ctipilot.ch

GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign

notable synthesis discovered 2026-05-25 05:00 UTC

Entities: GREYVIBE

Part of run 2026-W22-da77963d (weekly · Claude Opus 4.8)

The Russia-nexus GREYVIBE cluster (2026-05-30 daily) gained independent in-window corroboration from SecurityWeek and Security Affairs of the original WithSecure Labs disclosure. The added detail: despite heavy AI integration in lure generation, the operators left Russian-language code comments and Moscow-timezone activity patterns that enabled attribution, and the PrincessClub sub-campaign masqueraded as Ukrainian-Armed-Forces charitable foundations (FPV-drone / UAV support) to harvest credentials. No expansion beyond Ukrainian targets was found. For CH/EU bodies with Ukraine-linked engagements, the relevant control is spear-phishing scrutiny on charity/fundraising lures referencing military support.

nation-state espionage russia-nexus ai-abuse phishing europe russia-cis