HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

GreyVibe Threat Group Leverages AI (ChatGPT, Gemini) for Sophisticated Phishing and Malware Campaigns Targeting Ukrainian Entities

GreyVibe, a Russian‑linked group, is using large language models to auto‑generate phishing lures and build custom PowerShell RATs. The campaign, active since August 2025, focuses on Ukrainian government, military and private‑sector targets, raising supply‑chain risk for vendors with ties to the region.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

GreyVibe Threat Group Leverages AI (ChatGPT, Gemini) for Sophisticated Phishing and Malware Campaigns Targeting Ukrainian Entities

What Happened – A Russian‑linked threat group identified as GreyVibe has been running a multi‑year cyber‑espionage operation that uses large language models (ChatGPT, Google Gemini, Ideogram AI) to auto‑generate convincing phishing lures and to assist in building custom PowerShell‑based RATs (LegionRelay, PhantomRelay). The campaign, active since August 2025, targets Ukrainian government, military, energy, telecom and private‑sector organizations through spear‑phishing, fake CAPTCHA pages, and counterfeit adult‑dating sites.

Why It Matters for TPRM

  • AI‑augmented lures dramatically increase the success rate of social‑engineering attacks against third‑party vendors and their supply‑chain partners.
  • Custom malware built with LLM assistance can evade traditional signature‑based defenses, raising the risk of data exfiltration from vendor environments.
  • The focus on Ukrainian entities signals a geopolitical motive that may spill over to allied organizations and multinational supply chains.

Who Is Affected – Government & military agencies, energy & telecom providers, NGOs, and private enterprises with ties to Ukraine or Russian‑adjacent markets.

Recommended Actions

  • Review all vendor email security controls (DMARC, SPF, DKIM) and enforce strict attachment scanning.
  • Conduct AI‑phishing awareness training for staff and third‑party contacts.
  • Verify that endpoint detection platforms can detect PowerShell‑based RAT behaviors and enforce application whitelisting.

Technical Notes – Attack vectors include spear‑phishing (malicious ZIP/RAR via Google Drive/4sync), fake CAPTCHA/Cloudflare verification pages, and counterfeit Ukrainian‑themed websites. Malware families (LegionRelay, PhantomRelay) are PowerShell RATs capable of credential theft, screenshot capture, and exfiltration via Telegram/WhatsApp. No specific CVE is cited; the novelty lies in AI‑assisted code obfuscation tools (LOOKVALPS, DAYLIGHT, TEASOUP). Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/greyvibe-hackers-use-chatgpt-gemini-to-power-cyberattacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →