
May 31, 2026 · 7 min read

GreyVibe Used ChatGPT to Phish Ukraine for 9 Months

WithSecure researchers publicly named the Russian-speaking GreyVibe cluster on May 28, 2026 after tracking it since January. The operation has run five parallel attack chains—spear phishing, fake CAPTCHA pages, fraudulent dating sites, a fake FPV drone charity, and a counterfeit Russian military comms portal—against Ukrainian military, government, civilian, and business targets since August 2025.

For nine months, a previously undocumented threat cluster has been running a five-pronged espionage campaign against Ukraine and Ukrainian diaspora targets, and almost every part of the operation—from the spear phishing copy to the Android spyware code to the cover websites—was assembled with the help of consumer AI tools. WithSecure named the group GreyVibe in a report published May 28, 2026. The C2 infrastructure runs on Moscow time. The malware panels are in Russian. And the lures are written in the kind of plausible Ukrainian a non-native speaker only gets by asking a language model.

Key Takeaways

  • WithSecure publicly named the GreyVibe cluster on May 28, 2026, after tracking the campaign since January. The group has been active since at least August 2025.
  • GreyVibe runs five parallel attack chains: PhantomMail (spear phishing), PhantomClick (fake CAPTCHA pages mimicking Zoom and LAPAS), PrincessClub (fraudulent Ukrainian adult-themed sites), DroneLink (fake FPV drone military charities), and Nebo (counterfeit Russian military communications portals targeting Ukrainian personnel).
  • The custom malware set includes LegionRelay and PhantomRelay (PowerShell RATs with credential theft, screen capture, and RDP), FallSpy (Android spyware that pulls contacts, call logs, location, and media), and four custom obfuscators: LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
  • The operation used OpenAI's ChatGPT, Google's Gemini, and Ideogram AI across "almost every stage" of its operations—from drafting phishing emails to generating cover-site imagery to assisting with malware development.
  • Attribution to Russia rests on C2 timestamps set to UTC+3 (Moscow time), Russian-language code comments and operator panels, and victimology aligned with Kremlin intelligence priorities. The researchers caution that GreyVibe's tradecraft sits below mature nation-state standards, which points to possibly current or former cybercriminals.

Who Is GreyVibe?

GreyVibe is the cluster name WithSecure gave a previously undocumented threat actor that has been targeting Ukraine since August 2025. Per BleepingComputer's reporting on the WithSecure findings, the victimology spans Ukrainian military units, government ministries, civil society organizations, and Ukrainian businesses. The operators are assessed as Russian speakers operating in the Moscow time zone.

WithSecure stops short of calling the group a state actor. The tradecraft has gaps a mature service would not tolerate: reused infrastructure, sloppy operational security on the C2 panels, and a willingness to lean on commercial AI tools where a nation-state team would use in-house alternatives. The honest read is that GreyVibe is a contractor to a Russian service, a criminal crew aligned with Kremlin objectives, or both at once.

What Are the Five Attack Chains?

Each chain targets a different victim segment:

  • PhantomMail — Traditional spear phishing. Emails carry a Google Drive or 4sync link to a malicious ZIP or RAR. The archive drops PhantomRelay or LegionRelay onto a Ukrainian government workstation.
  • PhantomClick — ClickFix-style fake CAPTCHA pages hosted on lookalike domains. The campaign clones the Zoom join flow and the LAPAS Ukrainian state services portal. "Solving" the CAPTCHA runs a PowerShell command on the victim's machine.
  • PrincessClub — Fraudulent Ukrainian adult-themed websites. The malicious download is gated behind an "age verification" step that drops FallSpy on Android and a relay on Windows. The targeting suggests off-duty and intelligence personnel browsing on personal devices.
  • DroneLink — Fake Ukrainian military charity sites themed around FPV drones, asking for donations. The donation flow plants malware and harvests credentials from supporters and procurement officers alike.
  • Nebo — Counterfeit Russian military communications portals aimed at Ukrainian personnel who might be persuaded to log in: deserters, intelligence targets, double agents.

The five chains are not redundant. They are segmented by victim profile, which is a hallmark of campaigns built around a fixed intelligence brief rather than opportunistic crime.

What Does the Custom Malware Do?

Two RATs do the heavy lifting on Windows. LegionRelay is a PowerShell remote access trojan that pulls files, takes screenshots, harvests credentials from browsers and Outlook, and opens RDP sessions back to the C2. PhantomRelay is a sibling PowerShell RAT that adds dynamic script execution: the operator pushes new logic into the implant without redeploying it. Both are written in PowerShell because PowerShell needs no compilation, does not sit on disk for long, and survives most off-the-shelf endpoint controls long enough to do its work.

FallSpy is the Android side of the operation. It collects the standard mobile spyware corpus: full contact list, SMS history, call logs, GPS location, microphone, and any media in the gallery. The PrincessClub and DroneLink chains both push FallSpy as the payload.

Surrounding all of this are four custom obfuscators—LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP—used to make each new build look different to signature-based detection. WithSecure released YARA rules for the families alongside the writeup.

How Did GreyVibe Use ChatGPT and Gemini?

Per The Register's coverage, the WithSecure researchers found AI-tool fingerprints across "almost every stage" of the operation. Three signals stood out:

  1. Lure writing. The Ukrainian-language phishing emails are too consistent in idiom for a Russian-native author. Variations across spear phishing waves match the patterns that show up when an attacker iterates a prompt to "rewrite this in a different tone."
  2. Cover site imagery. The fake FPV drone charity (DroneLink) and the counterfeit Russian portals (Nebo) used original imagery that matches the visual signature of Ideogram AI, with characteristic compositional and lighting artifacts.
  3. Malware scaffolding. Boilerplate sections of the PowerShell RAT code—argument parsing, error handling, common WinAPI calls—match the patterns commercial assistants emit when asked to generate similar utility code. The unique logic is hand-written; the glue is not.

This is the third campaign in 60 days in which a state-aligned group has been caught using consumer LLMs as force multipliers. Together with the earlier coverage of Belarus's GhostWriter using geofenced PDFs against Ukraine and of the bandcampro Gemini key theft for crypto fraud, it forms a clear pattern: AI assistance lowers the bar enough that a mid-tier crew can put on a credible nation-state mask.

Who Is Most at Risk?

Three groups, in roughly this order:

  • Ukrainian military and government personnel using personal email or messaging on personal devices.
  • Diaspora Ukrainians—aid workers, journalists, NGO staff—whose contacts inside Ukraine make them intelligence-rich pivot targets.
  • Western suppliers and donors to Ukrainian defense and reconstruction efforts. The DroneLink chain is explicitly designed to harvest donor and procurement officer credentials.

Defenders should treat any inbound email referencing FPV drones, Ukrainian military charities, Zoom join links or lapas.gov.ua look-alikes, or Russian-side communication portals with the highest suspicion. WithSecure has published indicators of compromise; security teams covering Ukraine-adjacent organizations should pull the YARA rules and the C2 IP set into their detection stack today.
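As an added example (not code from WithSecure or from the original article), the following Python triage heuristic scores an inbound message against the lure patterns described on this page: the named themes, look-alikes of lapas.gov.ua and zoom.us, and archive links delivered through Google Drive or 4sync. The term list, the look-alike threshold, and the sample message are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Lure themes taken from the chains summarised above; the mixed-language
# stems are a constructed list so the check also fires on Ukrainian lures.
THEME_TERMS = ("fpv", "drone", "дрон", "charity", "donat", "збір",
               "zoom", "lapas", "captcha")
# Brands the PhantomClick chain clones; their real subdomains are legitimate.
PROTECTED_HOSTS = ("lapas.gov.ua", "zoom.us")
# File-sharing hosts the PhantomMail chain delivers archives through.
FILE_SHARE_HOSTS = ("drive.google.com", "4sync.com")
ARCHIVE_EXT = (".zip", ".rar")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def under(host, parent):
    """True if host is parent itself or a subdomain of parent."""
    return host == parent or host.endswith("." + parent)

def is_lookalike(host):
    """Assumed heuristic: the brand label embedded in a foreign host, or a
    host that is a near-edit of the real one (e.g. lapas.g0v.ua)."""
    host = host.lower()
    for real in PROTECTED_HOSTS:
        if under(host, real):
            return False
        brand = real.split(".")[0]
        if brand in host or SequenceMatcher(None, host, real).ratio() >= 0.8:
            return True
    return False

def triage_email(subject, body):
    """Return the list of reasons an inbound message deserves a second look."""
    reasons = []
    text = f"{subject}\n{body}".lower()
    hits = [t for t in THEME_TERMS if t in text]
    if hits:
        reasons.append("lure theme: " + ", ".join(hits))
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if is_lookalike(host):
            reasons.append(f"lookalike domain: {host}")
        if any(under(host, h) for h in FILE_SHARE_HOSTS):
            reasons.append(f"file-share link: {host}")
        if parsed.path.lower().endswith(ARCHIVE_EXT):
            reasons.append(f"archive download: {url}")
    return reasons

if __name__ == "__main__":
    # Constructed sample mirroring the DroneLink / PhantomMail pattern.
    print(triage_email("FPV drone charity: support the unit",
                       "Report here: https://drive.google.com/file/d/abc123/view"))
```

Theme hits alone are noisy (every real Zoom invite matches), so treat them as one input to a score rather than a verdict; the look-alike and archive-link signals are the ones worth alerting on.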

For anyone working with Ukrainian contacts via email, the operational baseline is the same one journalists have used for years: assume the lure will look perfect, assume the sender will look like someone you trust, and never open an attachment without confirming through a second channel. The tracking pixels in marketing-style phishing—the ones that confirm to the attacker that your inbox is alive and being read—are exactly what Gblock strips before they fire, denying GreyVibe-style operators the open-rate telemetry they use to tune their next wave.

What Happens Next?

GreyVibe will not stop. Public attribution typically forces an infrastructure rebuild but rarely ends a campaign of this size, especially one with a clear intelligence sponsor on the Russian side. Expect the next wave to use new domains, fresh certificates, and slightly different malware family names within four to six weeks.

The bigger question is whether OpenAI, Google, and Ideogram tighten policy enforcement on the kinds of prompts GreyVibe was using to generate Ukrainian-language, military-themed content. The recurring pattern is becoming hard to defend: consumer AI tools are now part of the targeting pipeline for state-aligned espionage, and "we have a policy against that" is not the same thing as a control that fires when the policy is violated.
