Russian‑Linked GREYVIBE APT Uses AI‑Assisted Malware to Target Ukrainian Military, Government and Business Sectors
What Happened — The GREYVIBE group, linked to Russian actors and active since 2025, has deployed AI‑enhanced malware through five distinct attack chains that rely on spear‑phishing, fake CAPTCHA pages, counterfeit adult‑club sites, charitable‑foundation fronts, and spoofed military login screens. Victims span Ukrainian military, government, civilian agencies and private enterprises.
Why It Matters for TPRM —
- AI‑driven toolsets lower the skill barrier, increasing the likelihood of successful compromises against third‑party vendors that support Ukrainian clients.
- The group’s multi‑vector approach (email, web lures, VPN installers) can bypass traditional perimeter controls, exposing supply‑chain partners to data theft or espionage.
- Persistent activity since 2025 indicates a long‑term campaign; any organization with Ukrainian ties should reassess its threat model.
Who Is Affected — Government, Military, Civilian agencies, and private businesses operating in or with Ukraine.
Recommended Actions —
- Review and harden email security (DMARC, anti‑phishing training, sandboxing of attachments).
- Block known malicious domains and IPs associated with GREYVIBE’s infrastructure.
- Conduct threat‑intel‑driven monitoring of third‑party vendors that handle Ukrainian data or provide services to Ukrainian entities.
- Validate that endpoint detection and response (EDR) solutions can detect AI‑obfuscated loaders and PowerShell‑based RATs.
Technical Notes —
- Attack vectors: spear‑phishing (malicious Google Drive/4sync links), fake CAPTCHA pages, counterfeit adult‑club sites, charitable‑foundation download pages, spoofed military login screens.
- Malware families: PhantomRelay (PowerShell RAT), FallSpy (Android spyware), LegionRelay (lightweight RAT), custom obfuscators and loaders.
- AI is used to generate polymorphic code and to automate credential‑harvesting scripts, complicating static detection.
Source: SecurityAffairs – Meet GREYVIBE, the Russia‑Linked Hacking Group Using AI to Target Ukraine