thehackernews.com web signal

GREYVIBE uses ChatGPT and Gemini to target Ukraine

cybersecurity openai google military ai-attacks geopolitics

Key insights

  • GREYVIBE has run five simultaneous AI-assisted attack chains against Ukraine since August 2025, using ChatGPT and Google Gemini as operational tools.
  • Lower-skilled operators can manage five distinct attack chains by using AI to generate phishing content, obfuscated scripts, and backend infrastructure on demand.
  • ESET assesses GREYVIBE as Kremlin-aligned, with LegionRelay as its primary post-compromise malware and intelligence gathering as its objective.

Why this matters

GREYVIBE is the first documented case of a state-aligned threat actor running five simultaneous AI-assisted attack chains, a sign that commercial AI has moved from experimentation into routine operational use by nation-state actors. By having ChatGPT and Gemini generate obfuscated scripts and backend infrastructure, the group decouples attack sophistication from operator skill, widening the pool of people any government can recruit to run such campaigns. Ukrainian defenders and Western intelligence agencies must now detect AI-generated attack artifacts that are designed to be contextually plausible and stylistically varied, across five parallel campaigns at once.

Summary

ESET researchers disclosed GREYVIBE, a previously undocumented Russian-speaking threat actor that has targeted Ukrainian military, government, and civilian organizations since August 2025. The group uses ChatGPT, Google Gemini, and Ideogram AI to generate phishing imagery, obfuscated loader scripts, and backend infrastructure, which lets lower-skilled operators run five simultaneous attack chains against different victim types. In short, a threat actor ESET assesses as Kremlin-aligned has standardized commercial AI tools across its entire attack pipeline.

  • Attack vectors: spear-phishing emails, fake CAPTCHA pages, and fraudulent Ukrainian-themed websites.
  • Post-compromise payload: LegionRelay malware, deployed across all five attack chains.

Commercial AI has lowered the skill required to run parallel intrusions to the point where a single state-aligned group can sustain five simultaneous campaigns against distinct target categories.

Potential risks and opportunities

Risks

  • OpenAI and Google face regulatory scrutiny if GREYVIBE's accounts on their platforms operated undetected for months; EU AI Act compliance teams are likely to examine both companies' abuse-detection obligations
  • Ukrainian networks with active LegionRelay implants may remain compromised beyond the ESET disclosure window, with no public estimate of affected organizations or the scope of data exfiltrated
  • The five-chain AI-parallel attack model sets a replicable template that Iran-aligned groups (MuddyWater) and North Korea-aligned groups (Lazarus) could adopt using the same commercial AI stack within 12 months

Opportunities

  • AI-assisted threat detection vendors (Recorded Future, Mandiant, CrowdStrike) can position AI-generated artifact detection as a new product category following the GREYVIBE disclosure
  • Defensive AI providers with Ukraine-facing contracts (Palantir, Booz Allen's AI unit) gain immediate budget justification for AI-assisted defense and threat hunting capabilities in the region
  • OpenAI and Google have a first-mover opportunity to publish documented threat-actor API misuse detection frameworks, strengthening their compliance positioning with NATO-aligned government customers

What we don't know yet

  • Whether OpenAI or Google have been notified of GREYVIBE-linked accounts and what action either company has taken as of the May 2026 disclosure
  • What intelligence GREYVIBE collected during the undetected window between August 2025 and ESET's May 2026 disclosure
  • Whether LegionRelay has been shared with or sold to other Russian-aligned threat actors outside the GREYVIBE group