Attackers use AI to increase velocity, scale, and sophistication. As generative AI tooling improves, so will attackers' use of it, and GreyVibe is one group to watch.
The line separating cybercriminal collectives from nation-state operators has never been perfectly clean, but a newly documented threat actor is making that distinction harder to draw than ever. WithSecure researchers have named and detailed GreyVibe, a Russia-nexus group that has been running sustained campaigns against Ukrainian military, government, civilian, and business targets since August 2025, and whose most notable characteristic is not technical sophistication but an unusually aggressive and broad reliance on AI across every phase of its operations.
Attribution Without a Clean Answer
WithSecure places GreyVibe in the Russia-aligned category with reasonable confidence. The targeting profile fits Russian state interests precisely: Ukraine-focused, sustained, and spanning both military and civilian infrastructure. The researchers have traced activity to Russian-speaking operators in the Moscow time zone.
What they cannot resolve cleanly is whether GreyVibe is a cybercriminal group, a state-directed threat actor, or something that blurs both. The evidence cuts in contradictory directions. The operational focus on Ukraine suggests state alignment. But artifacts scattered across the group’s early-stage development work point toward operators who do not carry the discipline of elite state actors. Development artifacts carried names like letsrollboyos, totallyunsus, and cuteuwu, internet slang that does not typically surface in the work of carefully managed intelligence operatives.
More telling was a design flaw introduced into LegionRelay, the group's Windows malware built using LLM-generated code. It is the kind of mistake that well-resourced state teams rarely make. In this case it gave WithSecure researchers an extended window to monitor and track GreyVibe activity across months of operations, an advantage they would not have had against a more careful adversary.
AI as a Force Multiplier for the Less Skilled
The mistake matters less than what surrounds it. GreyVibe used top-tier generative AI tools, including Ideogram AI, ChatGPT, and Google Gemini, across the full operational lifecycle, building fake websites, crafting phishing lures, developing custom malware, generating post-compromise tooling, writing obfuscation scripts, and creating loader infrastructure. The breadth of that usage is what distinguishes the group, not the quality of any single component.
Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, captured the dynamic precisely: “What sets GreyVibe apart is not raw technical skill, but operational ambition powered by AI. The group uses generative AI to punch above its weight, accelerating development, filling capability gaps, and generating a largely fresh operational profile that complicates tracking and attribution. It’s a preview of how lower-sophistication actors will increasingly operate.”
That last sentence deserves attention. GreyVibe is not an anomaly. It is an early and visible version of a pattern that is going to become significantly more common: actors with modest native capability using AI tooling to run campaigns that would previously have required substantially more resources and expertise.
How the Campaigns Actually Worked
The delivery infrastructure GreyVibe built reflects the same AI-assisted approach. At least six distinct spear-phishing campaigns directed victims to ZIP or RAR archives hosted on legitimate third-party file-sharing services, including Google Drive and 4sync. Opening those archives launched a decoy file designed to hold the victim’s attention while a PhantomRelay infection chain ran silently in the background on Windows systems.
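The decoy-plus-hidden-payload archive is a delivery pattern that lends itself to a simple triage check at the mail gateway or on an analyst's workstation. The following is an added example, not code from WithSecure or from the GreyVibe report, and it assumes nothing about the real archive layout: the extension classes, the heuristics (executable content bundled with a document-type decoy, double extensions, whitespace-padded names, path traversal) and the two sample archives are all constructed here for illustration. It handles ZIP only, since Python's standard library has no RAR reader.

```python
import io
import re
import zipfile

# Extension classes used by the heuristic. These lists are an assumption made
# for this example; the WithSecure report does not publish the archive layout.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "dll", "scr", "lnk", "js", "vbs", "bat", "cmd", "ps1", "hta", "iso", "img"}


def entry_extensions(name: str) -> list:
    """Return every extension in the file name, e.g. 'a.pdf.exe' -> ['pdf', 'exe'].

    Whitespace around each part is stripped so padded names such as
    'report.pdf          .exe' still expose both extensions.
    """
    base = name.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    parts = [p.strip() for p in base.lower().split(".")]
    return parts[1:] if len(parts) > 1 else []


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP blob and flag the decoy-plus-payload pattern.

    Heuristics (all assumptions for this example):
      * an executable-type entry sitting next to a document-type decoy
      * double extensions such as report.pdf.exe
      * whitespace padding used to push the real extension off screen
      * path traversal in entry names
    Returns {"suspicious": bool, "findings": [str, ...]}.
    """
    findings = []
    has_doc = False
    has_exec = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = entry_extensions(name)
            last = exts[-1] if exts else ""
            if last in EXEC_EXTS:
                has_exec = True
                findings.append(f"executable content: {name}")
            elif last in DOC_EXTS:
                has_doc = True
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
                findings.append(f"double extension: {name}")
            if re.search(r"\s{5,}\.", name):
                findings.append(f"padded file name: {name}")
            if ".." in name.replace("\\", "/").split("/") or name.startswith("/"):
                findings.append(f"path traversal: {name}")
    if has_doc and has_exec:
        findings.append("decoy document bundled with executable payload")
    return {"suspicious": bool(findings), "findings": findings}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples for this example; these are not real GreyVibe artifacts.
SUSPICIOUS_ZIP = build_zip({
    "Order_2025.pdf": b"%PDF-1.4\n% decoy shown to the victim\n",
    "Order_2025.pdf" + " " * 40 + ".exe": b"MZ\x90\x00 stand-in payload bytes",
})
BENIGN_ZIP = build_zip({
    "photos/a.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
    "notes.txt": b"plain text",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_archive(blob))
```

The check deliberately looks at names rather than contents, because the lure in this pattern is the file listing the victim sees; a content-based scanner (magic bytes, LNK parsing, script detection) belongs alongside it, not instead of it.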
A separate campaign, which WithSecure designated PrincessClub, used a different social engineering surface entirely. Fake adult-club websites served as the delivery vehicle for Fallspy on Android and either PhantomRelay or LegionRelay on Windows. Victims were directed to those sites through fake female personas operating across Telegram and dating platforms, a human-element lure that required the kind of fabricated identity infrastructure that generative AI makes considerably easier to build and maintain at scale.
The AI-generated operational profile carries an additional consequence beyond capability augmentation. It reduces what researchers call historical backlinks, the traceable connections between current activity and prior campaigns that allow attribution over time. Whether GreyVibe has operated previously under a different name tracked by other researchers remains an open question. WithSecure found no evidence linking the group to prior documented activity, but the absence of those links may itself be a product of how the group was built.
A Possible Connection Worth Watching
One technical thread runs in a different direction. WithSecure detected the use of a unique ISO builder with potential links to the TrickBot ecosystem and UAC-0098, an activity cluster believed to involve former TrickBot members previously observed targeting Ukraine. That connection, if it holds, situates GreyVibe within a longer history of financially motivated cybercrime infrastructure being redirected toward politically aligned targets, a pattern that has appeared repeatedly in the Russia-Ukraine conflict context.
What Comes Next
GreyVibe remains active. Its members remain unidentified. And its AI capabilities, already broader than most threat actors of comparable technical sophistication, are likely to deepen. WithSecure’s assessment is direct: “Given this extensive use, we expect the group’s tradecraft to continue evolving and diversifying, likely increasing the complexity of continuous detection, tracking, and attribution.”
The question of geographic and target scope remains open. A group this tightly focused on Ukraine, with apparent alignment to Russian state interests, could extend its reach as geopolitical pressures shift. Whether the current targeting discipline holds or whether GreyVibe eventually moves toward a broader set of adversaries is something the security community will be watching as the group’s AI capabilities continue to mature.
Research and Intelligence Sources: WithSecure, Securityweek