Russia-Linked 'GreyVibe' Attackers Use AI to Supercharge Cyberattacks

Attackers use AI to increase attack velocity, scale, and sophistication, and attackers’ AI use is expected to grow as defenders’ AI capabilities improve. GreyVibe is a previously undocumented threat actor that WithSecure attributes to Russian-speaking operators in the Moscow time zone; it is uncertain whether the group is cybercriminal, nation-state, or a blend of the two. The group has targeted Ukrainian military, government, civilian, and business entities since August 2025, which aligns with Russian state interests. Indicators such as naming conventions based on internet slang and intensive AI use across website creation, lure crafting, custom malware development, and post-compromise tooling suggest the group may not consist purely of elite state operators. The group's LLM-generated LegionRelay Windows malware contained design flaws, which enabled WithSecure researchers to track its activity over an extended period since mid-2025.
"GreyVibe is a previously undocumented threat actor, described by WithSecure as a Russia-nexus group. The researchers are confident in their attribution of GreyVibe to Russian-speaking operators in the Moscow time zone, but are less certain whether the group is cybercriminal, nation-state - or a mix of the two."
"The primary focus of the group, targeting Ukrainian military, government, civilian, and business entities since August 2025, aligns closely with Russian state interests. At the same time, the researchers have detected numerous indications that at least some GreyVibe members may be socially less than optimum elite state operators - including, for example, their use of Internet slang-based naming conventions across early-stage development artefacts, such as 'letsrollboyos', 'totallyunsus', and 'cuteuwu'."
"Another clue that may suggest GreyVibe is not a pure state actor comes from its intensive use of AI across every phase of its operations, 'from building fake websites and crafting lures to developing custom malware and generating post-compromise tooling,' say the researchers. Their report adds resource development including obfuscation and loader scripts, and post-compromise scripts."
"However, while the researchers detected the use of top tier AI including Ideogram AI, ChatGPT, and Google Gemini, GreyVibe introduced design flaws into its LLM-generated LegionRelay Windows malware. Mistakes are not something normally attributed to elite actors. This mistake enabled WithSecure researchers to monitor and track GreyVibe activity over an extended period since mid-2025."
Read at SecurityWeek