A threat group known as GreyVibe has been targeting Ukrainian and Ukraine-related organizations using AI-generated lures and custom malware tools, according to cybersecurity researchers at WithSecure.
The campaign, active since at least August 2025, has targeted military, government, civilian, and business sectors through phishing emails, fake websites, and deceptive online services. Researchers believe the group is Russian-speaking based on malware code comments, language settings, and server configurations.
GreyVibe used several different attack methods to target victims. In the PhantomMail campaign, the group sent phishing emails containing malicious files disguised as documents from Ukrainian government agencies, emergency services, telecom providers, and energy companies.
In the PhantomClick campaign, victims were directed to fake Zoom and LAPAS websites that displayed bogus verification prompts, tricking users into running malicious commands on their own devices.
The PrincessClub operation used fake Ukrainian dating and adult websites that distributed FallSpy Android spyware, as well as PhantomRelay and LegionRelay malware for Windows systems. The attackers also used fake female Telegram profiles and offered live video calls that could capture victims' audio and video.
In the DroneLink campaign, GreyVibe created fake military charity websites focused on FPV drones and UAVs to lure targets. Another campaign, called Nebo, used fake Russian military communications login pages to convince Ukrainian military personnel that they were accessing a legitimate Russian military system.
GreyVibe used AI tools such as ChatGPT, Google Gemini, and Ideogram AI to create convincing phishing content and fake websites. The group also appears to have used AI assistance to develop malware and software obfuscation tools.
Despite the scale of the operation, WithSecure said GreyVibe does not display the level of sophistication normally seen in established nation-state hacking groups. Researchers found evidence linking some of its tools and methods to former cybercriminal activity, suggesting the group may include current or former cybercriminals working together or in support of state interests.
The exact relationship between GreyVibe and Russian state actors remains unclear, but researchers say the campaign closely aligns with Russian strategic interests in Ukraine.