
Russian-linked GreyVibe cluster weaponizes ChatGPT and Gemini to generate phishing lures targeting Ukrainian organizations.
GreyVibe, a likely Russian-nexus threat cluster, has been running active operations against Ukrainian organizations. The defining trait: the group uses ChatGPT and Gemini — off-the-shelf commercial AI models — to generate phishing lures with high linguistic quality.
The result bypasses the classic "bad grammar" detection heuristic defenders have relied on for years. Lures are contextually plausible, linguistically accurate, and *tailored to each target's language and operational context*.
GreyVibe pairs these AI-crafted lures with a custom malware toolkit. The AI handles the delivery layer; the malware handles post-compromise operations.
Producing credible spear-phishing at scale used to require native speakers and significant operational investment. ChatGPT and Gemini eliminate that friction. Any cluster with a paid API account can now generate hundreds of personalized lures per day.
APTs (state-sponsored hacker groups) don't need to train proprietary models. Commercial tools are sufficient — and because they're globally distributed, detecting *which model* generated a lure offers no defensive signal.
This breaks a core detection heuristic: flagging phishing by poor writing quality. That indicator is now unreliable against AI-assisted campaigns.
GreyVibe is a signal, not an outlier. Generative AI is already standard offensive infrastructure. Defenders who don't adapt their detection to TTPs (tactics, techniques, and procedures: the attacker's playbook) built on LLM-polished content will see systematic false negatives going forward.