ctipilot.ch

GREYVIBE

actor · actor:greyvibe-russia-nexus-ai-assisted-five-parallel-ukraine-attack

GREYVIBE — Russia-nexus AI-assisted threat cluster (Ukraine)

Coverage timeline
  • 2 appearances, first 2026-05-25 → last 2026-05-30
  • Entries: 2 (2 distinct days)
  • Sources cited: 3 (3 hosts)
  • Sections touched: 2 (active-threats, weekly-long-running)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-30 (active-threats): GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
  2. 2026-05-25 (weekly-long-running): GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign

Where this entity is cited

  • weekly-long-running: 1
  • active-threats: 1

Source distribution

  • labs.withsecure.com: 1 (33%)
  • securityweek.com: 1 (33%)
  • thehackernews.com: 1 (33%)

Entries about GREYVIBE (2)

2026-05-30

GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs

Notable threat · discovered 2026-05-30 05:00 UTC

WithSecure Labs disclosed GREYVIBE on 28–29 May 2026: a previously unnamed Russia-nexus threat cluster, active since at least August 2025, that targets Ukrainian military, government, civilians, and businesses (WithSecure Labs, 2026-05-29; SecurityWeek, 2026-05-28). Five parallel attack chains were documented: PhantomMail (spear-phishing with ZIP/RAR archives hosted on Google Drive and 4sync), PhantomClick (fake CAPTCHA/ClickFix pages impersonating Zoom and LAPAS), PrincessClub (fraudulent adult-club sites with WebRTC-based social engineering), DroneLink (counterfeit Ukrainian Armed Forces charity sites), and Nebo (fake Russian military login portals). Core malware: LegionRelay (a PowerShell RAT with file theft, screenshots, credential harvesting, and RDP access; RC4-encrypted C2 communications), PhantomRelay (a PowerShell RAT with dynamic script loading and watchdog persistence), and FallSpy (Android spyware that extracts contacts, call logs, and geolocation). Four custom obfuscators — LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP — were assessed as LLM-assisted developments. Attribution evidence: Russian-language panels and code comments; C2 servers operating in UTC+3 (Moscow time); OPSEC failures including uploads to public scanning platforms. WithSecure identifies possible links to UAC-0098 (former TrickBot associates). MITRE ATT&CK: T1566.001/T1566.002, T1059.001, T1005, T1204.001, T1133. Detection: alert on PowerShell spawned with an archive-extraction utility as its parent process; hunt for scheduled tasks created by PowerShell that beacon to dynamic DNS domains; configure Android MDM alerts for sideloaded APKs that access the microphone or camera. Organisations supporting Ukrainian government or civil-society counterparts are within the targeting scope.
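A triage routine for the first two detection points above (PowerShell under an archive-extraction parent, and scheduled-task creation from a PowerShell parent), written as an added example that is not from ctipilot.ch, WithSecure Labs or the cited sources. The event field names follow Sysmon Event ID 1 naming as an assumption, the archive-tool image names are the common 7-Zip and WinRAR binaries, and the sample events are constructed rather than captured telemetry.

```python
"""Process-creation triage for the GREYVIBE detection notes.

Added example (not from ctipilot.ch or WithSecure Labs). Event fields follow
Sysmon Event ID 1 naming as an assumption; SAMPLE_EVENTS are constructed."""
import ntpath

# Archive-extraction parents whose PowerShell children warrant an alert
# (the PhantomMail chain delivers ZIP/RAR archive lures).
ARCHIVE_TOOLS = {"7zfm.exe", "7z.exe", "7zg.exe", "winrar.exe", "unrar.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of an image path (handles \\ and / separators)."""
    return ntpath.basename(path).lower()


def triage(events: list) -> list:
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        # Rule 1: PowerShell spawned directly by an archive-extraction utility.
        if image in POWERSHELL and parent in ARCHIVE_TOOLS:
            hits.append((i, "powershell_from_archive_tool"))
        # Rule 2: scheduled task registered from PowerShell, via schtasks.exe
        # or the Register-ScheduledTask cmdlet. These are the hunt candidates
        # whose task action should then be checked against DNS telemetry for
        # beaconing to dynamic-DNS hosts (that pivot is not implemented here).
        if parent in POWERSHELL and image == "schtasks.exe" and "/create" in cmd:
            hits.append((i, "schtask_created_by_powershell"))
        elif image in POWERSHELL and "register-scheduledtask" in cmd:
            hits.append((i, "schtask_created_by_powershell"))
    return hits


# Constructed sample telemetry (not real GREYVIBE artefacts).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "7zFM.exe"},
    {"Image": PS, "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -f report.ps1"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks.exe /Create /SC MINUTE /MO 5 /TN Updater '
                    '/TR "powershell.exe -f C:\\Users\\Public\\u.ps1"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},  # benign admin use
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```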

Tags: nation-state espionage russia-nexus ai-abuse phishing europe global

2026-05-25

GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign

Notable synthesis · discovered 2026-05-25 05:00 UTC

The Russia-nexus GREYVIBE cluster (2026-05-30 daily) gained independent in-window corroboration from SecurityWeek and Security Affairs of the original WithSecure Labs disclosure. The added detail: despite heavy AI integration in lure generation, the operators left Russian-language code comments and Moscow-timezone activity patterns that enabled attribution, and the PrincessClub sub-campaign masqueraded as Ukrainian-Armed-Forces charitable foundations (FPV-drone / UAV support) to harvest credentials. No expansion beyond Ukrainian targets was found. For CH/EU bodies with Ukraine-linked engagements, the relevant control is spear-phishing scrutiny on charity/fundraising lures referencing military support.

Tags: nation-state espionage russia-nexus ai-abuse phishing europe russia-cis