GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
Recorded: May 28, 2026, 11 p.m.
| Original | Summarized |
By Bill Toulas, May 28, 2026

A likely Russian threat group tracked as GreyVibe has been using AI-generated lures and a rich set of custom malware tools to target entities in the military, government, civilian, and business sectors.

[Figure: LLM markers in images used by GreyVibe. Source: WithSecure]

[Figure: Overview of malware and campaign associations. Source: WithSecure] |
A threat group identified as GreyVibe is reportedly leveraging artificial intelligence tools such as ChatGPT and Gemini to run cyberespionage campaigns targeting military, government, civilian, and business entities. The activity has been ongoing since at least August 2025 and appears to align with Russian state interests, although researchers note they cannot definitively classify it as a formal nation-state operation. Security company WithSecure uncovered the activity in January of the current year and determined that the campaign focused on organizations related to Ukraine. Linguistic evidence, including the language of the malware panel, code artifacts, and command-and-control server timings configured to UTC+3 (Moscow time), supports the link to a Russian-speaking threat actor.

GreyVibe employed a diverse set of attack chains to achieve its objectives. PhantomMail used spear-phishing emails containing malicious ZIP/RAR archives delivered via Google Drive and 4sync links, often disguised with decoy PDFs or fake error messages and impersonating Ukrainian government, emergency, telecom, and energy organizations. PhantomClick used fraudulent CAPTCHA or ClickFix pages mimicking Zoom and LAPAS sites, tricking victims into executing self-infecting commands through deceptive Cloudflare verification prompts. The PrincessClub campaign used fake Ukrainian adult and dating websites to distribute the FallSpy Android spyware and Windows malware such as PhantomRelay and LegionRelay, often operated through fake female Telegram personas, with WebRTC-based live calls added to capture audio and video.

Further campaigns included DroneLink, fake Ukrainian military charity websites themed around FPV drones and UAVs that shared infrastructure with the PrincessClub operations, and Nebo, which used fake login pages mimicking Russian military communications ("СПО НЕБО") to make Ukrainian military personnel believe they were accessing a Russian terminal.

The creation of these realistic lures and tools was significantly aided by multiple AI tools, including ChatGPT, Ideogram AI, and Google Gemini, which generated the detailed and believable content supporting the attacks. The threat actors also used LLM assistance to develop custom obfuscators such as LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP. The researchers further suggested that the PowerShell-based remote access trojan LegionRelay was likely developed with the assistance of these AI tools. This malware supports file theft, screenshot capture, browser credential theft, data exfiltration from Telegram and WhatsApp, and the setup of Remote Desktop Protocol access. Another deployed malware, PhantomRelay, is a PowerShell remote access trojan (RAT) capable of system fingerprinting, dynamic script loading, and execution of PowerShell and Windows commands. The campaign also employed the FallSpy Android spyware, which is dedicated to intelligence gathering and collects contact lists, call logs, device and network information, location data, media files, and SIM information.

While the overall activity is consistent with a state-aligned operation, WithSecure noted that GreyVibe exhibited a lower level of sophistication and operational discipline than is typically associated with mature nation-state actors. This observation led researchers to hypothesize that GreyVibe may incorporate current or former cybercriminals.

Evidence supporting this theory includes the use of a unique ISO builder associated with a group of former TrickBot members that targeted Ukraine at the start of the invasion, the uploading of development and test samples to a public scanning platform (uncommon for nation-state actors), and the deployment of a cryptocurrency miner on some victim machines. The researchers remain uncertain about the exact composition of the threat actor: former or current cybercriminals absorbed into a state-backed group, an independent group operating under state direction, or a hybrid team of state-affiliated and criminal elements. Organizations can defend against this activity by using the Indicators of Compromise provided by WithSecure. |