CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 30, 2026

GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks

Cybersecurity News Archived May 30, 2026 ✓ Full text saved

GREYVIBE hackers are increasingly leveraging generative AI tools such as ChatGPT and Google Gemini to enhance cyberattack operations. The campaign, active since at least August 2025, primarily targets Ukraine and related entities across the government, military, and civilian sectors, highlighting a growing convergence between artificial intelligence and modern cyber warfare. WithSecure researchers identified GREYVIBE as […] The post GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyb

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News GREYVIBE Hackers Leverage ChatGPT and Google Gemini to Fuel Cyberattacks By Abinaya May 30, 2026 GREYVIBE hackers are increasingly leveraging generative AI tools such as ChatGPT and Google Gemini to enhance cyberattack operations. The campaign, active since at least August 2025, primarily targets Ukraine and related entities across the government, military, and civilian sectors, highlighting a growing convergence between artificial intelligence and modern cyber warfare. WithSecure researchers identified GREYVIBE as a previously untracked threat group exhibiting consistent overlaps in infrastructure, tooling, and operational behavior across multiple campaigns. While no definitive attribution has been established, the group’s activities strongly align with Russian state interests, particularly intelligence-gathering objectives linked to the ongoing Russia-Ukraine conflict. Supporting evidence includes Russian-language artifacts, Moscow time zone activity patterns, and targeting aligned with Ukrainian institutions. GREYVIBE Abuses ChatGPT, Gemini AI GREYVIBE employs a multi-vector attack strategy, combining spear-phishing emails, fake CAPTCHA verification pages, and fraudulent websites to distribute malware. In spear-phishing campaigns, attackers impersonate Ukrainian government agencies and distribute malicious archives via cloud services such as Google Drive. These payloads execute decoy documents while silently initiating infection chains using custom loaders. Another notable tactic involves fake CAPTCHA pages designed to trick victims into executing malicious commands under the guise of verification steps. Additionally, the group operates deceptive “adult club” websites targeting Ukrainian individuals, particularly military personnel.  Example of fake captcha site and prompted instructions (Ukrainian) (Source: Withsecure labs) These platforms not only deliver malware such as FallSpy for Android and PhantomRelay for Windows, but also engage in social engineering through fake personas on messaging platforms like Telegram. A key finding in the report is GREYVIBE’s systematic use of generative AI across the attack lifecycle. Tools such as ChatGPT, Google Gemini, and Ideogram AI were reportedly used to generate phishing lures, develop malware components, and support post-compromise activities. Researchers observed AI-generated code patterns in obfuscators and loaders such as DAYLIGHT and TEASOUP, as well as in the development of LegionRelay, a custom PowerShell-based remote access trojan. This AI-assisted approach appears to help the group compensate for limited technical sophistication while accelerating development cycles. It also reduces reliance on reused code, making traditional attribution methods more difficult. However, the group’s reliance on AI has introduced flaws. WithSecure identified design weaknesses in LegionRelay that exposed backend functionality, enabling researchers to monitor attacker activity over time.  Examples of LLM markers present across images used by GREYVIBE (Source: Withsecure labs) GREYVIBE’s malware toolkit includes PhantomRelay, a modular RAT that uses WebSockets for command execution, and FallSpy, an Android spyware that exfiltrates sensitive data, including contacts, location, and device information. LegionRelay further extends its capabilities by enabling file theft, screenshot capture, and exfiltration of messaging data. Despite its effectiveness, GREYVIBE demonstrates signs of operational immaturity. Researchers noted poor operational security practices, including uploading test samples to public platforms and inconsistent tooling. At the same time, overlaps with known cybercrime infrastructure suggest possible links to former or active cybercriminal actors, indicating a hybrid threat model. The emergence of GREYVIBE underscores how generative AI is reshaping the threat landscape. By lowering technical barriers and enabling rapid tool development, AI is empowering even moderately skilled actors to conduct complex cyber operations, complicating detection, attribution, and defense efforts. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Google Employee Charged for Making $1.2 Million With Confidential Information New 0-Click WhatsApp Account Takeover Attack Targeting iOS 16 Users Malicious Websites Track Visitors by Analyzing their SSD Timing Activity ConnectWise Automate Vulnerability Let Attackers Bypass Security Checks Apache CXF LDAP Injection Vulnerability Let Attacker Retrieve Arbitrary Certificates Latest News Technology Post-quantum cryptography is not the future. It is your current reality.   Cyber Security News Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges Cyber Security News JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware Cyber Security News Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets Cyber Security From 200 CVEs to Actionable Fixes – DockSec Brings AI to Container Security
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 30, 2026
    Archived
    May 30, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗