Russian-linked group GreyVibe used AI tool to build malware and lures

Researchers tracking a suspected Russia-aligned threat group found AI fingerprints in phishing emails and in the malware code itself, including a remote access trojan likely written with assistance from large language models.

What happened

A threat group tracked as GreyVibe has been running a cyberespionage campaign targeting government, military, civilian, and business organizations since at least August 2025. According to BleepingComputer, researchers who discovered the activity in January 2026 determined the group used ChatGPT, Google Gemini, and Ideogram AI to generate realistic phishing lures impersonating government agencies, emergency services, telecom providers, and energy companies. The same AI tools appear to have assisted in writing custom malware, including a PowerShell remote access trojan called LegionRelay capable of stealing files, capturing screenshots, harvesting browser credentials, and exfiltrating Telegram and WhatsApp data. The group's command-and-control servers are configured to UTC+3 (Moscow time), and code comments and malware panel language are in Russian. However, researchers stopped short of formally classifying GreyVibe as a confirmed nation-state operation.

Going deeper

GreyVibe ran several distinct campaign chains simultaneously. PhantomMail sent spear-phishing emails that delivered malicious ZIP and RAR archives via Google Drive and file-sharing links, using decoy PDFs or fake error messages to distract. At the same time, malware was deployed in the background. PhantomClick used fake CAPTCHA and ClickFix pages disguised as Zoom and other services, tricking victims into running self-infecting commands through fake Cloudflare verification prompts. Two other chains, PrincessClub and DroneLink, deployed FallSpy Android spyware through fake dating sites and military charity websites, using fake female Telegram personas and later WebRTC-based live calls that captured audio and video from targets. Researchers noted LegionRelay's coding patterns, and a separate set of custom obfuscation tools showed signs of large language model assistance, marking one of the first documented cases of AI being used for lure creation and for malware development in an active espionage campaign. Despite the operational sophistication of the multi-chain approach, researchers noted the group "lacked the level of sophistication and operational discipline typically associated with mature nation-state actors," and the presence of a cryptocurrency miner on some victim machines suggested possible cybercriminal elements within the group.

What was said

Researchers told BleepingComputer they are uncertain "whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently but with state-directed tasking, or have formed a hybrid team involving state-affiliated and cybercriminal members." The group's use of an ISO builder associated with former TrickBot members who targeted Ukraine at the start of the Russian invasion provided one of the clearest links to prior criminal activity. However, researchers were careful to distinguish GreyVibe's state-aligned operations from the tool's cybercriminal use.

In the know

AI-assisted malware development was predicted, but rarely documented in active campaigns until now. KnowBe4's April 2026 phishing trends report found that 86% of phishing campaigns involve AI in some form, but that figure predominantly shows AI-generated lure content rather than AI-written malware code. According to The Hacker News, security researchers have demonstrated that large language models can generate functional malware variants faster than human developers. Still, GreyVibe represents one of the first threat groups where that capability has been confirmed in deployed campaign tooling rather than in proof-of-concept research.

The big picture

GreyVibe's campaign shows AI lowering the development ceiling for threat actors who previously lacked the technical depth to build custom malware. Generating realistic phishing content with AI was already documented across dozens of campaigns in 2025 and 2026. Using AI to write the malware itself is a meaningful escalation; it means groups operating below the technical threshold for custom tool development can now cross it. Healthcare organizations are not GreyVibe's documented targets, but the techniques the group used, ClickFix CAPTCHA abuse, AI-generated impersonation lures, and credential-harvesting trojans deployed through fake document notifications, are identical to those documented in healthcare-targeted campaigns throughout 2026. The Verizon 2026 Data Breach Investigations Report specifically noted that attackers are using AI at every stage of the breach chain, from target selection through malware deployment, and that defenders now have hours rather than months between vulnerability disclosure and active exploitation as a result.

FAQs

What evidence links GreyVibe to Russia?

Researchers identified Russian-language malware panel interfaces and code comments, command-and-control servers set to Moscow time, and an ISO builder previously associated with former TrickBot members who targeted Ukraine. None of this constitutes formal attribution to the Russian government, which is why researchers described the group as likely Russian-aligned rather than confirmed state-sponsored.

What does AI-assisted malware development actually mean in practice?

Large language models can generate functional code from natural language descriptions, debug existing code, and suggest evasion techniques. For GreyVibe, researchers found coding patterns in LegionRelay and custom obfuscation tools consistent with LLM output rather than human-written code. The practical result is a fully functional remote access trojan built faster and with less technical expertise than traditional development requires.

What is ClickFix, and why has it appeared in multiple 2026 campaigns?

ClickFix presents victims with a fake error or verification page that instructs them to paste a command into their system to fix a problem or complete a CAPTCHA. The command executes malware. The technique works by transferring the execution step to the victim, bypassing endpoint controls that block automated malicious downloads. Multiple threat groups adopted it through 2025 and 2026 because of its effectiveness against users who follow instructions.

Why would a state-aligned espionage group deploy a cryptocurrency miner on victim machines?

Cryptocurrency mining on victim infrastructure is typically a financially motivated activity associated with cybercriminals rather than espionage operations. Its presence on some GreyVibe victim machines supports the researchers' theory that the group includes former or current cybercriminals alongside state-directed components, creating a hybrid operation in which financial motives coexist with intelligence collection.

How should organizations defend against multi-chain campaigns like GreyVibe's?

No single control addresses all five of GreyVibe's documented attack chains simultaneously. Phishing-resistant multi-factor authentication limits the damage from credential harvesting. Mobile device management policies that restrict sideloading reduce exposure to Android spyware. Staff training specifically covering ClickFix and fake CAPTCHA techniques addresses the social engineering chain. Monitoring for unusual PowerShell execution and outbound connections to unfamiliar hosts catches post-compromise activity from tools like LegionRelay and PhantomRelay.