Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government
Russia-linked cyber espionage crews appear to be using AI tools to help build malware, spin up infrastructure, and craft lures for attacks on Ukrainian targets.
Researchers at WithSecure say a previously undocumented threat group, tracked as "GREYVIBE," has been using OpenAI's ChatGPT, Google's Gemini, and Ideogram AI across almost every stage of its operations targeting Ukraine. The campaign has hit military, government, civilian, and business organizations since at least August 2025.
According to the report, GREYVIBE has used spear-phishing emails, fake CAPTCHA pages, and bogus Ukrainian adult club websites to lure victims into installing malware. The researchers linked the activity to Russian-speaking operators in the Moscow time zone who pursued targets aligned with Russian intelligence interests.
What caught the researchers' attention, however, was the extent to which AI appears to be embedded throughout the operation.
WithSecure said it found "strong evidence" that GREYVIBE systematically relied on AI tools for lure development, malware creation, infrastructure setup, obfuscation tooling, and post-compromise activity. The company said the group's use of AI appeared "operationally integrated rather than isolated or experimental."
"The group's extensive use of GenAI and LLMs is a notable aspect of its tradecraft," wrote Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure.











