
GreyVibe hackers use ChatGPT, Gemini to power cyberattacks

Published:

28 May 2026 at 22:24:49

Alert date:

28 May 2026 at 23:02:47

Source:

bleepingcomputer.com


Ransomware & Malware, Data Breach & Exfiltration, Emerging Technologies

The Russian threat cluster GreyVibe is conducting cyberattacks against Ukrainian entities using lures generated with ChatGPT and Gemini. The campaign relies on a toolkit of custom malware. This represents an evolution in threat actor tactics, combining artificial intelligence capabilities with traditional cyber espionage methods. The targeting of Ukrainian infrastructure and organizations points to state-sponsored or state-aligned activity. The use of AI to generate attack content illustrates the growing intersection of artificial intelligence and cybersecurity threats.

Technical details

GreyVibe is a likely Russian threat group that uses AI-generated lures and custom malware tools against the military, government, civilian, and business sectors, particularly Ukrainian organizations. The group operates multiple attack chains: PhantomMail (spear-phishing with malicious ZIP/RAR archives), PhantomClick (fake CAPTCHA/ClickFix pages), PrincessClub (fake dating websites delivering the FallSpy Android spyware), DroneLink (fake military charity websites), and Nebo (fake Russian military login pages). It uses AI tools including ChatGPT, Ideogram AI, and Google Gemini to create realistic content and to develop custom obfuscators (LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP). Its main malware consists of the LegionRelay PowerShell RAT, with file theft and credential stealing capabilities; the PhantomRelay PowerShell RAT, used for system fingerprinting and command execution; and the FallSpy Android spyware, used for intelligence collection.

Mitigation steps:

Organizations can set up defenses against GreyVibe's malicious activity by using the indicators of compromise (IoCs) that WithSecure has published in its GitHub repository (see the IoCs section below).

Affected products:

Windows
Android
PowerShell
Telegram
WhatsApp
Google Drive
4sync
Zoom
LAPAS
Cloudflare

Related links:

Related CVEs:

Related threat actors:

IoCs:

Indicators of compromise available at github.com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
