WithSecure published research on May 28 attributing a sustained, year-long espionage campaign against Ukraine to a previously undocumented threat group it tracks as GREYVIBE. The group is not especially good at its job — WithSecure rates it “low-to-moderately sophisticated” and repeatedly caught it making basic operational-security mistakes — but it is persistent, aligned with Russian state intelligence interests, and notable for one thing infrastructure defenders should care about: it appears to run generative AI through nearly every phase of its operation, from lure artwork to full-stack malware development.
If you do not defend Ukrainian military, government, or critical-infrastructure targets, GREYVIBE itself is probably not in your threat model. The tradecraft is the story. Almost everything this group does is reproducible by any mid-tier actor with an LLM subscription, and the delivery techniques — ClickFix fake-CAPTCHA pages, PowerShell RATs over WebSockets and REST, consumer file-sharing abused for staging — are already industry-wide.
What GREYVIBE is doing
Active since at least August 2025, GREYVIBE runs several parallel attack chains, all built on the same decoy-and-payload pattern:
- PhantomMail — spear-phishing emails linking to ZIP/RAR archives on Google Drive and 4sync. The archives carry PyInstaller- or JavaScript-based loaders that launch a decoy PDF while kicking off the PhantomRelay chain. Lures have impersonated Ukrainian government bodies and an energy company.
- PhantomClick — ClickFix-style fake CAPTCHA pages on domains spoofing Zoom and the Latvian NGO LAPAS, instructing victims (in Ukrainian) to paste and run a command under a fake Cloudflare “security verification” pretext.
- PrincessClub — fake Ukrainian adult-club sites delivering FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows, fronted by fake female personas on Telegram. Later versions added a WebRTC live-call feature that captured victim audio and video, turning a static lure into a HUMINT collection tool. Confirmed victims include Ukrainian combatants around Kharkiv.
- DroneLink — sites posing as charities funding FPV drones and UAVs for the Armed Forces of Ukraine, dropping WireGuard and LegionRelay.
- Nebo — a FallSpy build mimicking a Russian-language military login terminal (“SPO NEBO”), likely meant to deceive Ukrainian personnel into thinking they had reached a Russian system.
The toolkit
The malware is custom but deliberately lightweight:
- PhantomRelay — a PowerShell RAT that beacons over WebSockets and is extended through operator-pushed PowerShell scripts. WithSecure tracks three variants and found the base variant (PhantomRelayLite) reused across unrelated cybercrime clusters, including a Microsoft Teams voice-phishing set and a KongTuke ClickFix chain.
- LegionRelay — a PowerShell RAT that talks to its C2 over REST. Operators used it for file enumeration and exfiltration, screenshots, browser-data theft, Telegram/WhatsApp data theft, and RDP setup. AI-introduced design flaws in LegionRelay exposed part of its backend — which is how WithSecure gained months of visibility into the group’s operations.
- FallSpy — Android spyware that harvests contacts, call logs, installed apps, SIM-linked numbers, location, Wi-Fi SSID, public IP, and media.
- A rotating set of custom obfuscators and loaders: LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
AI is the operational backbone
The reason this report matters beyond Ukraine: WithSecure found “strong evidence” of systematic GenAI use across the entire lifecycle — Ideogram AI, OpenAI ChatGPT, and Google Gemini used for lure imagery and lure-site development, obfuscator and loader scripts, full-stack development of LegionRelay, backend setup, and post-compromise commands. The payoff for the attacker is bridging skill gaps, faster development tempo, and fewer reusable artifacts for defenders to fingerprint.
WithSecure notes that if an actor can “frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time.” That cuts both ways — the AI sloppiness that shipped a RAT with an exposed backend is the kind of bug that hands researchers a way in. But the trajectory is clear: AI lowers the bar for a persistent, multi-chain operation to the point where attribution-by-tooling degrades.
Attribution lives in the gray zone
WithSecure assesses with high confidence that GREYVIBE aligns with Russian state interests, with operators Russian-speaking and working Moscow hours (UTC+3). But it also found cybercrime fingerprints: a suspected ISO builder tied to the TrickBot/UAC-0098 ecosystem, malware reuse across criminal clusters, test samples uploaded to VirusTotal, slang artifact names (“letsrollboyos,” “cuteuwu”), and an XMRig miner on a few hosts. The group sits between state-directed espionage and commodity crime — and blurring that line is the entire point.
What to do right now
- Treat ClickFix / fake-CAPTCHA “paste this command” prompts as a primary initial-access vector. The correct response to “verify you are human by running this in PowerShell or the Run box” is always no.
- Constrain and log PowerShell: enable script-block and module logging, and alert when powershell.exe spawns from a browser, an archive utility, mshta, or wscript.
- Watch for outbound WebSocket and REST C2 and for staging pulls from Google Drive or 4sync in environments that have no legitimate reason to touch them.
- Pull GREYVIBE’s indicators of compromise and YARA rules from WithSecure’s GitHub and sweep your estate.
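The process-lineage alert from the PowerShell bullet above, written out as an added example (not WithSecure's code or detection content): a Python check over constructed Sysmon-style process-creation records that flags powershell.exe or pwsh.exe launched by a browser, an archive utility, mshta, or wscript. The parent-image lists and the field names (Image, ParentImage, EventRecordID) are assumptions about a typical Sysmon Event ID 1 configuration.

```python
"""Flag PowerShell launched from parents that should not spawn it.

Records mimic Sysmon Event ID 1 (process creation) fields; the sample
events below are constructed for this example, not real telemetry.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Parent images that should not normally launch PowerShell on a workstation
# (assumed lists; extend for the browsers and archivers in your estate).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
ARCHIVERS = {"7zfm.exe", "7zg.exe", "winrar.exe", "winzip64.exe", "winzip32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert label for one process-creation event, or None."""
    if _basename(event.get("Image", "")) not in POWERSHELL:
        return None  # only PowerShell children are in scope for this rule
    parent = _basename(event.get("ParentImage", ""))
    if parent in BROWSERS:
        return "powershell_from_browser"
    if parent in ARCHIVERS:
        return "powershell_from_archiver"
    if parent in SCRIPT_HOSTS:
        return "powershell_from_" + parent[:-4]  # e.g. powershell_from_mshta
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run classify() over a stream of events; return (record id, label) hits."""
    return [(e["EventRecordID"], label) for e in events if (label := classify(e))]


# Constructed sample events: 1 and 3 should alert, 2 and 4 should not.
SAMPLE_EVENTS = [
    {"EventRecordID": "1", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventRecordID": "2", "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"EventRecordID": "3", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventRecordID": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for record_id, label in scan(SAMPLE_EVENTS):
        print(record_id, label)
```

A command pasted into the Run box shows explorer.exe as the parent, which this rule deliberately does not alert on because that lineage is common on any workstation; that gap is why the bullet pairs the parent-process alert with script-block logging.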