GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25
The original WithSecure Labs disclosure of the Russia-nexus GREYVIBE cluster (2026-05-30 daily) gained independent in-window corroboration from SecurityWeek and Security Affairs. The added detail: despite heavy AI integration in lure generation, the operators left Russian-language code comments and Moscow-timezone activity patterns that enabled attribution, and the PrincessClub sub-campaign masqueraded as charitable foundations for the Ukrainian Armed Forces (FPV-drone / UAV support) to harvest credentials. No expansion beyond Ukrainian targets was found. For CH/EU bodies with Ukraine-linked engagements, the relevant control is spear-phishing scrutiny of charity/fundraising lures that reference military support.