GreyVibe: How AI-Powered Malware Is Fueling a New Wave of Russian-Linked Espionage

WithSecure connected five distinct campaigns to GreyVibe by tracing shared infrastructure, malware, and operational patterns. Each campaign targets a specific vulnerability, from the inbox to the smartphone.

• PhantomMail: This spear-phishing campaign impersonates Ukrainian government and energy agencies. Victims receive emails with links to ZIP or RAR archives hosted on Google Drive or 4sync. Opening the file deploys the PhantomRelay infection chain while a decoy—such as a fake official PDF or an error message—masks the attack .
• PhantomClick: An evolution of the phishing playbook, this campaign uses a ClickFix technique. Victims are lured into running malicious PowerShell commands themselves through fake CAPTCHA prompts or Cloudflare security checks after clicking a link from a deceptive PDF, which might actually join a real Zoom meeting to avoid suspicion .
• PrincessClub: This operation targets individuals for mobile surveillance. Operators impersonate contacts on Telegram and direct victims to fake adult-content sites that deliver FallSpy Android spyware .
• DroneLink: A campaign specifically tailored to espionage against Ukrainian defense entities, using drone and military-themed lures to compromise networks .
• Nebo: Running concurrently from August 2025 onward, this campaign also distributes the FallSpy spyware but uses a distinct set of custom loaders .

A Toolkit Forged by Both Humans and Machines

GreyVibe’s effectiveness stems from a custom-made malware suite, parts of which WithSecure assesses with moderate confidence were built with significant assistance from LLMs like ChatGPT and Gemini. The design flaws introduced by this AI-assisted development proved to be a fatal operational error, granting researchers months of visibility into the group's activity .

• PhantomRelay: A Windows Remote Access Trojan (RAT) and the primary initial-access payload, delivered through PyInstaller or JavaScript-based loaders .
• LegionRelay: A more versatile second-stage tool, this PowerShell-based RAT communicates with command-and-control (C2) servers over a REST API. Its capabilities include file enumeration and exfiltration, screenshot capture, theft of data from browsers, Telegram, and WhatsApp, and RDP access. Researchers identified crucial coding flaws in LegionRelay that they judge are a direct result of LLM-assisted development .
• FallSpy: An Android surveillance tool used in the PrincessClub and Nebo campaigns since August 2025. It harvests contacts, call logs, installed apps, SIM details, device information, Wi-Fi SSID, location, public IP, and media files .
• Rotating Obfuscators: The group rotated through custom loaders and obfuscators to evade detection, including LOOKVALPS (PowerShell), LOOKVALJS (JavaScript), DAYLIGHT (PowerShell, replacing LOOKVALPS from October 2025), and TEASOUP (JavaScript, replacing LOOKVALJS from March 2026) .

State Actor, Cybercriminals, or a Hybrid? The Attribution Puzzle

While GreyVibe’s activities clearly serve Russian state interests, the group’s identity is not a simple state-actor attribution. WithSecure’s analysis points to a more complex and hybrid affiliation.

Researchers have high confidence that GreyVibe’s operations align with Russian intelligence-gathering objectives in the Ukraine conflict, based on victimology (military, government, and critical infrastructure targets) and observed actions on objectives . They are equally confident the operators are Russian-speaking and work in the Moscow time zone (UTC+3), based on code comments, admin panel language settings, and analysis of their working hours .

However, there is lower confidence regarding the group being a pure nation-state APT. Several clues suggest strong ties to the cybercrime ecosystem. PhantomRelay variants have appeared in unrelated cybercrime clusters, and the group used a unique ISO builder potentially linked to the infamous TrickBot ecosystem. Other indicators include operators uploading development samples to VirusTotal, using internet slang for naming conventions (like "letsrollboyos" and "cuteuwu"), and deploying an XMRig cryptocurrency miner on some LegionRelay-infected machines .

WithSecure assesses with moderate confidence that GreyVibe has connections to the broader criminal underground, but the exact nature of the relationship—whether absorbed state hackers, contracted affiliates, or a hybrid team—remains unclear. The assessment does note, however, that there is historical precedent for Russian intelligence co-opting cybercriminal groups for state-aligned work . In sum, GreyVibe appears to be a low-to-moderately sophisticated group that, through its aggressive weaponization of AI, "punches above its weight" with lethal operational effect .