FallSpy
FallSpy is an Android spyware first observed in August 2025 and associated with the GREYVIBE threat actor. It has been used in several GREYVIBE campaigns, including PrincessClub and Nebo, targeting Ukraine and broader Eastern European entities, including military, government, civilian, and business-related victims. In the PrincessClub campaign, fake Ukrainian adult-club websites and Telegram-based social engineering personas were used to induce victims to install malicious Android applications; depending on the victim device, the same lure infrastructure could also deliver Windows RATs. In the Nebo campaign, a FallSpy sample was designed to mimic a Russian military login screen, apparently to deceive Ukrainian military personnel.
Based on the reporting, FallSpy harvests sensitive data from compromised Android devices. Specifically documented capabilities include exfiltration of contact lists, call logs, installed applications, SIM-linked phone numbers, device and network information, Wi-Fi SSID, last-known location, public IP address, and media files. The malware was described as extracting local contact lists and call logs and as harvesting sensitive data from infected devices. High-confidence victimology includes Ukrainian combatants, with PrincessClub victims noted in Kharkiv. The reporting ties FallSpy directly to GREYVIBE's Russia-linked espionage activity, aligned with Russian state interests in the context of the Russia-Ukraine war.
Groups observed using it
1 distinct threat actor attributed by public researchers.
For example, the custom FallSpy Android malware extracts local contact lists and call logs.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
2 techniques
For example, the custom FallSpy Android malware extracts local contact lists and call logs.
The group has used fake female personas on Telegram, including via local dating channels, to build trust with victims before directing them to the lure sites or delivering malware directly.
Initial Access
1 technique
The group has leveraged multiple attack vectors, including... fake captcha pages and fraudulent Ukrainian adult club websites, to deliver malware... PrincessClub... fake Ukrainian adult-club websites that deliver Android spyware called FallSpy, or Windows-based RATs depending on the victim’s device.
Stealth
2 techniques
Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware... WithSecure found evidence of AI assistance across multiple parts of the operation... obfuscation scripts...
PhantomClick uses fake CAPTCHA pages impersonating Zoom and LAPAS... DroneLink uses websites posing as charitable foundations supporting the Ukrainian military... Nebo uses a FallSpy sample designed to mimic a Russian military login screen...
Discovery
2 techniques
The malware presents decoy content to the victim while covertly collecting and exfiltrating information from the victim’s device, including contacts, call logs, installed applications, SIM-linked phone numbers, device and network information, Wi-Fi SSID, last-known location, public IP, and media files.
Collection
2 techniques
This live tool can actively record victim microphone feeds and video captures.
Exfiltration
1 technique
LegionRelay is a lightweight PowerShell-based RAT that supports ... file exfiltration, screenshot capture, browser data theft, Telegram and WhatsApp data exfiltration...
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Custom Android spyware used in the PrincessClub campaign to harvest private information from infected devices, including contacts and call logs.
Android spyware delivered through fake lure websites and used in campaigns targeting Ukrainian victims, including military-themed deception.
An Android spyware used in GREYVIBE campaigns to harvest sensitive data from compromised mobile devices.
An Android spyware used for surveillance and intelligence gathering. It displays decoy content while covertly collecting contacts, call logs, installed apps, SIM-linked numbers, device/network info, Wi-Fi SSID, location, public IP, and media files for exfiltration.