GreyVibe — Russian-Aligned AI-Assisted Espionage vs Ukraine: LegionRelay/PhantomRelay PowerShell RATs & FallSpy Android Spyware (WithSecure) — Threadlinqs Intelligence
Threat ID: TL-2026-0622 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: GreyVibe · Russia · ESPIONAGE
GreyVibe is a likely Russian-aligned threat cluster targeting Ukrainian and Ukraine-related military, government, civilian, and business entities since at least August 2025 (disclosed by WithSecure in
GreyVibe is a threat cluster, tracked by WithSecure and disclosed publicly in 2026, that conducts espionage-oriented operations against Ukrainian and Ukraine-related organizations across the military, government, civilian, and business sectors. Activity dates to at least August 2025 and continued into 2026. Attribution to a Russian-speaking, likely Russian-aligned operator rests on the language used in the malware control panels, comments in code artifacts, and command-and-control (C2) server clocks configured to UTC+3 (Moscow time). WithSecure assesses that the group lacks the operational discipline of a mature nation-state service (notably, it uploaded development and test samples to public scanning platforms) and that it likely blends state-aligned tasking with current or former cybercriminal operators. A unique ISO builder links early and test samples to former TrickBot members (UAC-0098), who targeted Ukraine at the outset of the full-scale invasion.
A defining trait of GreyVibe is the operational use of generative AI. WithSecure attributes the volume, diversity, and polish of the actor's lures to ChatGPT, Google Gemini, and Ideogram AI, which were used to generate realistic decoy documents, imagery, and social-engineering content, and to assist in writing malware and the group's custom obfuscators. The custom tooling family includes the LOOKVALPS (PowerShell) and LOOKVALJS / TEASOUPJS (JavaScript) loaders and the DAYLIGHT script obfuscator — code WithSecure assesses was likely produced with LLM assistance.
The intrusion set is organized into five campaigns.

PhantomMail uses spear-phishing emails that deliver malicious ZIP/RAR archives via Google Drive and 4sync links, opening decoy PDFs or fake error messages while staging loaders; observed lures impersonated Ukrainian government, emergency (DSNS), telecom, and energy (Centrenergo) entities, with Ukrainian-language filenames such as 'форма акта перевірки.XLS.js'.

PhantomClick employs fake CAPTCHA/ClickFix pages disguised as Zoom (zoomconference.app/.click) and LAPAS (lapas.live) sites, using bogus Cloudflare verification prompts to trick victims into pasting and running self-infecting commands.

PrincessClub stands up fake Ukrainian adult/dating websites that deliver FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware, operated with fake female Telegram personas (e.g. vikagogogo111) and WebRTC-based live video calls that capture victim audio/video.

DroneLink uses fake Ukrainian military charity sites themed around FPV drones and UAVs (frontforce.org, ukrguard.org), sharing infrastructure and tooling with PrincessClub.

Nebo presents fake Russian military communications (СПО НЕБО) login pages to convince Ukrainian military personnel they are accessing a Russian military terminal.
LegionRelay is a PowerShell RAT supporting file theft, screenshot capture, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup. It persists via scheduled tasks masquerading as legitimate software ('Adobe working', 'AMD Checker', 'BackUp checker') and drops its client to paths such as C:\ProgramData\AMD\amd.ps1. It uses a Telegram dead-drop resolver (t.me/s/sdgsersergser) and HTTP C2 over port 8000 (e.g. 194.87.128.243:8000).
PhantomRelay is a second PowerShell RAT supporting system fingerprinting, dynamic script loading, and arbitrary PowerShell/Windows command execution. Observed in V1, V2, and a 'Lite' variant, it persists via watchdog scripts (SysCheckupService.ps1, RzUpdateManager.ps1) and scheduled tasks impersonating system/Razer services, staging under %ProgramData%\WindowSystem and %LOCALAPPDATA%\Razer Update. PhantomRelayLite has also been seen in broader cybercrime activity, including Teams vishing and KongTuke-style delivery, indicating tool overlap between espionage and criminal use. RAT client and watchdog scripts are frequently obfuscated with DAYLIGHT.
FallSpy is Android spyware used in the PrincessClub and Nebo campaigns purely for intelligenc
Target sectors: military, government, defense, energy, telecommunications, emergency-services, civilian, business
Target regions: Ukraine, Eastern Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 34 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, T1583, T1587, T1588, T1585, T1566, T1189, T1059, T1204