GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
Summary
GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian, and business targets. The operation has been active since at least August 2025 and uses multiple lure-and-delivery chains to push phishing, malware, and credential-theft workflows. Researchers linked the activity to a likely Russian-aligned operator set, though the group’s exact state affiliation remains unconfirmed.
Related Happenings
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
How related:
GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war.
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
How related:
LegionRelay supports file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup.
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
First: 04.05.2026 14:57
Last: 04.05.2026 14:57
Sources 1
About this happening:
**Silver Fox** is running a **tax-themed phishing campaign** that now targets **India** with **Income Tax Department** lures and delivers **ValleyRAT (aka Winos 4.0)**. The campai...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Timeline
- 28.05.2026 03:00
WithSecure links GreyVibe to an AI-assisted cyberespionage campaign against Ukraine-linked organizations
Initial Disclosure
WithSecure identified GreyVibe as a likely Russian threat group conducting cyberespionage against Ukrainian or Ukraine-related organizations, with activity ongoing since at least August 2025 and discovered in January 2026. The operation used AI-generated lures and multiple custom tools to support spear-phishing, fake CAPTCHA/ClickFix pages, fake websites, and malware delivery across military, government, civilian, and business targets.
- GreyVibe hackers use ChatGPT, Gemini to power cyberattacks — www.bleepingcomputer.com — 29.05.2026 01:24
- New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — thehackernews.com — 29.05.2026 14:31