How AI Helped Russian-Language GreyVibe Run Five Parallel Cyber Campaigns Targeting Ukraine

A Russian-speaking cyber group called GreyVibe, which researchers say operates in the Moscow time zone, is using generative AI tools such as ChatGPT, Google Gemini and Ideogram AI to carry out sophisticated cyberattacks against Ukrainian targets. The findings illustrate how commercially available AI platforms are increasingly being used to streamline and scale cybercriminal operations.

In a blog post published on May 28, researchers at WithSecure describe how the group employs custom-built obfuscators to generate deceptive content and deliver malware against military, government, civilian and commercial organizations in Ukraine.

According to the report, GreyVibe uses five main attack chains: PhantomMail, PhantomClick, Princess Club, DroneLink and Nebo.

AI streamlines established attack methods

Shane Barney, Chief Information Security Officer at Keeper Security, notes that the most remarkable aspect is not that the attack techniques themselves are new.

– What stands out about GreyVibe is not that the attack chains are entirely new; it is that AI is helping threat actors industrialize them, Barney explains.

He says AI enables attackers to produce more convincing phishing campaigns, fake websites, digital identities and social engineering materials at a scale that previously would have required far greater resources.

– The result is attacks that are more personalized, more credible and substantially harder for users to distinguish from legitimate communications, Barney adds.

Focus on identity-based defense

Barney warns that AI-assisted phishing attacks and credential theft campaigns are likely to continue growing in the coming years.

He recommends organizations strengthen identity-based defenses through robust password management, phishing-resistant multi-factor authentication, least-privilege access controls and continuous monitoring of privileged accounts.

– AI can make social engineering more effective, but the attackers’ fundamental goal remains the same: to steal credentials and gain unauthorized access to systems and data, Barney says.

Faster adaptation and greater resilience

Sergio Villegas, Senior Managing Analyst II at Bishop Fox, observes that AI and large language models allow threat actors to develop and adapt campaigns more quickly to local and regional conditions.

He says automating time-consuming tasks has already become a core part of many cyber operations and that creating tailored lures and documents is no longer unusual.

– Speed and precision are the major changes. AI makes it possible to generate content that is relevant to specific audiences and situations much faster, Villegas explains.

He also highlights that the ability to reuse or rapidly build new malicious infrastructure makes cybercriminal groups more resilient against takedowns and seizures of cloud and SaaS resources.

– Infrastructure takedowns become less effective when attackers can quickly spin up new environments and continue their operations, he says.

Lower barriers to advanced operations

Yagub Rahimov, CEO of Polygraf AI, believes the key takeaway from WithSecure’s report is not merely that another threat group uses generative AI.

– The truly notable point is that AI drastically reduces the time, staffing and specialist expertise required to run large-scale cyber operations, Rahimov says.

He argues this shift changes the playing field for both attackers and defenders.

– Actors who previously lacked the resources to carry out credible, long-running operations can now do so much more quickly. At the same time, the same technology is available to defenders and attackers alike, reshaping cybersecurity’s landscape, he adds.

Security teams must meet AI with AI

Ram Varadarajan, CEO of Acalvio, describes AI as a powerful force multiplier for cybercriminal actors.

– The integration of AI effectively gives attackers a new superpower. They can create convincing fake content and tailored malicious code at speeds and scales we have not seen before, Varadarajan says.

He urges organizations to invest more in employee training while augmenting traditional security tools with AI-driven solutions capable of detecting suspicious behavior in real time.

– To keep pace with this evolution, security teams must move beyond conventional alerts and use intelligent tools that detect anomalous activity as it occurs. In many cases, it will mean meeting a bot with another bot, Varadarajan concludes.