Russia-linked threat group put ChatGPT to work from lure to payload
Researchers say 'GREYVIBE' crew used AI tools throughout a campaign targeting Ukrainian military and government
Carly Page
Published Fri 29 May 2026 // 12:49 UTC
Russia-linked cyber espionage crews appear to be using AI tools to help build malware, spin up infrastructure, and craft lures for attacks on Ukrainian targets.

Researchers at WithSecure say a previously undocumented threat group, tracked as "GREYVIBE," has been using OpenAI's ChatGPT, Google's Gemini, and Ideogram AI across almost every stage of its operations targeting Ukraine. The campaign has hit military, government, civilian, and business organizations since at least August 2025.

According to the report, GREYVIBE has used spear-phishing emails, fake CAPTCHA pages, and bogus Ukrainian adult club websites to lure victims into installing malware. The researchers linked the activity to Russian-speaking operators in the Moscow time zone who pursued targets aligned with Russian intelligence interests.
What caught the researchers' attention, however, was the extent to which AI appears to be embedded throughout the operation.
WithSecure said it found "strong evidence" that GREYVIBE systematically relied on AI tools for lure development, malware creation, infrastructure setup, obfuscation tooling, and post-compromise activity. The company said the group's use of AI appeared "operationally integrated rather than isolated or experimental."

"The group's extensive use of GenAI and LLMs is a notable aspect of its tradecraft," wrote Mohammad Kazem Hassan Nejad, senior threat intelligence researcher at WithSecure.
"GREYVIBE appears to use AI not only for isolated development tasks, but across multiple operational phases. This likely enables the group to compensate for capability gaps, accelerate development cycles, and potentially reduce historical backlinks to prior activity."

Despite all the AI tooling, GREYVIBE hardly comes across as a cyber espionage dream team. WithSecure says the operators repeatedly made operational security mistakes, uploaded malware to public services, and left behind development artefacts with names including "letsrollboyos," "totallyunsus," and "cuteuwu."

In one particularly unfortunate own goal, researchers say design flaws in GREYVIBE's LegionRelay malware, which they suspect was developed with LLM assistance, exposed parts of its backend infrastructure and allowed them to monitor activity over an extended period.

The report lands as security vendors continue arguing over whether AI will produce a new generation of elite cyber operators or simply make existing criminals faster and more productive. GREYVIBE looks a lot closer to the second category. ®