PhantomRelay
PhantomRelay is a modular PowerShell-based remote access trojan (RAT) used by the GREYVIBE threat actor in campaigns targeting Ukraine and broader Eastern European entities since at least August 2025. It is described as a two-stage implant consisting of an initial fingerprinting script followed by the main RAT client. PhantomRelay profiles the host, executes PowerShell scripts and Windows commands, and communicates with command-and-control infrastructure over secure WebSocket connections. WithSecure tracks multiple variants, including PhantomRelayLite, PhantomRelayV1, and PhantomRelayV2; PhantomRelayV1 is noted as including a custom watchdog persistence mechanism. Delivery observed in GREYVIBE operations includes spear-phishing campaigns tracked as PhantomMail, where malicious ZIP or RAR archives hosted on Google Drive or 4sync contained JavaScript-based or PyInstaller-based loaders that launched decoy documents and initiated the PhantomRelay infection chain, and ClickFix-style fake CAPTCHA campaigns tracked as PhantomClick, where bogus Zoom- or LAPAS-themed pages tricked victims into running commands that installed the implant. PhantomRelay was also delivered via fraudulent Ukrainian adult-club lure sites in the PrincessClub campaign. Reported victim sectors include military, government, civilian, and business-related organizations, with confirmed Ukrainian targeting. The malware has also appeared in separate activity clusters outside the core Ukrainian espionage context, including Microsoft Teams voice-phishing and another ClickFix delivery chain observed between February and March 2026. Associated threat reporting links PhantomRelay primarily to GREYVIBE, a Russia-linked, Russian-speaking threat group assessed to align with Russian state intelligence interests while also showing ties to the broader cybercrime ecosystem.
Groups observed using it
1 distinct threat actor attributed by public researchers.
For instance, PhantomRelay operates as a modular PowerShell-based remote access tool. This client establishes secure WebSocket connections to interact with command servers.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique: PhantomRelay variants appeared in a Microsoft Teams voice-phishing campaign and a separate ClickFix delivery chain between February and March 2026...
Resource Development
1 technique: PhantomMail uses spear-phishing emails with links to malicious archives on Google Drive and 4sync, delivering JavaScript-based loaders and a PowerShell remote access trojan called PhantomRelay.
Initial Access
3 techniques: The group has leveraged multiple attack vectors, including... fake captcha pages and fraudulent Ukrainian adult club websites, to deliver malware... PrincessClub... fake Ukrainian adult-club websites that deliver Android spyware called FallSpy, or Windows-based RATs depending on the victim’s device.
Initially, the threat actors ran at least six distinct email-based campaigns. These messages delivered malicious compressed archives hosted on popular public file-storage services, and the archives contained automated script loaders that dropped localized decoy documents.
The group has leveraged multiple attack vectors, including spear-phishing e-mails... PhantomMail uses spear-phishing emails with links to malicious archives on Google Drive and 4sync, delivering JavaScript-based loaders and a PowerShell remote access trojan called PhantomRelay.
Execution
5 techniques: For instance, PhantomRelay operates as a modular PowerShell-based remote access tool.
PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host and run PowerShell scripts and Windows commands.
PhantomMail uses spear-phishing emails with links to malicious archives on Google Drive and 4sync, delivering JavaScript-based loaders...
The fake CAPTCHA page then instructs visitors to execute commands on their own machine. These commands quietly launch the primary backdoor client while redirecting the user to a benign destination.
The archives contained PyInstaller- or JavaScript-based loaders that launched a decoy (e.g. a PDF document or an error pop-up) while initiating the PhantomRelay infection chain in the background.
Stealth
2 techniques: Across these campaigns, the group has relied on custom developed obfuscators, loaders, and malware... WithSecure found evidence of AI assistance across multiple parts of the operation... obfuscation scripts...
PhantomClick uses fake CAPTCHA pages impersonating Zoom and LAPAS... DroneLink uses websites posing as charitable foundations supporting the Ukrainian military... Nebo uses a FallSpy sample designed to mimic a Russian military login screen...
Discovery
1 technique: PhantomRelay, a PowerShell-based remote access trojan (RAT) designed to profile the host...
Command and Control
3 techniques: The RAT uses WebSockets to communicate with its C2 and supports execution of both PowerShell scripts and Windows commands.
This client establishes secure WebSocket connections to interact with command servers. Alternatively, the actors deploy a lightweight REST client called LegionRelay.
Furthermore, operators can push down extra modules to perform customized tasks on demand.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A modular PowerShell-based remote access tool that connects to command servers over secure WebSocket channels and supports delivery of additional modules for customized tasks.
A PowerShell-based remote access trojan used by GREYVIBE for victim compromise via spear-phishing and fake CAPTCHA/ClickFix-style lures.
A PowerShell-based remote access trojan used by GREYVIBE to profile infected hosts and execute PowerShell scripts and Windows commands. A variant, PhantomRelayV1, adds a custom watchdog persistence mechanism.
A modular PowerShell RAT delivered via multiple lure chains. It fingerprints victims, communicates over WebSockets, executes PowerShell and Windows commands, and loads additional scripts from C2. Variants include PhantomRelayLite, PhantomRelayV1, and PhantomRelayV2.