Perceptive Security
SOC/SIEM Consultancy

New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
Published:
29 May 2026 at 11:31:59
Alert date:
29 May 2026 at 13:02:21
Source:
thehackernews.com
Ransomware & Malware, Data Breach & Exfiltration, Mobile & IoT, Email & Messaging, Emerging Technologies
A previously undocumented Russian-linked threat actor called GREYVIBE has been conducting persistent cyberattacks against Ukraine and Ukraine-related entities since at least August 2025. The group is assessed to be Russian-speaking, operating in the Russian time zone, with activities that align with Kremlin state interests. WithSecure has attributed these ongoing attacks to GREYVIBE, marking it as a new threat actor in the Russian cyber operations landscape targeting Ukrainian infrastructure and entities.
Technical details
GREYVIBE uses multiple attack vectors including spear-phishing emails, fake CAPTCHA pages, and fraudulent Ukrainian adult club websites. The group employs five main attack chains: PhantomMail (spear-phishing with JavaScript loaders and PhantomRelay RAT), PhantomClick (ClickFix-style fake CAPTCHAs), PrincessClub (fake adult sites delivering FallSpy Android spyware and PhantomRelayV1/LegionRelay), DroneLink (fake charity websites), and Nebo (FallSpy mimicking Russian military terminals). The group uses AI platforms including Ideogram AI, OpenAI ChatGPT, and Google Gemini for image generation, malware development, obfuscation, and infrastructure creation. Malware includes PhantomRelay (PowerShell RAT), LegionRelay (lightweight PowerShell RAT with file operations, screenshot capture, browser data theft, messaging app data exfiltration), and FallSpy (Android spyware).
Mitigation steps:
Implement enhanced email security measures to detect spear-phishing attempts
Educate users about fake CAPTCHA pages and malicious websites
Monitor for PowerShell-based malicious activity
Implement application whitelisting
Monitor for unauthorized RDP access setup
Scan for XMRig mining activity
Enhance mobile device security policies for Android devices
Traditional clustering methods based on technical artifacts may become less reliable due to AI-assisted malware generation.
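As an added example (not code from the article or from WithSecure), the following Python script applies four of the monitoring items above to constructed, Sysmon-style process-creation events: a hidden or encoded PowerShell spawned by explorer.exe, as a ClickFix paste into the Run dialog produces; a .js loader run by the Windows Script Host out of an archive extraction folder; XMRig command-line options; and Remote Desktop being switched on through the fDenyTSConnections registry value. The event tuple layout, paths and sample command lines are assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation events as (id, parent image, image, command line);
# illustrative values, not telemetry from the GREYVIBE campaign.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4A"),
    (2, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\ops\AppData\Local\Temp\Rar$DIa0.123\invoice.js"'),
    (3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\ops\AppData\Roaming\svc\xmrig.exe",
     "xmrig.exe -o stratum+tcp://pool.example:3333 --donate-level 1"),
    (4, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (5, r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "chrome.exe --profile-directory=Default"),
]
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def clickfix_run_dialog(parent, image, cmdline):
    # A ClickFix lure has the victim paste a command into Win+R, so the shell is a
    # child of explorer.exe and is typically launched hidden or with an encoded command.
    return (_base(parent) == "explorer.exe" and _base(image) in SCRIPT_HOSTS
            and re.search(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)", cmdline) is not None)

def archived_js_loader(parent, image, cmdline):
    # A .js loader from a ZIP/RAR archive runs via Windows Script Host out of a temp/download folder.
    return (_base(image) in ("wscript.exe", "cscript.exe")
            and re.search(r"(?i)\\(temp|downloads)\\.*\.jse?\b", cmdline) is not None)

def xmrig_miner(parent, image, cmdline):
    # XMRig's binary name, its stratum pool URL scheme or its --donate-level option on the command line.
    c = cmdline.lower()
    return "xmrig" in c or "stratum+tcp://" in c or "--donate-level" in c

def rdp_enabled(parent, image, cmdline):
    # reg.exe setting fDenyTSConnections to 0 turns Remote Desktop on.
    return (_base(image) == "reg.exe" and "fdenytsconnections" in cmdline.lower()
            and re.search(r"/d\s+0\b", cmdline) is not None)

RULES = [clickfix_run_dialog, archived_js_loader, xmrig_miner, rdp_enabled]

def scan(events):
    """Map each event id to the names of the rules it matched; events hitting no rule are omitted."""
    hits = {}
    for eid, parent, image, cmdline in events:
        matched = [rule.__name__ for rule in RULES if rule(parent, image, cmdline)]
        if matched:
            hits[eid] = matched
    return hits
```

Event 5 (an ordinary Chrome launch) is included so the rules can be checked against benign activity as well as the four suspicious events.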
Affected products:
Google Drive
4sync
Zoom
LAPAS
Android
Windows
WireGuard
Microsoft Teams
Chrome
Telegram
WhatsApp
RDP
Related links:
https://labs.withsecure.com/publications/greyvibe
https://thehackernews.com/2025/08/clickfix-malware-campaign-exploits.html
https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html
https://fieldeffect.com/blog/quick-you-need-assistance
https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html
https://www.nccgroup.com/research/rapid-breach-social-engineering-to-remote-access-in-300-seconds/
https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html
Related CVEs:
Related threat actors:
IOCs:
Naming conventions: letsrollboyos, totallyunsus, cuteuwu
XMRig miner deployment
Fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS
Fraudulent Ukrainian adult club websites
Fake charitable foundation websites supporting the Armed Forces of Ukraine
JavaScript-based loaders in ZIP/RAR archives
PowerShell-based remote access trojans
WebRTC-based live call features on lure sites
This article was created with the assistance of AI technology by Perceptive.
