WithSecure — GreyVibe Russia-Linked Group Supercharges Ops with AI
AI relevance: GreyVibe demonstrates how non-elite threat actors use commercial AI models to compensate for skill gaps — generating custom malware, phishing lures, and post-compromise tooling at a pace that would previously require a dedicated team.
- WithSecure published a report on GreyVibe, a previously undocumented Russia-nexus threat group targeting Ukrainian military, government, and business entities since August 2025.
- The group uses ChatGPT, Google Gemini, and Ideogram AI across every operational phase: fake website creation, lure crafting, custom malware development, obfuscation, and post-compromise scripting.
- GreyVibe's LLM-generated LegionRelay Windows malware contains design flaws — a rare indicator of non-elite operators — that enabled WithSecure researchers to track the group's activity since mid-2025.
- Operational indicators suggest the group is not a pure state actor: Internet slang naming conventions in early artefacts ("letsrollboyos", "totallyunsus", "cuteuwu") and AI-generated code quality issues.
- Attack vectors include six distinct spear-phishing campaigns delivering ZIP/RAR archives via Google Drive and 4sync, with decoy files masking PhantomRelay infection chains.
- A separate "PrincessClub" campaign uses fake adult-club websites with Telegram/dating-site personas to deliver Fallspy Android malware and PhantomRelay/LegionRelay on Windows.
- WithSecure assesses: "What sets GreyVibe apart is not raw technical skill, but operational ambition powered by AI. It's a preview of how lower-sophistication actors will increasingly operate."
Why it matters
GreyVibe represents a shift in threat actor profiles: groups without elite capabilities can now field sophisticated multi-platform malware campaigns by leaning heavily on commercial AI. The LLM-generated design flaws are actually useful for defenders — they create tracking and attribution signals that wouldn't exist in hand-crafted malware. Expect more groups to follow this model.
What to do
- Treat AI-generated malware signatures as evolving — rely on behavioral detection, not just static indicators.
- Watch for LLM-specific artefacts in malware: inconsistent coding styles, unused imports, and structural anomalies that suggest AI-assisted development.
- Ukraine-aligned organizations should prioritize awareness of multi-vector phishing campaigns combining decoy files with background malware delivery.
- Review phishing detection rules for ZIP/RAR archives hosted on consumer file-sharing services.
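As an added illustration of the last item (not code from the WithSecure report), a small Python check over constructed mail-gateway log lines that flags messages linking a ZIP/RAR archive on the consumer file-sharing hosts the report names; the log format, host list and sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Consumer file-sharing hosts named in the report as delivery channels
# (assumed host spellings; extend with what your own gateway observes).
SHARING_HOSTS = {"drive.google.com", "docs.google.com", "4sync.com"}
# The lure archives described in the report are ZIP or RAR.
ARCHIVE_RE = re.compile(r"\.(zip|rar)$", re.IGNORECASE)


def parse_line(line):
    """Parse a constructed 'key=value key=value' gateway log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def sharing_host(url):
    """Return the normalised host if the URL points at a sharing service."""
    host = (urlparse(url).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return host if host in SHARING_HOSTS else None


def flag_archive_lures(lines):
    """Return (sender, host, filename) for messages linking a ZIP/RAR on a
    consumer sharing host: the delivery pattern the report attributes to GreyVibe."""
    hits = []
    for line in lines:
        f = parse_line(line)
        url, name = f.get("url", ""), f.get("name", "")
        host = sharing_host(url)
        if host is None:
            continue
        # The archive name may appear as link/attachment text or in the URL path.
        path_name = urlparse(url).path.rsplit("/", 1)[-1]
        if ARCHIVE_RE.search(name) or ARCHIVE_RE.search(path_name):
            hits.append((f.get("from", "?"), host, name or path_name))
    return hits


# Constructed sample lines (not from the report) in the simplified format above.
SAMPLE_LOGS = [
    "ts=2025-09-03T08:14:22Z from=recruit@mail.invalid url=https://drive.google.com/uc?export=download&id=1AbC name=Report.zip",
    "ts=2025-09-03T08:15:01Z from=colleague@mail.invalid url=https://drive.google.com/file/d/xyz/view name=Agenda.pdf",
    "ts=2025-09-03T09:02:10Z from=news@mail.invalid url=https://www.4sync.com/rar/abc123/Invoice_0925.rar name=",
    "ts=2025-09-03T09:40:55Z from=vendor@mail.invalid url=https://example.com/files/update.rar name=update.rar",
]

if __name__ == "__main__":
    for sender, host, fname in flag_archive_lures(SAMPLE_LOGS):
        print(f"ALERT archive lure via {host}: {fname} from {sender}")
```

The fourth sample line is deliberately not flagged: an archive on an ordinary corporate host is outside this rule's scope and belongs to attachment scanning instead.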