New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks

ID: df7a5cfc-a4b6-5542-bbf9-1cc9e654740e

STIX ID: report--df7a5cfc-a4b6-5542-bbf9-1cc9e654740e

Feed Name: The Hacker News

Threat Score: 85/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: [email protected] (The Hacker News)

WithSecure attributes a previously undocumented Russian-speaking threat actor tracked as GREYVIBE to ongoing cyber espionage against Ukrainian and Ukraine-related targets since August 2025. GREYVIBE operates multiple campaigns (PhantomMail, PhantomClick, PrincessClub, DroneLink, Nebo) delivering RATs and spyware (PhantomRelay, LegionRelay, FallSpy), uses spear-phishing, fake CAPTCHA and lure sites, and leverages generative AI to produce images, code, obfuscation, and infrastructure; investigators note ties to the criminal ecosystem and mixed sophistication with operational security flaws.