Наталя Хандусенко, Hot News
29 May 2026, 15:14
European cyber experts have discovered a new Russian hacker group, GREYVIBE, which is attacking Ukraine using AI
Cybersecurity analysts have identified a previously unknown Russian hacking group called GREYVIBE, which has been continuously attacking Ukraine for almost a year. Its activities align with the Kremlin's interests, particularly in the area of intelligence gathering on Ukraine in the context of the Russian-Ukrainian war.
The group used several attack vectors to deliver malware to various victims, including targeted phishing emails, fake captcha verification pages, and fake Ukrainian erotic club websites. In these campaigns, the group relied on tools of its own design: obfuscators, downloaders, and malware, The Hacker News reports, citing data from Finnish cybersecurity company WithSecure.
The group's victims include military, government, civilian, and commercial organizations. Despite operating in the interests of the Kremlin, GREYVIBE also has ties to the broader Russian cybercrime ecosystem through some of its members, who are believed to be current or former criminal hackers.
Additionally, there is evidence that the adversary is relying on generative AI and large language models to significantly enhance its operations. Taken together, WithSecure paints a picture of a “low to moderate complexity” group that makes serious operational security mistakes while simultaneously using AI tools to improve its malware development.
To carry out large-scale cyberattacks against Ukraine, the GREYVIBE group uses a wide arsenal of tools, significantly enhanced by the capabilities of generative AI (ChatGPT, Gemini, Ideogram AI). The hackers use various infection vectors, from targeted phishing (PhantomMail) and fake captcha pages disguised as Zoom (PhantomClick) to fake erotic club sites (PrincessClub), fake Ukrainian Armed Forces aid funds (DroneLink) and login windows disguised as Russian terminals (Nebo). Using these traps, the attackers infect victims' devices with spyware and remote access Trojans (FallSpy, LegionRelay, PhantomRelay), which allow them to secretly record audio and video, take screenshots, and steal confidential files, passwords from browsers, and correspondence in Telegram and WhatsApp.
The cybersecurity company notes that the use of AI provides GREYVIBE with a number of advantages, including bridging gaps in technical expertise, accelerating the development lifecycle, and reducing reliance on previously known malware or tools, making it more difficult to attribute cyberattacks later.