GREYVIBE: Russian-Speaking Threat Actor Leverages AI in Persistent Attacks Against Ukraine
A newly identified threat actor, **GREYVIBE**, has been actively targeting Ukraine and related entities since at least August 2025. The group is believed to be Russian-speaking and is utilizing AI to enhance its malware development and operational capabilities, blurring the lines between cybercrime and state-affiliated activity.

**GREYVIBE**: A New Player in the Cyber Espionage Arena
According to a report by **WithSecure**, **GREYVIBE** is assessed to be a Russian-speaking group operating from a Russian time zone. Its activities align with Kremlin state interests, focusing specifically on intelligence gathering related to the ongoing Russo-Ukrainian war.
"The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake CAPTCHA pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," said **WithSecure** researcher Mohammad Kazem Hassan Nejad. He added that the group relies on custom-developed obfuscators, loaders, and malware.
The victimology spans military, government, civilian, and business-related organizations. Despite its nation-state-affiliated activities, **GREYVIBE** also shares ties to the broader Russian cybercrime ecosystem, with some members believed to be current or former cybercriminal actors.
AI-Assisted Operations
Evidence suggests that **GREYVIBE** is leveraging generative artificial intelligence (GenAI) and large language models (LLMs) to enhance its operations. **WithSecure** describes the group as "low-to-moderately sophisticated" but notes that AI-assisted tooling augments their malware development efforts.
Attack Chains in Use
**GREYVIBE** employs several attack chains, including:
* **PhantomMail**: Spear-phishing emails delivering malicious ZIP or RAR archives hosted on Google Drive and 4sync. The archives contain JavaScript-based loaders and a decoy document, and ultimately deliver PhantomRelay, a PowerShell-based remote access trojan (RAT).
* **PhantomClick**: Uses ClickFix-style fake CAPTCHA pages on bogus domains masquerading as Zoom and LAPAS to trick users into running commands that start a PhantomRelay infection chain.
* **PrincessClub**: Uses fake Ukrainian adult-club websites to deliver FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows. FallSpy is an Android spyware, while LegionRelay is a lightweight PowerShell-based RAT. Later iterations of the sites include a WebRTC-based live call feature to capture audio and video.
* **DroneLink**: Uses websites masquerading as charitable foundations supporting the Armed Forces of Ukraine to deliver WireGuard and LegionRelay.
* **Nebo**: Employs a FallSpy sample mimicking a Russian-language login screen, likely targeting Ukrainian military personnel.
AI's Role in Malware Development
The diversity of delivery vectors and tools likely stems from the group's use of AI platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini: to generate images, and to develop LegionRelay along with its obfuscation and loader scripts, backend infrastructure, and post-compromise commands.
According to **WithSecure**, AI usage offers several advantages:
* Bridging gaps in technical expertise
* Accelerating the development lifecycle
* Reducing reliance on previously known malware or tools

Challenges in Attribution
"If an actor can frequently generate, refactor, or replace components of its operational footprint with AI assistance, traditional clustering methods based on stable technical artifacts may become less reliable over time," Nejad stated.
However, AI use has also introduced design flaws into LegionRelay that exposed its backend functionality, which suggests **GREYVIBE** may not be a purely state-sponsored actor.
Cybercriminal Connections
The group's ties to the cybercriminal ecosystem are based on factors such as:
* Possible access to an ISO builder with suspected links to the **TrickBot** gang and UAC-0098.
* PhantomRelay variants appearing in seemingly unrelated cybercrime activity clusters, including a **Microsoft** Teams voice phishing campaign and a KongTuke delivery chain using ClickFix.
* Upload of early development samples to VirusTotal.
* Use of internet slang terms in naming conventions.
* Deployment of the XMRig cryptocurrency miner on infected machines.
**WithSecure** assesses with moderate confidence that the group has ties to the broader cybercrime ecosystem, and with low-to-moderate confidence that it includes current or former cybercriminal members. The exact nature of its relationship to the Russian state remains unclear.
"The group occupies a grey area between cybercrime and state-affiliated activity, complicating attribution efforts and blurring traditional distinctions between these categories."