Russia-linked GREYVIBE group uses ChatGPT and Gemini throughout attacks on Ukrainian targets, researchers find

A Russia-linked hacking group used ChatGPT and Google Gemini to build malware, write phishing emails, and set up fake websites targeting Ukraine. Despite the AI assist, operators left sloppy artifacts that let researchers monitor them for months.

Published on: May 30, 2026

Russia-linked hackers use AI tools across entire espionage campaign against Ukraine

A Russian cyber espionage group has systematically used OpenAI's ChatGPT, Google's Gemini, and other AI tools to build malware, create fake websites, and craft phishing emails targeting Ukrainian military and government organizations. WithSecure researchers identified the group, tracked as GREYVIBE, operating from the Moscow time zone since at least August 2025.

The group's operations span military, government, civilian, and business targets aligned with Russian intelligence priorities. GREYVIBE deployed spear-phishing emails, counterfeit CAPTCHA pages, and bogus Ukrainian adult club websites to trick victims into installing malware.

AI embedded throughout operations

What distinguished GREYVIBE was the breadth of its AI use. WithSecure found "strong evidence" the group relied on generative AI across lure development, malware creation, infrastructure setup, code obfuscation, and post-compromise activity.

The integration appeared deliberate rather than experimental. Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure, said the group used AI "not only for isolated development tasks, but across multiple operational phases."

This approach likely allowed GREYVIBE to fill capability gaps, accelerate development timelines, and reduce connections to prior activity.

Operational mistakes undermined the campaign

Despite sophisticated AI tooling, GREYVIBE made repeated security errors. Operators uploaded malware to public services and left development artifacts with names like "letsrollboyos," "totallyunsus," and "cuteuwu."

Design flaws in the group's LegionRelay malware, suspected to have been developed with LLM assistance, exposed backend infrastructure. Researchers used those flaws to monitor the group's activity over an extended period.

The campaign suggests AI tools are making existing criminal operators faster and more productive rather than creating a new class of elite cyber attackers. GREYVIBE demonstrates that access to advanced AI doesn't guarantee operational security or technical sophistication.

What this means for government defenders

For government cybersecurity teams, the GREYVIBE campaign shows how threat actors integrate AI into attack workflows. Understanding these tactics requires familiarity with how generative AI and LLMs function and where they create vulnerabilities.

Security professionals defending against AI-enabled threats benefit from specialized training. An AI learning path for cybersecurity analysts covers how threat actors use these tools for malware development, infrastructure setup, and attack operations, critical knowledge for detecting and responding to campaigns like GREYVIBE's.

