GreyVibe is a previously undocumented threat actor attributed to Russian-speaking operators in the Moscow time zone, active since August 2025. The group leverages generative AI tools across all phases of its operations, including malware development, obfuscation, and phishing lure creation, to compensate for capability gaps and increase operational velocity. Its campaigns target Ukrainian military, government, civilian, and business sectors using spear-phishing emails that deliver Windows malware (PhantomRelay, LegionRelay) and Android malware (Fallspy) through third-party file-sharing services and fake adult-club websites. GreyVibe’s operational profile is notable for AI-powered ambition rather than raw technical skill, with mistakes in malware design enabling extended monitoring by researchers. The group’s use of AI complicates tracking and attribution and may signal how lower-tier actors will evolve. There is no indication of deepfake use or confirmed expansion beyond Ukraine at this time.

GreyVibe’s AI-enhanced operations increase the speed, scale, and complexity of cyberattacks against Ukrainian military, government, civilian, and business targets. The use of AI-generated malware and phishing lures enables the group to fill capability gaps and evade traditional detection methods. While no known exploits in the wild are reported beyond their campaigns, the operational ambition and evolving tradecraft pose a medium-level threat to targeted sectors. The group’s activity complicates attribution and continuous monitoring efforts, potentially increasing the difficulty of defensive measures.

This threat describes an active adversary group rather than a specific software vulnerability; therefore, no direct patch or official fix applies. Organizations in potentially targeted sectors should maintain vigilance against spear-phishing campaigns and suspicious file-sharing links. Monitoring for indicators of compromise related to PhantomRelay, LegionRelay, and Fallspy malware families may be beneficial. Given the evolving AI-driven tactics of GreyVibe, defenders should consider enhancing detection capabilities for AI-generated phishing and malware artifacts. No vendor advisory or official remediation guidance is available; patch status is not applicable.