former cybercriminals. No exploits in the wild or patches apply, since this is an active threat actor campaign rather than a software vulnerability.
AI Analysis
Technical Summary
GreyVibe is a cyberespionage threat cluster targeting Ukraine-related entities with AI-generated social engineering lures and custom malware. Its campaigns include spear-phishing with malicious archives, fake CAPTCHA pages, fraudulent adult/dating and military-themed websites, and malware such as the LegionRelay and PhantomRelay RATs and the FallSpy Android spyware. The group uses AI tools to create realistic lure content and malware obfuscators. Indicators suggest a hybrid composition of state-aligned and cybercriminal actors. The malware supports credential theft, data exfiltration, and remote access. The campaign has been active since mid-2025 and focuses on intelligence collection rather than destructive attacks.
Potential Impact
The GreyVibe campaigns enable attackers to steal sensitive information including credentials, communication data, device and network details, and media files from targeted Ukrainian organizations. The malware facilitates remote access, data exfiltration, and espionage activities. While no direct destructive impact or widespread exploitation is reported, the intelligence theft poses significant risks to military, government, and civilian sectors in Ukraine. The presence of cryptocurrency miners on some infected machines indicates secondary monetization attempts. The threat actor's use of AI enhances lure effectiveness, increasing the likelihood of successful compromises.
Mitigation Recommendations
No official patches or fixes apply, as this is an active threat actor campaign rather than a software vulnerability. Organizations should use the indicators of compromise (IoCs) published by WithSecure and other threat intelligence sources to detect and block GreyVibe activity. Defenders should be aware of the convincing AI-generated lures and the custom malware tools in use. Implement targeted email filtering, user awareness training focused on spear-phishing, and endpoint detection for PowerShell-based RATs and Android spyware. Monitor for suspicious network traffic to known command-and-control infrastructure. No vendor advisory indicates that action is unnecessary; proactive defense is recommended.
Affected Countries
Ukraine
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/greyvibe-hackers-use-chatgpt-gemini-to-power-cyberattacks/ (fetched 2026-05-28T22:34:06.445Z, 939 words)
Threat ID: 6a18c2dee29bf47b503a47e9
Added to database: 5/28/2026, 10:34:06 PM
Last enriched: 5/28/2026, 10:34:14 PM
Last updated: 5/29/2026, 5:29:18 PM