
GREYVIBE has been linked to ongoing attacks against Ukraine and Ukraine-related organizations since at least August 2025. The group is assessed as Russian-speaking and operating in the Russian time zone, with activity aligned to Kremlin state interests and intelligence gathering during the Russo-Ukrainian war. Multiple delivery methods are used, including spear-phishing emails, fake captcha pages, and fraudulent Ukrainian adult club websites that lead to malware. Victims include military, government, civilian, and business entities. Some members are believed to have current or former ties to the broader Russian cybercrime ecosystem. Evidence indicates use of generative AI and large language models to enhance operations, while the group is characterized as low-to-moderately sophisticated and prone to operational security mistakes. Observed attack chains include PhantomMail and PhantomRelay.
"GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war."
"“The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims,” WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. “Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware.”"
"In addition, there is evidence indicating that the adversary is relying on generative artificial intelligence (GenAI) and large language models (LLMs) to supercharge its operations. Taken together, WithSecure paints the picture of a “low-to-moderately sophisticated group” that suffers from operational security blunders and employs AI-assisted tooling to augment its malware development efforts."
"PhantomMail, which uses spear-phishing emails to distribute links pointing to malicious ZIP or RAR archives hosted on Google Drive and 4sync that contain JavaScript-based loaders to launch a decoy document, and PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShel"
#ukraine-focused-cyberattacks #russian-speaking-threat-actor #phishing-and-social-engineering #malware-delivery-and-rats #genaillm-assisted-operations
Read at The Hacker News