
Russia-Linked GreyVibe Built AI Malware That Exposed Its Own Operators

Date May 29, 2026 / 3 Min Read

A Russia-nexus group that researchers call GreyVibe has been using ChatGPT, Google Gemini and the image tool Ideogram to build its phishing lures, write its malware and run its post-compromise tooling. The Finnish security firm WithSecure, which exposed the group this week, says the case is a preview of how lower-tier attackers will operate.

GreyVibe has targeted Ukrainian military, government, civilian and business entities since at least August 2025, according to WithSecure. The firm discovered the activity in January 2026 and attributes it to Russian-speaking operators working in the Moscow time zone, based on the language in its malware panels, comments in the code and command-and-control servers set to UTC+3. WithSecure will not go further than that.

AI Across the Whole Attack Chain

What makes GreyVibe unusual is how much of its work appears to be AI-assisted. WithSecure found generative AI involved in lure development (including images for its PrincessClub campaign and the fake sites used in PrincessClub and PhantomClick), in resource development (including obfuscation and loader scripts and the full build of a Windows implant called LegionRelay), and in post-compromise tooling delivered through LegionRelay and PhantomRelay. The group reached targets through spear-phishing, fake captcha pages and fraudulent Ukrainian adult-club websites.

The “supercharge” framing around this story oversells it. GreyVibe’s AI-generated malware contained design flaws, and those mistakes are exactly what let WithSecure monitor the group since mid-2025. Mohammad Kazem Hassan Nejad, a senior threat intelligence researcher at the firm, said what sets the group apart is “operational ambition powered by AI,” not raw technical skill. AI lifted a mediocre team above its natural ceiling and left fingerprints doing it.

A Group WithSecure Will Not Call Nation-State

This is where the report is more careful than the headlines. WithSecure is confident the operators are Russian-speaking, but it will not classify GreyVibe as cybercriminal, nation-state or a hybrid of the two. It notes possible overlap with the TrickBot ecosystem and the group tracked as UAC-0098 while stopping short of a firm link. That restraint is the right call. The targeting aligns with Russian state interests, but alignment is not direction, and a 48-hour nation-state label would have been premature.

For defenders, the useful output is concrete: WithSecure has published indicators of compromise tied to GreyVibe’s campaigns and tooling, and they are available now.

Why a Ukraine-Focused Group Still Matters Here

GreyVibe’s victims are Ukrainian or Ukraine-related, so this is not a direct warning to Nordic firms. The relevance is the method. A group that WithSecure, a Helsinki-based company, rates as short on elite tradecraft was still able to run varied campaigns and custom malware because AI filled its capability gaps. The floor for who can mount a credible intrusion has dropped. Treat AI-generated phishing and AI-built malware as a baseline threat, not an advanced one.
